An attacker exploiting the security issue could relay NTLM authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication.