The Windows CryptoAPI, which verifies public key certificates, has a major vulnerability (CVE-2022-34689) for which Akamai researchers have released a proof-of-concept exploit.
When it issued updates for vulnerable Windows and Windows Server versions in October 2022, Microsoft stated that an attacker “may alter an existing public x.509 certificate to impersonate their identity and conduct operations such as authentication or code signing as the targeted certificate.” The vulnerability was technically corrected in August 2022, but it wasn’t disclosed until two months later, perhaps to avoid alerting attackers before the security patches were widely applied.