Impact of the Zero-Day (mentioned here: https://t.me/ckuRED/231).
Enrollment: An adversary can issue a certificate from the CA and later use it to host fake websites that all clients of the firm under attack will automatically trust.
Revocation: An adversary can bring down any website/application just by obtaining the public certificate of that application.
Optionally, if you have to plan big, discover all applications, download the public certificates, and revoke them all at once.
https://t.me/cKure/12030