One Day Sec

How can an attacker decrypt the cpassword field found in Groups.xml or similar GPO files?

Microsoft encrypts the cpassword value with AES-256, but the static key used for it was published in Microsoft's own documentation, so the encryption offers no real protection. Attackers can decrypt it using PowerShell, for example via the Get-GPPPassword.ps1 script from PowerSploit, or by implementing the decryption routine themselves. The plaintext password is then revealed, as demonstrated in the article with the password 'domain123!'. This technique is detailed in Domain Penetration - Recovering Passwords Stored in Group Policy via SYSVOL.
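Because the key is public, the defensive question is not "can this be decrypted" but "does my SYSVOL still contain any cpassword attributes at all". The following audit script is an added example written for this page (it is not code from the article, from PowerSploit or from Microsoft); it parses Group Policy Preference XML files such as Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml, and reports every element carrying a non-empty cpassword attribute together with the account it belongs to. The SYSVOL paths, the GUID and the cpassword value in the sample input are constructed placeholders, not real data; in practice the dictionary would be filled by walking the Policies share.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Attribute names that identify the affected account in the different GPP
# preference item types (Groups, Services, ScheduledTasks, Drives/DataSources).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample inputs: placeholder paths, placeholder GUID and a
# placeholder cpassword string. None of this is real SYSVOL content.
SAMPLE_FILES: Dict[str, str] = {
    r"\\corp.example\SYSVOL\corp.example\Policies\{PLACEHOLDER-GUID}"
    r"\Machine\Preferences\Groups\Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2024-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_ENCRYPTED_VALUE" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
""",
    r"\\corp.example\SYSVOL\corp.example\Policies\{PLACEHOLDER-GUID}"
    r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Cleanup" changed="2024-01-01 00:00:00">
    <Properties action="U" name="Cleanup" appName="cleanup.exe" runAs="NT AUTHORITY\\SYSTEM"/>
  </Task>
</ScheduledTasks>
""",
}


def find_cpassword(xml_text: str) -> List[dict]:
    """Return one finding per element that has a non-empty cpassword attribute.

    An empty cpassword="" means no password was stored and is not reported.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a child -> parent map so the
    # enclosing item's 'name' attribute can be reported alongside the account.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "unknown")
        parent = parent_map.get(elem)
        findings.append({
            "element": elem.tag,
            "item": parent.attrib.get("name", "") if parent is not None else "",
            "account": account,
        })
    return findings


def audit(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of file path -> XML content and collect all findings.

    Malformed XML is reported as its own finding rather than aborting the scan,
    so a single corrupt file cannot hide stored credentials elsewhere.
    """
    results = []
    for path, text in files.items():
        try:
            for hit in find_cpassword(text):
                results.append({"path": path, **hit})
        except ET.ParseError as exc:
            results.append({"path": path, "element": "PARSE_ERROR", "item": str(exc), "account": ""})
    return results


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding['path']}\n  {finding['element']} item={finding['item']!r} account={finding['account']!r}")
```

Each finding is a GPO that must be remediated by removing the preference item (Microsoft's MS14-025 update stops new cpassword values from being written but leaves existing ones in place), followed by rotating the affected account's password, since the stored value must be assumed to have been read.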
Tags: AES-256 decryption, Get-GPPPassword, cpassword, PowerSploit, domain password