What is CVE-2020-1472 Vulnerability?
CVE-2020-1472, famously known as "Zerologon," is a critical elevation of privilege vulnerability found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). This flaw allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. In short, it allows a malicious actor to become the domain administrator with terrifying ease. Think of it as leaving the master key to your entire kingdom under the doormat.
When was it Discovered?
The Zerologon vulnerability was discovered by Tom Tervoort of Secura, a Dutch security company. It was responsibly disclosed to Microsoft, and a patch was released as part of the August 11, 2020, Patch Tuesday. Public disclosure and the technical details that made headlines followed in September 2020, sending IT teams everywhere scrambling to patch their domain controllers.
Affected Products & Versions
This vulnerability affects a wide range of Windows Server versions. If you're running any of the products listed below, patching is not optional—it's critical.
Product | Versions Affected | Fixed Versions / Patch Links |
Windows Server 2008 R2 for x64-based Systems (Service Pack 1) | Standard, Enterprise, Datacenter | August 11, 2020, Security Update (KB4571729) |
Windows Server 2012 | Standard, Essentials, Datacenter | August 11, 2020, Security Update (KB4571723) |
Windows Server 2012 R2 | Standard, Essentials, Datacenter | August 11, 2020, Security Update (KB4571703) |
Windows Server 2016 | Standard, Essentials, Datacenter | August 11, 2020, Security Update (KB4571694) |
Windows Server 2019 | Standard, Datacenter | August 11, 2020, Security Update (KB4565349) |
Windows Server, version 1903 (Server Core installation) | All editions | August 11, 2020, Security Update (KB4565351) |
Windows Server, version 1909 (Server Core installation) | All editions | August 11, 2020, Security Update (KB4565351) |
Windows Server, version 2004 (Server Core installation) | All editions | August 11, 2020, Security Update (KB4565351) |
CVE-2020-1472 Technical Description
Let's get into the weeds. The CVE-2020-1472 vulnerability exists because of a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol. This protocol authenticates users and machines in a domain-based network. Specifically, the issue lies in the AES-CFB8 encryption mode used during the Netlogon authentication process.
An attacker can exploit this by sending a number of Netlogon messages where the client credential fields are filled with zeroes. Due to the cryptographic flaw, there is a 1-in-256 chance that this all-zero plaintext will encrypt to an all-zero ciphertext. By repeatedly attempting this (which takes only a few seconds), an attacker can successfully spoof the identity of any computer on the network, including the domain controller itself. Once authenticated as the domain controller, the attacker can reset the domain controller's machine account password in Active Directory to a known value, effectively taking over the domain.
Tactics, Techniques & Procedures (TTPs)
Threat actors exploiting Zerologon typically follow a clear path. First, they gain initial access to the internal network. From there, they identify a vulnerable domain controller. The core of the attack involves sending specially crafted Netlogon authentication requests to the DC. After a few thousand attempts, they hit the jackpot, spoof the DC's identity, and reset its password. With the new password, they can dump all domain credentials (hello, NTDS.dit), create new domain admin accounts, and deploy ransomware or exfiltrate data. It's a full-blown hostile takeover.
Indicators of Compromise
Detecting a CVE-2020-1472 exploit requires a sharp eye on your logs. Key indicators of compromise (IOCs) include a sudden spike in Netlogon authentication traffic from a single source to a domain controller. You should also monitor for Event ID 4742, which indicates a computer account password was changed, especially if it's the domain controller's own account. Unexplained password resets or the creation of new high-privilege accounts are massive red flags.
Known Proof-of-Concepts & Exploits
It didn't take long for security researchers and, unfortunately, threat actors to develop and release proof-of-concept (PoC) exploit scripts for Zerologon. Multiple PoCs became publicly available on platforms like GitHub shortly after the technical details were published. These scripts automated the entire attack process, making it trivial for even low-skilled attackers to execute. Ransomware groups, like Ryuk and Egregor, quickly weaponized these exploits, incorporating them into their attack chains to gain domain-wide control and deploy their payloads.
How to Detect CVE-2020-1472 Vulnerability?
Detection relies on a mix of proactive scanning and active monitoring. You can use vulnerability scanners to identify unpatched domain controllers within your network. For host-based detection, monitor Windows Event Logs for signs of an attack. Specifically, look for Event ID 4624 (successful logon) from an anomalous source, immediately followed by Event ID 4742 (a computer account was changed) for the domain controller. SIEM solutions can be configured with rules to correlate these events and trigger alerts. A query looking for Netlogon error code 0xc0000022 (STATUS_ACCESS_DENIED) followed by a successful login from the same source can also indicate an attempted exploit.
Impact & Risk of CVE-2020-1472 Vulnerability
The impact of a successful Zerologon exploit is about as bad as it gets. It's a total compromise. An attacker can elevate their privileges to Domain Administrator, the highest level of authority in a Windows domain. This gives them complete control over the entire network infrastructure. They can deploy ransomware across every system, steal sensitive data, delete backups, and create persistent backdoors. For a business, this means catastrophic operational disruption, massive financial loss, and severe reputational damage. The CVSS score of 10.0 (Critical) is not an exaggeration.
Mitigation & Remediation Strategies
If you haven't patched this yet, drop everything and do it now. Seriously.
Patch Immediately: The primary mitigation is to apply the security updates released by Microsoft in August 2020 and the subsequent enforcement phase patches from February 2021. This is the most effective way to close the door on this vulnerability.
Enable Full Secure RPC Enforcement: The patches were rolled out in two phases. The initial patch introduced new event logs to identify non-compliant devices. The second phase, starting February 9, 2021, enabled full enforcement mode, which blocks vulnerable connections from non-compliant devices. Ensure your domain controllers are in enforcement mode.
Monitor Your Logs: Keep a close watch on your domain controller event logs. Tools like a robust EDR (Endpoint Detection and Response) solution can help automate the detection of suspicious activity related to Netlogon authentication failures and password resets.
Network Segmentation: As a general best practice, limit which devices can communicate with your domain controllers. Proper network segmentation can prevent an attacker who has gained a foothold on a workstation from being able to reach a DC and attempt the exploit.
CVE-2020-1472 Vulnerability FAQs
Protect What Matters
