Zerologon (CVE-2020-1472)
What is Zerologon (CVE-2020-1472)?
A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory.
Zerologon, tracked as CVE-2020-1472, is a critical Elevation-of-Privilege vulnerability in Microsoft Netlogon Remote Protocol disclosed by Secura in August 2020. The bug stems from the misuse of AES-CFB8 with an all-zero IV during Netlogon authentication, letting an attacker on the corporate network impersonate any domain-joined computer, including a Domain Controller. By repeatedly sending forged authentication attempts, an attacker can reset the DC's machine account password to an empty value, then dump credentials and obtain Domain Admin in minutes. CISA issued an emergency directive and Microsoft released a phased patch enforcing secure RPC by February 2021. Ransomware and APT groups exploited Zerologon extensively against unpatched networks.
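The cryptographic root cause in code, as an added illustration that is not part of the original page: in CFB8 mode, if the IV and the input are all zeros, the output is all zeros whenever the first byte of the block-cipher output on the zero block is zero, which happens for roughly 1 in 256 keys. The block cipher is replaced by an assumed SHA-256 keyed stand-in so the demo runs offline (the property does not depend on the cipher), and all function names and sample keys are constructed here.

```python
import hashlib

BLOCK_SIZE = 16  # AES block size in bytes; CFB8 shifts one byte per step

def keyed_block(key: bytes, block: bytes) -> bytes:
    # CFB8 only uses the block cipher in the forward direction, so any keyed
    # pseudorandom function reproduces the mode's behaviour. This SHA-256
    # construction is an assumed stand-in for AES, chosen so the demo runs offline.
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Shift register starts as the IV; each output byte is E(register)[0] XOR
    # the plaintext byte, and the resulting ciphertext byte is shifted in.
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = keyed_block(key, bytes(register))[0] ^ p
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)

def zero_iv_zero_input_is_zero(key: bytes) -> bool:
    # Zerologon's root cause: with an all-zero IV and all-zero input, the register
    # never changes when E(0)[0] == 0, so every output byte is 0 for that key.
    return cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(8)) == bytes(8)

def constructed_key(i: int) -> bytes:
    # Deterministic 16-byte keys derived from a counter (constructed test data).
    return hashlib.sha256(b"zerologon-demo-key-" + str(i).encode()).digest()[:16]

def fraction_all_zero(trials: int) -> float:
    # Fraction of keys for which the zero-IV encryption collapses to all zeros;
    # lands near 1/256 (about 0.0039) for any reasonable number of trials.
    hits = sum(zero_iv_zero_input_is_zero(constructed_key(i)) for i in range(trials))
    return hits / trials

def first_weak_key(limit: int = 5000) -> bytes:
    # First constructed key whose zero-IV encryption of eight zero bytes is all
    # zeros. With p = 1/256 per key, 5000 candidates almost surely contain one.
    for i in range(limit):
        key = constructed_key(i)
        if zero_iv_zero_input_is_zero(key):
            return key
    raise RuntimeError("no weak key among the constructed candidates")

if __name__ == "__main__":
    print("fraction of keys giving all-zero output:", fraction_all_zero(20000))
    key = first_weak_key()
    print("zero IV  :", cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(8)).hex())
    print("random IV:", cfb8_encrypt(key, bytes(range(BLOCK_SIZE)), bytes(8)).hex())
```

The last two lines show why the IV matters: the same key with a non-zero IV no longer produces the all-zero ciphertext, which is what Microsoft's secure-RPC enforcement restores.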
● Examples
- 01
An attacker on the LAN runs a Zerologon exploit, resets the DC password and uses DCSync to extract all hashes.
- 02
Defenders set DC enforcement mode and monitor Netlogon events 5827 and 5829 while patching legacy devices.
● Frequently asked questions
What is Zerologon (CVE-2020-1472)?
A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory. It belongs to the Vulnerabilities category of cybersecurity.
What does Zerologon (CVE-2020-1472) mean?
A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory.
How does Zerologon (CVE-2020-1472) work?
Zerologon, tracked as CVE-2020-1472, is a critical Elevation-of-Privilege vulnerability in Microsoft Netlogon Remote Protocol disclosed by Secura in August 2020. The bug stems from the misuse of AES-CFB8 with an all-zero IV during Netlogon authentication, letting an attacker on the corporate network impersonate any domain-joined computer, including a Domain Controller. By repeatedly sending forged authentication attempts, an attacker can reset the DC's machine account password to an empty value, then dump credentials and obtain Domain Admin in minutes. CISA issued an emergency directive and Microsoft released a phased patch enforcing secure RPC by February 2021. Ransomware and APT groups exploited Zerologon extensively against unpatched networks.
How do you defend against Zerologon (CVE-2020-1472)?
Defences for Zerologon (CVE-2020-1472) typically combine technical controls (applying Microsoft's phased patch and enabling Domain Controller enforcement mode) with operational practices (monitoring Netlogon events 5827 and 5829 and patching legacy devices), as detailed in the full definition above.
What are other names for Zerologon (CVE-2020-1472)?
Common alternative names include: CVE-2020-1472, Netlogon EoP.
● Related terms
- identity-access № 013
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- vulnerabilities № 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.