Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1407

Zerologon (CVE-2020-1472)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Zerologon (CVE-2020-1472)?

Zerologon (CVE-2020-1472): A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory.


Zerologon (CVE-2020-1472, CVSS 10.0) is a critical elevation-of-privilege flaw in the Microsoft Netlogon Remote Protocol (MS-NRPC). Microsoft patched it in the August 2020 Patch Tuesday, and Secura's Tom Tervoort published the full technical analysis on 11 September 2020. The root cause is the insecure use of AES-CFB8: the ComputeNetlogonCredential function fixes the initialization vector to all zeros instead of randomising it. With an all-zero IV and all-zero plaintext, the ciphertext is all zeros roughly 1 in 256 times — so an unauthenticated attacker on the network can impersonate any domain-joined machine, including a Domain Controller, by simply retrying.
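The "1 in 256" figure follows from how CFB8 works, not from anything AES-specific. The added example below (written for this entry, not code from Microsoft or from Secura's analysis) implements CFB8 over a stand-in block cipher (an HMAC-SHA256 PRF, an assumption made so it runs without an AES library) and checks two things: with a zero IV and zero input, the 8-byte credential is all zeros exactly when the first byte of E_k(0^16) is zero, and over many constructed keys that happens at roughly 1/256.

```python
"""Why a fixed all-zero IV in CFB8 yields an all-zero credential ~1/256 of the time."""
import hashlib
import hmac

BLOCK = 16          # block size of the underlying cipher (AES in MS-NRPC)
CRED_LEN = 8        # ComputeNetlogonCredential returns an 8-byte credential


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption): HMAC-SHA256 truncated to one block.
    It is not AES; any keyed pseudorandom function shows the same effect."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the 16-byte shift register, XOR its first output
    byte into one plaintext byte, then shift that ciphertext byte into the
    register. If the register starts as all zeros and the ciphertext byte is 0,
    the register never changes, so every following byte is produced the same way."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_yields_zero_credential(key: bytes) -> bool:
    """Zerologon condition: zero IV and zero challenge -> all-zero credential?"""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(CRED_LEN)) == bytes(CRED_LEN)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The equivalent single-byte condition: E_k(0^16)[0] == 0, probability 1/256."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def constructed_key(i: int) -> bytes:
    """Deterministic constructed session key number i (sample input, not real)."""
    return hashlib.sha256(b"constructed-key-%d" % i).digest()[:BLOCK]


def empirical_rate(trials: int) -> float:
    """Fraction of constructed keys for which the all-zero credential occurs."""
    hits = sum(zero_iv_yields_zero_credential(constructed_key(i)) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("all-zero credential rate over 20000 keys:", empirical_rate(20000))
```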

After bypassing authentication, the attacker uses a Netlogon call to reset the DC's machine-account password to an empty value, then performs DCSync to dump every credential hash (including krbtgt) and obtain Domain Admin within minutes. Note that resetting the DC password desynchronises it from Active Directory, which can break the DC if not restored. CISA issued Emergency Directive 20-04, and Microsoft enforced secure RPC by default in the February 2021 update. Ransomware operators (including Ryuk) and APTs weaponised it rapidly. Defences: apply both the August 2020 and February 2021 updates, enable DC enforcement mode, and monitor Event IDs 5827/5829 for vulnerable Netlogon connections.

flowchart TD
  A[Unauthenticated attacker on LAN] -->|"Forged Netlogon auth, all-zero IV"| B[Domain Controller]
  B --> C{"Ciphertext = 0?<br/>(~1 in 256)"}
  C -->|No| A
  C -->|Yes| D[Authentication bypassed<br/>impersonate DC machine account]
  D --> E[Reset DC machine password<br/>to empty value]
  E --> F[DCSync: dump all hashes<br/>incl. krbtgt → Domain Admin]

Examples

  1. An attacker on the LAN runs a Zerologon exploit, resets the DC password and uses DCSync to extract all hashes.

  2. Defenders set DC enforcement mode and monitor 5829 / 5827 Netlogon events while patching legacy devices.

Frequently asked questions

What is Zerologon (CVE-2020-1472)?

A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory. It belongs to the Vulnerabilities category of cybersecurity.

What does Zerologon (CVE-2020-1472) mean?

A cryptographic flaw in Microsoft's Netlogon protocol that lets a network attacker reset a Domain Controller's machine password and seize Active Directory.

How do you defend against Zerologon (CVE-2020-1472)?

Defences for Zerologon (CVE-2020-1472) combine technical controls and operational practices, as detailed in the full definition above: apply both the August 2020 and February 2021 updates, enable Domain Controller enforcement mode, and monitor Event IDs 5827 and 5829 for vulnerable Netlogon connections.

What are other names for Zerologon (CVE-2020-1472)?

Common alternative names include: CVE-2020-1472, Netlogon EoP.
