CVE-2020-1472
CVE-2020-1472 is a medium-severity vulnerability in Microsoft Windows Server 1903 with a CVSS 3.x base score of 5.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v2: 9.3
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-12346
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Windows Server 1903
- Published:
- Last modified:
Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Zerologon (CVE-2020-1472): Netlogon Elevation of Privilege Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2020-1472 |
| Published | 2020-08-17 |
| Last Modified | 2026-06-17 |
| CVSS v2 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) |
| EPSS | 99.51% (percentile: 99.94%) |
| CISA KEV | Yes (added 2021-11-03) |
| Known As | Zerologon |
Summary
CVE-2020-1472, widely known as Zerologon, is a critical elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker on the network can exploit a cryptographic flaw in the Netlogon secure channel to impersonate any computer account, including a domain controller, and ultimately gain domain administrator privileges. Microsoft addressed this vulnerability through a phased two-part update rollout, with the second phase enforcing secure RPC requirements in Q1 2021.
Background
Netlogon is a Windows service that authenticates users and other services within a domain environment. It uses a custom remote procedure call (RPC) protocol (MS-NRPC) to establish a secure channel between domain members and domain controllers for transmitting sensitive authentication credentials. The protocol relies on AES-CFB8 encryption with a client-chosen initialization vector (IV). In 2020, researchers at Secura discovered that when the client sends an IV consisting of 16 zero bytes, there is a 1-in-256 chance that the resulting ciphertext will also be all zeros, allowing authentication bypass. This weakness, combined with the lack of mandatory signing in certain Netlogon operations, enabled the Zerologon attack.
Root Cause
The vulnerability stems from a cryptographic design flaw in MS-NRPC:
- Predictable IV Usage: The Netlogon protocol allowed the client to specify the AES-CFB8 initialization vector. An all-zero IV weakens the encryption to a point where the ciphertext can be trivially manipulated.
- Missing Signature Validation: Certain Netlogon functions did not require RPC message signing, allowing an attacker to modify Netlogon messages in transit without detection.
- Account Brute-Forcing: By repeatedly sending Netlogon authentication requests with an all-zero client credential (taking advantage of the 1-in-256 probability), an attacker could eventually authenticate as any computer account, including the domain controller itself.
The CWE is not explicitly assigned in the NVD record, but the weakness aligns most closely with CWE-326: Inadequate Encryption Strength and CWE-306: Missing Authentication for Critical Function.
Impact
The impact of successful exploitation is severe and domain-wide:
- Domain Compromise: An attacker can reset the password of the domain controller’s computer account in Active Directory, then use those credentials to obtain domain administrator privileges.
- Lateral Movement: With domain admin access, the attacker can move laterally across the entire network, access sensitive data, deploy malware, and establish persistent backdoors.
- Credential Harvesting: The attacker can extract NTDS.dit (the Active Directory database) and crack or reuse credentials for long-term access.
The CVSS v2 vector AV:N/AC:M/Au:N/C:C/I:C/A:C (score 9.3) reflects network accessibility, medium attack complexity (due to the probabilistic nature), no authentication required, and complete compromise of confidentiality, integrity, and availability.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. The exploit requires network access to a domain controller. Do not attempt these techniques on systems you do not own or have explicit authorization to test.
The Zerologon attack proceeds in three conceptual stages:
- Authentication Bypass: The attacker sends multiple Netlogon authentication messages to the domain controller with an all-zero client credential field. Due to the AES-CFB8 IV flaw, approximately 1 in 256 attempts will succeed, granting the attacker a valid Netlogon session.
- Password Reset: Using the established session, the attacker invokes the
NetrServerPasswordSet2RPC function to change the domain controller’s computer account password in Active Directory to a known value (often an empty or attacker-controlled hash). - Privilege Escalation: With the compromised domain controller account, the attacker uses standard Windows tools (e.g.,
secretsdump.pyfrom Impacket) to extract NTLM hashes from the domain, including the KRBTGT account, enabling Golden Ticket attacks and full domain compromise.
Public proof-of-concept code has been widely available since September 2020, and the vulnerability has been actively exploited in the wild by multiple threat actors, including ransomware groups.
Affected and Patched Versions
Affected Products
The following platforms and products are confirmed vulnerable:
- Microsoft Windows Server:
- Windows Server 2008 R2 SP1 (x64)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 1903, 1909, 2004, 20H2
- Third-Party Implementations:
- Samba (all versions implementing vulnerable Netlogon RPC)
- Synology Directory Server
- Oracle ZFS Storage Appliance Kit 8.8
- Debian Linux 9.0 (and other distributions shipping affected Samba builds)
Patched Versions
- Microsoft released patches in August 2020 (KB updates) as part of a phased rollout:
- Phase 1 (August 2020): Patches that fix the vulnerability and add DC enforcement mode (configurable).
- Phase 2 (Q1 2021): Enforcement mode becomes mandatory, blocking vulnerable Netlogon secure channel connections.
- Linux distributions (Ubuntu, Debian, SUSE, openSUSE, Fedora, Gentoo) released updated Samba packages in late 2020.
- Synology released patched Directory Server versions in advisory SA-20-21.
- Oracle addressed the issue in the April 2021 Critical Patch Update.
Remediation
- Apply Patches Immediately: Install the latest Windows security updates on all domain controllers. For non-Microsoft implementations, update Samba and affected packages to vendor-recommended versions.
- Enable Enforcement Mode: On patched Windows domain controllers, ensure the
FullSecureChannelProtectionregistry setting is enabled (this became the default in Phase 2 updates) to block vulnerable connections. - Audit Netlogon Traffic: Use the
Netlogon.logdebug log on domain controllers to identify devices making vulnerable Netlogon connections. Microsoft provides PowerShell scripts to parse these logs. - Compensating Controls:
- Network Segmentation: Restrict access to domain controllers to authorized administrative hosts only.
- Monitor for Exploitation: Deploy detections for anomalous Netlogon RPC traffic, multiple failed authentication attempts, and computer account password changes from unexpected sources.
- Disable SMBv1 and Legacy Protocols: Reduce the overall attack surface by disabling outdated protocols that are often co-exploited.
Detection
Security teams should monitor for the following indicators of Zerologon exploitation:
- Event ID 5805 on domain controllers: "The session setup from the computer %1 failed to authenticate."
- Event ID 5722: "The machine account %1 failed to authenticate."
- Netlogon.log entries showing
0xC0000022(STATUS_ACCESS_DENIED) or successful authentication from unexpected IPs after a series of failures. - Network traffic: Unusually high volumes of Netlogon (port 445/SMB or RPC dynamic ports) authentication attempts from a single source.
- SIEM rules: Correlate multiple failed Netlogon attempts followed by a password reset event on a domain controller computer account.
Assessment
Zerologon is one of the most consequential Windows vulnerabilities of the past decade. With an EPSS score of 99.51%, it is virtually guaranteed to be exploited in the wild on unpatched systems. Its inclusion in the CISA Known Exploited Vulnerabilities catalog and active use by ransomware operators underscores the urgency of remediation.
Key Lessons:
- Custom Cryptography is Dangerous: The Netlogon AES-CFB8 implementation was non-standard and lacked basic protections. Protocol designers should rely on well-vetted cryptographic libraries and avoid client-controlled IVs.
- Phased Rollouts Carry Risk: Microsoft’s two-phase patch strategy, while necessary for compatibility, created an extended window during which attackers could exploit systems that had not yet enabled enforcement mode. Organizations should not delay applying Phase 1 patches or enabling protective registry settings.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.kb.cert.org/vuls/id/490028
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1472
- http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
- https://usn.ubuntu.com/4510-1/
- https://usn.ubuntu.com/4510-2/
- https://security.gentoo.org/glsa/202012-24
- https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html
- https://www.synology.com/security/advisory/Synology_SA_20_21
- https://www.oracle.com/security-alerts/cpuApr2021.html
Frequently asked questions
- What is CVE-2020-1472?
- An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
- How severe is CVE-2020-1472?
- CVE-2020-1472 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2020-1472 being actively exploited?
- Yes. CVE-2020-1472 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-1472?
- CVE-2020-1472 primarily affects Microsoft Windows Server 1903. In total, 23 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-1472?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-1472 have an EU (EUVD) identifier?
- Yes. CVE-2020-1472 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-12346. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-1472 published?
- CVE-2020-1472 was published on 2020-08-17 and last updated on 2026-06-17.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html
- http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html
- http://www.openwall.com/lists/oss-security/2020/09/17/2
- https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://security.gentoo.org/glsa/202012-24
- https://usn.ubuntu.com/4510-1/
- https://usn.ubuntu.com/4510-2/
- https://usn.ubuntu.com/4559-1/
- https://www.kb.cert.org/vuls/id/490028
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.synology.com/security/advisory/Synology_SA_20_21
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1472
Affected products (23)
- cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2004:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_20h2:-:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:a:synology:directory_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows Server 1903
- CVE-2020-0796 — Critical (CVSS 10.0): A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol…
- CVE-2020-1020 — High (CVSS 8.8): A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library…
- CVE-2019-0903 — High (CVSS 8.8): A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles…
- CVE-2020-0601 — High (CVSS 8.1): A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC)…
- CVE-2020-1464 — High (CVSS 7.8): A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully…
- CVE-2020-0986 — High (CVSS 7.8): An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka…