CVE-2020-1472

CVE-2020-1472 is a medium-severity vulnerability in Microsoft Windows Server 1903 with a CVSS 3.x base score of 5.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Zerologon (CVE-2020-1472): Netlogon Elevation of Privilege Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2020-1472
Published 2020-08-17
Last Modified 2026-06-17
CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS v3 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS 99.51% (percentile: 99.94%)
CISA KEV Yes (added 2021-11-03)
Known As Zerologon

Summary

CVE-2020-1472, widely known as Zerologon, is a critical elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker on the network can exploit a cryptographic flaw in the Netlogon secure channel to impersonate any computer account, including a domain controller, and ultimately gain domain administrator privileges. Microsoft addressed this vulnerability through a phased two-part update rollout, with the second phase enforcing secure RPC requirements in Q1 2021.

Background

Netlogon is a Windows service that authenticates users and other services within a domain environment. It uses a custom remote procedure call (RPC) protocol (MS-NRPC) to establish a secure channel between domain members and domain controllers for transmitting sensitive authentication credentials. The protocol relies on AES-CFB8 encryption with a client-chosen initialization vector (IV). In 2020, researchers at Secura discovered that when the client sends an IV consisting of 16 zero bytes, there is a 1-in-256 chance that the resulting ciphertext will also be all zeros, allowing authentication bypass. This weakness, combined with the lack of mandatory signing in certain Netlogon operations, enabled the Zerologon attack.

Root Cause

The vulnerability stems from a cryptographic design flaw in MS-NRPC:

  1. Predictable IV Usage: The Netlogon protocol allowed the client to specify the AES-CFB8 initialization vector. An all-zero IV weakens the encryption to a point where the ciphertext can be trivially manipulated.
  2. Missing Signature Validation: Certain Netlogon functions did not require RPC message signing, allowing an attacker to modify Netlogon messages in transit without detection.
  3. Account Brute-Forcing: By repeatedly sending Netlogon authentication requests with an all-zero client credential (taking advantage of the 1-in-256 probability), an attacker could eventually authenticate as any computer account, including the domain controller itself.

The CWE is not explicitly assigned in the NVD record, but the weakness aligns most closely with CWE-326: Inadequate Encryption Strength and CWE-306: Missing Authentication for Critical Function.

Impact

The impact of successful exploitation is severe and domain-wide:

  • Domain Compromise: An attacker can reset the password of the domain controller’s computer account in Active Directory, then use those credentials to obtain domain administrator privileges.
  • Lateral Movement: With domain admin access, the attacker can move laterally across the entire network, access sensitive data, deploy malware, and establish persistent backdoors.
  • Credential Harvesting: The attacker can extract NTDS.dit (the Active Directory database) and crack or reuse credentials for long-term access.

The CVSS v2 vector AV:N/AC:M/Au:N/C:C/I:C/A:C (score 9.3) reflects network accessibility, medium attack complexity (due to the probabilistic nature), no authentication required, and complete compromise of confidentiality, integrity, and availability.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness only. The exploit requires network access to a domain controller. Do not attempt these techniques on systems you do not own or have explicit authorization to test.

The Zerologon attack proceeds in three conceptual stages:

  1. Authentication Bypass: The attacker sends multiple Netlogon authentication messages to the domain controller with an all-zero client credential field. Due to the AES-CFB8 IV flaw, approximately 1 in 256 attempts will succeed, granting the attacker a valid Netlogon session.
  2. Password Reset: Using the established session, the attacker invokes the NetrServerPasswordSet2 RPC function to change the domain controller’s computer account password in Active Directory to a known value (often an empty or attacker-controlled hash).
  3. Privilege Escalation: With the compromised domain controller account, the attacker uses standard Windows tools (e.g., secretsdump.py from Impacket) to extract NTLM hashes from the domain, including the KRBTGT account, enabling Golden Ticket attacks and full domain compromise.

Public proof-of-concept code has been widely available since September 2020, and the vulnerability has been actively exploited in the wild by multiple threat actors, including ransomware groups.

Affected and Patched Versions

Affected Products

The following platforms and products are confirmed vulnerable:

  • Microsoft Windows Server:
    • Windows Server 2008 R2 SP1 (x64)
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 1903, 1909, 2004, 20H2
  • Third-Party Implementations:
    • Samba (all versions implementing vulnerable Netlogon RPC)
    • Synology Directory Server
    • Oracle ZFS Storage Appliance Kit 8.8
    • Debian Linux 9.0 (and other distributions shipping affected Samba builds)

Patched Versions

  • Microsoft released patches in August 2020 (KB updates) as part of a phased rollout:
    • Phase 1 (August 2020): Patches that fix the vulnerability and add DC enforcement mode (configurable).
    • Phase 2 (Q1 2021): Enforcement mode becomes mandatory, blocking vulnerable Netlogon secure channel connections.
  • Linux distributions (Ubuntu, Debian, SUSE, openSUSE, Fedora, Gentoo) released updated Samba packages in late 2020.
  • Synology released patched Directory Server versions in advisory SA-20-21.
  • Oracle addressed the issue in the April 2021 Critical Patch Update.

Remediation

  1. Apply Patches Immediately: Install the latest Windows security updates on all domain controllers. For non-Microsoft implementations, update Samba and affected packages to vendor-recommended versions.
  2. Enable Enforcement Mode: On patched Windows domain controllers, ensure the FullSecureChannelProtection registry setting is enabled (this became the default in Phase 2 updates) to block vulnerable connections.
  3. Audit Netlogon Traffic: Use the Netlogon.log debug log on domain controllers to identify devices making vulnerable Netlogon connections. Microsoft provides PowerShell scripts to parse these logs.
  4. Compensating Controls:
    • Network Segmentation: Restrict access to domain controllers to authorized administrative hosts only.
    • Monitor for Exploitation: Deploy detections for anomalous Netlogon RPC traffic, multiple failed authentication attempts, and computer account password changes from unexpected sources.
    • Disable SMBv1 and Legacy Protocols: Reduce the overall attack surface by disabling outdated protocols that are often co-exploited.

Detection

Security teams should monitor for the following indicators of Zerologon exploitation:

  • Event ID 5805 on domain controllers: "The session setup from the computer %1 failed to authenticate."
  • Event ID 5722: "The machine account %1 failed to authenticate."
  • Netlogon.log entries showing 0xC0000022 (STATUS_ACCESS_DENIED) or successful authentication from unexpected IPs after a series of failures.
  • Network traffic: Unusually high volumes of Netlogon (port 445/SMB or RPC dynamic ports) authentication attempts from a single source.
  • SIEM rules: Correlate multiple failed Netlogon attempts followed by a password reset event on a domain controller computer account.

Assessment

Zerologon is one of the most consequential Windows vulnerabilities of the past decade. With an EPSS score of 99.51%, it is virtually guaranteed to be exploited in the wild on unpatched systems. Its inclusion in the CISA Known Exploited Vulnerabilities catalog and active use by ransomware operators underscores the urgency of remediation.

Key Lessons:

  1. Custom Cryptography is Dangerous: The Netlogon AES-CFB8 implementation was non-standard and lacked basic protections. Protocol designers should rely on well-vetted cryptographic libraries and avoid client-controlled IVs.
  2. Phased Rollouts Carry Risk: Microsoft’s two-phase patch strategy, while necessary for compatibility, created an extended window during which attackers could exploit systems that had not yet enabled enforcement mode. Organizations should not delay applying Phase 1 patches or enabling protective registry settings.

References

Frequently asked questions

What is CVE-2020-1472?
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
How severe is CVE-2020-1472?
CVE-2020-1472 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2020-1472 being actively exploited?
Yes. CVE-2020-1472 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2020-1472?
CVE-2020-1472 primarily affects Microsoft Windows Server 1903. In total, 23 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2020-1472?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2020-1472 have an EU (EUVD) identifier?
Yes. CVE-2020-1472 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-12346. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2020-1472 published?
CVE-2020-1472 was published on 2020-08-17 and last updated on 2026-06-17.

References

Affected products (23)

More vulnerabilities in Microsoft Windows Server 1903

All CVEs affecting Microsoft Windows Server 1903 →