CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2020-1472 Explained: Zerologon and Instant Active Directory Domain Compromise

A cryptographic flaw in Microsoft's Netlogon protocol that allows an unauthenticated attacker on your network to become Domain Admin in approximately 10 seconds. No credentials. No prior access. Just network connectivity to a domain controller.

Sources:Secura Research (Tom Tervoort)|Microsoft Security Advisory|CISA Alert AA20-283A|NIST NVD
10.0
CVSS Score
~10s
Time to domain compromise
0
Credentials required
2020
Patched August 11

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2020-1472, named Zerologon by its discoverer Tom Tervoort of Secura, is a cryptographic vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). Patched on August 11, 2020, the full technical details and working proof-of-concept were withheld until September 14, 2020, at which point CISA issued an emergency directive giving federal agencies 72 hours to patch all domain controllers.

The vulnerability exists in the AES-CFB8 mode implementation used to authenticate Netlogon sessions. A flaw in how the initialization vector is handled allows an attacker to forge a valid Netlogon authentication message using an all-zero key. This allows an unauthenticated attacker with network access to a domain controller to impersonate any computer account, including domain controllers themselves, and set machine account passwords to empty strings.

From any internal network foothold, an attacker can become Domain Administrator in approximately 10 seconds with no credentials.

The Cryptographic Flaw Behind CVE-2020-1472

Netlogon uses AES in CFB8 mode to encrypt authentication handshake messages. CFB8 mode requires a random 16-byte initialization vector (IV) for each encryption operation to ensure ciphertext unpredictability. Microsoft's Netlogon implementation uses an all-zero IV, every single time.

AES-CFB8 with an all-zero IV and an all-zero plaintext produces an all-zero ciphertext with probability 1/256. This means that if an attacker sends 256 authentication attempts using all-zero client credentials, statistically one will produce an all-zero server credential, which the server accepts as valid.

With a forged valid authentication session established, the attacker calls NetrServerPasswordSet2 to set the Domain Controller machine account password to an empty string. With an empty DC machine account password, the attacker authenticates as the DC and performs a DCSync attack to dump all Active Directory credentials.

1

Send ~256 Authentication Attempts

Attacker sends Netlogon authentication requests with all-zero client credentials against the domain controller. Statistically completes in under 3 seconds.

2

Authentication Bypass Succeeds

One of the ~256 attempts produces a valid session due to the AES-CFB8 IV flaw. The domain controller accepts the forged authentication.

3

Set DC Machine Account Password to Empty

Using the forged session, attacker calls NetrServerPasswordSet2 to reset the Domain Controller machine account password to empty.

4

Authenticate as Domain Controller

Attacker authenticates to Active Directory using the DC machine account with the empty password, gaining DC-level privileges.

5

DCSync to Dump All Credentials

Attacker performs a DCSync attack via Impacket's secretsdump.py or Mimikatz to replicate all Active Directory hashes, including the krbtgt account.

6

Golden Ticket, Full Domain Compromise

With the krbtgt hash, attacker forges Kerberos Golden Tickets for any account on the domain, achieving permanent, persistent domain administrator access.

Affected Systems and Patch Guidance

CVE-2020-1472 affects all Windows Server versions used as domain controllers: Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and versions 1903/1909/2004. Member servers and workstations are not directly vulnerable, only domain controllers.

Microsoft implemented a two-phase rollout: the August 2020 patch enables logging (Event ID 5829 identifies non-compliant devices). The February 2021 enforcement mode update blocks all vulnerable Netlogon connections. Both patches are required for full protection.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

Zerologon is a 10-second domain compromise from any internal network position. The August 2020 patch is over four years old, any unpatched domain controller is an organizational catastrophe waiting to happen. Apply the August 2020 and February 2021 security updates to all domain controllers, enable enforcement mode immediately, and review Event ID 5829 logs to identify any remaining non-compliant devices.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is Zerologon (CVE-2020-1472)?

Zerologon is a CVSS 10.0 cryptographic vulnerability in Microsoft's Netlogon Remote Protocol. A flaw in the AES-CFB8 initialization vector allows an attacker with internal network access to forge authentication in ~256 attempts, then reset a Domain Controller's machine account password to empty and achieve full domain compromise in approximately 10 seconds.

How do I fix CVE-2020-1472?

Apply both the August 2020 patch and the February 2021 enforcement mode update to all domain controllers. Enable enforcement mode immediately via Group Policy. Review Event ID 5829 on DCs to identify non-compliant devices still using vulnerable Netlogon channels.

Does Zerologon require network access to exploit?

Yes. CVE-2020-1472 requires network connectivity to a domain controller's Netlogon service (typically on an internal network). It cannot be exploited remotely from the internet unless Netlogon is exposed externally, which is not a standard configuration.

What is a DCSync attack and how does Zerologon enable it?

DCSync is an Active Directory credential dumping technique that impersonates a Domain Controller to request replication of all password hashes via the Microsoft Directory Replication Service Remote Protocol (MS-DRSR). With Zerologon, an attacker first resets a Domain Controller's machine account password to empty, then authenticates as that DC, and runs DCSync to replicate all AD hashes including the krbtgt account. The krbtgt hash enables forging Kerberos Golden Tickets, providing permanent administrator access to every service in the domain.

How can Zerologon exploitation be detected in Windows Event Logs?

After the August 2020 patch, Event ID 5829 is generated when a device attempts a vulnerable Netlogon secure channel connection. Monitor for Event ID 4742 (A computer account was changed) on domain controllers, particularly unexpected password changes to DC machine accounts, this is the direct indicator of Zerologon exploitation. Also monitor for DCSync activity using Event ID 4662 (An operation was performed on an object) with GUIDs matching AD replication permissions. Baseline normal DC-to-DC replication activity before alerting to reduce false positives.

Does Zerologon affect Azure Active Directory or Entra ID?

No. CVE-2020-1472 affects the Windows Netlogon Remote Protocol (MS-NRPC) used by on-premises Active Directory domain controllers. Azure Active Directory (now Microsoft Entra ID) uses a completely different authentication architecture and is not affected. Organizations that have migrated fully to Azure AD or Entra ID cloud-only authentication are not vulnerable. However, hybrid environments with on-premises AD synced to Azure AD remain vulnerable at the on-premises AD layer.

Sources & references

  1. Secura Research (Tom Tervoort)
  2. Microsoft Security Advisory
  3. CISA Alert AA20-283A
  4. NIST NVD

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.