ZeroLogon - CVE-2020-1472 Exploit Report

ZeroLogon (CVE-2020-1472) is a critical elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). Disclosed in 2020, it allows unauthenticated attackers to impersonate any domain-joined computer, including Domain Controllers, and change their machine passwords to empty values—resulting in complete domain takeover.

The vulnerability stems from an insecure use of AES-CFB8 encryption in the Netlogon protocol. Due to the use of a fixed IV (initialization vector) and flawed validation, attackers can send specially crafted authentication messages that yield a 1-in-256 chance of success per attempt. After multiple tries, this enables setting the domain controller’s password to an empty string.

• T1068 – Exploitation for Privilege Escalation
• T1078 – Valid Accounts
• T1203 – Exploitation for Client Execution
• T1003.006 – Credential Dumping: DCSync
• T1484.001 – Domain Policy Modification: Group Policy Modification

View this mapping using official MITRE ATT&CK Navigator

• Apply Microsoft patches for CVE-2020-1472 released August–September 2020
• Monitor Netlogon traffic for connections lacking secure channel establishment
• Audit domain controller machine account password resets
• Deploy Microsoft’s Domain Controller Enforcement Mode (Feb 2021 onward)
• Use EDR tools to flag repeated failed Netlogon authentications

• NVD: CVE-2020-1472
• Secura Labs: Technical Analysis
• MITRE ATT&CK Framework
• CISA Guidance