Updated on August 29, 2025
CVE-2020-1472, widely known as Zerologon, represents one of the most critical privilege escalation vulnerabilities discovered in Microsoft’s Active Directory infrastructure. This vulnerability exploits a fundamental flaw in the Microsoft Netlogon Remote Protocol (NRPC), allowing an unauthenticated attacker to take complete control of a Windows Active Directory domain within minutes.
The simplicity and devastating impact of Zerologon made it an immediate target for exploitation in the wild. Security researchers demonstrated that an attacker could compromise an entire domain with just basic network access and publicly available exploit code. This posed an existential threat to unpatched Active Directory environments worldwide.
Understanding Zerologon is crucial for IT professionals managing Windows domains. The vulnerability highlights how a single cryptographic implementation flaw can undermine an entire network’s security posture.
Definition and Core Concepts
CVE-2020-1472 is a critical vulnerability that exploits a cryptographic flaw in the Netlogon Remote Protocol. The vulnerability allows an attacker to reset the password of a domain controller’s computer account to a blank value. This effectively grants full administrative control over the entire domain.
Netlogon Remote Protocol (NRPC)
The Netlogon Remote Protocol serves as a cornerstone of Windows domain authentication. NRPC handles user and machine authentication across the domain. It also manages secure channels between clients and domain controllers.
Domain controllers rely on NRPC to verify the identity of computers and users attempting to access network resources. This protocol operates transparently in the background of most Windows domain operations.
Secure Channel Authentication
NRPC establishes secure channels between clients and domain controllers for encrypted communication. The vulnerability specifically targets the handshake process that creates the session key for this channel.
The secure channel mechanism was designed to prevent unauthorized access to domain resources. However, the cryptographic implementation contained a fatal flaw that Zerologon exploits.
How Zerologon Works
The Zerologon vulnerability exploits a specific weakness in the cryptographic authentication handshake of the NRPC protocol. Understanding this mechanism is essential for IT professionals implementing detection and mitigation strategies.
The Cryptographic Flaw
The NRPC protocol uses AES-CFB8 encryption, keyed with the session key negotiated during the authentication handshake, to compute the credentials that authenticate each side of the channel. The implementation contains a critical flaw: the initialization vector is fixed to all zeros, so setting the client challenge and the client_credential field to all zeros results in predictable encryption output.
When the plaintext is all zeros, AES-CFB8 with a zero IV produces an all-zero credential whenever the first byte of the AES encryption of the zero block is zero, which holds for roughly one in 256 session keys. In that case every step of the mode re-encrypts the same all-zero shift register, so no byte of the output ever becomes non-zero.
Authentication Bypass Process
An attacker exploits this flaw by sending multiple authentication attempts with zero-filled client credentials. The probabilistic nature of the vulnerability means each attempt has a 1-in-256 chance of succeeding.
An attacker typically sends up to 256 authentication requests in rapid succession, which makes it highly likely that at least one of them authenticates successfully.
The bypass process requires no special tools or advanced technical knowledge. Publicly available exploit code can automate the entire attack sequence.
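The following Go program, an added example rather than code from the original article or from Microsoft, reproduces the flaw described above: a model of ComputeNetlogonCredential (AES-CFB8 over an 8-byte challenge with the IV fixed to zero) shows that an all-zero challenge yields an all-zero credential exactly when the first byte of AES_K(0) is zero, and a seeded trial over pseudo-random session keys recovers the 1-in-256 rate. Function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"math/rand"
)

// NetlogonCredential models ComputeNetlogonCredential: AES-CFB8 over the
// 8-byte challenge under the 128-bit session key, IV fixed to all zeros.
// Each output byte is plaintext XOR the first byte of AES_K(register);
// the register then slides left one byte and takes the new ciphertext byte.
func NetlogonCredential(sessionKey, challenge []byte) []byte {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err) // a 16-byte session key is expected
	}
	reg := make([]byte, aes.BlockSize) // the fixed all-zero IV
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(challenge))
	for i, p := range challenge {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		reg = append(reg[1:], out[i])
	}
	return out
}

// ZeroCredentialForZeroChallenge reports whether an all-zero client
// challenge yields an all-zero credential under sessionKey. That happens
// exactly when AES_K(0^16) starts with 0x00: the zero register and zero
// plaintext then reproduce themselves at every CFB8 step (probability 1/256).
func ZeroCredentialForZeroChallenge(sessionKey []byte) bool {
	zero8 := make([]byte, 8)
	return bytes.Equal(NetlogonCredential(sessionKey, zero8), zero8)
}

// ZeroCredentialRate estimates, over n seeded pseudo-random session keys,
// how often the zero challenge yields the zero credential (about 1/256).
func ZeroCredentialRate(n int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	key, hits := make([]byte, 16), 0
	for i := 0; i < n; i++ {
		for j := range key {
			key[j] = byte(rng.Intn(256))
		}
		if ZeroCredentialForZeroChallenge(key) {
			hits++
		}
	}
	return float64(hits) / float64(n)
}
```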
Domain Controller Password Reset
Once authenticated through the bypass, the attacker gains access to privileged NRPC functions. These functions include the ability to remotely reset computer account passwords.
The attacker targets the domain controller’s own computer account and resets its password to a blank string. This action effectively removes the primary authentication barrier protecting the domain controller.
With a blank password, the attacker can authenticate directly to the domain controller and assume its identity. This grants complete administrative control over the entire Active Directory domain.
Impact and Use Cases
A successful Zerologon attack results in complete domain compromise with devastating consequences for the target organization.
Privilege Escalation
The vulnerability transforms an unauthenticated network attacker into a domain administrator in minutes. This represents the most severe form of privilege escalation possible in a Windows environment.
Unlike other privilege escalation attacks that require existing access or user interaction, Zerologon needs only network connectivity to a domain controller. The attack bypasses all traditional authentication mechanisms.
Complete Domain Compromise
Once the domain controller password is reset, attackers can perform DCSync attacks using tools like Mimikatz. DCSync operations dump all user password hashes from the Active Directory database.
This access includes domain administrator accounts, service accounts, and all user credentials stored in the domain. The attacker effectively owns every account in the organization.
The compromised credentials enable persistent access even after the initial vulnerability is patched. Attackers can create backdoor accounts or extract credentials for offline cracking.
Lateral Movement and Ransomware
Ransomware operators quickly integrated Zerologon into their attack chains. The vulnerability provides rapid initial access and facilitates lateral movement across compromised networks.
The complete domain compromise allows attackers to disable security tools, extract sensitive data, and deploy ransomware across all domain-joined systems simultaneously. Recovery becomes significantly more complex when the entire domain infrastructure is compromised.
Detection and Monitoring
Organizations can implement several detection mechanisms to identify Zerologon exploitation attempts and successful compromises.
Authentication Anomaly Detection
Monitor domain controllers for unusually high volumes of failed Netlogon authentication requests from single IP addresses. Zerologon exploits typically generate hundreds of authentication attempts in rapid succession.
Successful exploitation often shows a pattern of many failed attempts followed immediately by successful authentication with unusual characteristics. Look for authentication events where the client credential appears as all zeros.
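As an added example (not from the original article), the Go code below implements the detection heuristic just described over constructed, normalised Netlogon authentication records: a sliding window of failures per client IP, with an alert when a success follows a burst. The thresholds (50 failures within 30 seconds), the field names and the sample IPs are assumptions for illustration.

```go
package main

// NetlogonEvent is a constructed, normalised record of one Netlogon
// secure-channel authentication attempt: offset in ms, client IP, outcome.
type NetlogonEvent struct {
	Ms      int64
	Client  string
	Success bool
}

// DetectFailureBurstThenSuccess keeps a sliding window of failure times per
// client and reports every client whose success follows at least minFailures
// failures within windowMs. Events must be time-ordered per client; a success
// resets that client's run. The result maps client to the burst's size.
func DetectFailureBurstThenSuccess(events []NetlogonEvent, minFailures int, windowMs int64) map[string]int {
	failures := map[string][]int64{}
	alerts := map[string]int{}
	for _, ev := range events {
		kept := failures[ev.Client][:0] // in-place filter of the window
		for _, t := range failures[ev.Client] {
			if ev.Ms-t <= windowMs {
				kept = append(kept, t)
			}
		}
		if !ev.Success {
			failures[ev.Client] = append(kept, ev.Ms)
			continue
		}
		if len(kept) >= minFailures {
			alerts[ev.Client] = len(kept)
		}
		failures[ev.Client] = nil
	}
	return alerts
}

// SampleEvents is constructed input: a misconfigured host that fails once a
// minute and then succeeds, and a client cycling 300 attempts in six seconds.
func SampleEvents() []NetlogonEvent {
	var evs []NetlogonEvent
	for i := int64(0); i < 3; i++ {
		evs = append(evs, NetlogonEvent{i * 60000, "10.0.0.25", false})
	}
	evs = append(evs, NetlogonEvent{240000, "10.0.0.25", true})
	for i := int64(0); i < 300; i++ {
		evs = append(evs, NetlogonEvent{300000 + i*20, "10.0.0.99", false})
	}
	return append(evs, NetlogonEvent{306100, "10.0.0.99", true})
}
```

Running `DetectFailureBurstThenSuccess(SampleEvents(), 50, 30000)` flags only 10.0.0.99, because the slow client's failures age out of the window before it succeeds.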
Account Activity Monitoring
Watch for unexpected password reset events on domain controller computer accounts. These events should trigger immediate investigation as they rarely occur during normal operations.
Monitor for DCSync operations and unusual replication requests that could indicate credential dumping activities. These actions typically follow successful Zerologon exploitation.
Mitigation and Remediation
Complete mitigation requires applying Microsoft’s security patches and implementing additional monitoring controls.
Patching Requirements
Microsoft released the initial patch for CVE-2020-1472 in August 2020 as part of the monthly security updates. The company implemented a phased approach with progressive enforcement mechanisms.
The February 2021 enforcement update requires all domain controllers to have compatible patches installed. Organizations must patch all domain controllers before this deadline to maintain proper domain functionality.
Apply patches to all domain controllers simultaneously when possible. Partial patching can create compatibility issues and leave attack vectors open.
Ongoing Monitoring
Continuously monitor domain controllers for suspicious Netlogon activity even after patching. Attackers may attempt to exploit similar vulnerabilities or use alternative attack methods.
Implement network segmentation to limit direct network access to domain controllers. This reduces the attack surface available to potential exploiters.
Key Terms Appendix
- CVE-2020-1472: The official Common Vulnerabilities and Exposures identifier for the Zerologon vulnerability.
- Zerologon: The common name for CVE-2020-1472, referring to the use of zero-filled credentials in the exploit.
- Netlogon Remote Protocol (NRPC): The Windows protocol responsible for domain authentication that contains the vulnerability.
- DCSync Attack: A post-exploitation technique that dumps all password hashes from a domain controller by mimicking domain controller replication requests.
- Privilege Escalation: The process of gaining higher-level access privileges, in this case from unauthenticated to domain administrator.