CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability
Overview
- Severity: Critical (CVSS 10)
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
- Category: Elevation of Privilege
- Exploit Status: Not Exploited
- Exploitation Likelihood: More Likely
- Patch Tuesday: 2020-Aug
- Released: 2020-08-11
- Last Updated: 2021-02-11
- EPSS Score: 94.38% (percentile: 100.0%)
- CISA KEV: Listed (due 2022-05-03)
Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted to content changes to this advisory. See Microsoft Technical Security Notifications.
FAQ
Do I need to take further steps to be protected from this vulnerability?
Yes. Installing the August 11, 2020 updates on the domain controllers protects the Windows-based machine accounts, the trust accounts, and the domain controller accounts.
Active Directory machine accounts for domain joined third-party devices are not protected until enforcement mode is deployed. Machine accounts are also not protected if they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. See How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 for more details.
If I install the updates and take no further action, what will be the impact?
During the initial deployment phase, starting with the updates released August 11, 2020 or later, the updates can be installed without further action, and Windows devices and Domain Controllers (DCs) will be protected from this vulnerability. Third-party devices will be allowed to make vulnerable connections and might allow attack until enforcement mode is enabled. Organizations will need to monitor for and address potential issues before the Q1 2021 DC enforcement phase or risk devices being denied access. Note: Any device in the allow list will be allowed to use vulnerable connections and could expose your environment to the attack. For more information, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.
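The monitoring step above (finding non-compliant devices before enforcement) can be done from the events a patched DC writes. The following PowerShell is an added example, not part of the Microsoft advisory or KB article; it assumes the Netlogon event IDs 5827-5831 that KB4557222 documents for this change, and that the account name is the first insertion string of those events.

```powershell
# Added example, not from the advisory: summarise the Netlogon secure channel
# audit events a patched DC writes during the initial deployment phase, so that
# devices still using vulnerable connections are found before enforcement.
# Assumption: event IDs 5827-5831 in the System log, as documented in KB4557222.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # domain controller to query
    [int]$Days = 7                              # look-back window
)

$meaning = @{
    5827 = 'DENIED: vulnerable connection from a machine account'
    5828 = 'DENIED: vulnerable connection from a trust account'
    5829 = 'ALLOWED: vulnerable connection (initial deployment phase only)'
    5830 = 'ALLOWED: machine account is in the exception group policy'
    5831 = 'ALLOWED: trust account is in the exception group policy'
}

$filter = @{
    LogName   = 'System'
    Id        = @($meaning.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Assumption: the account name is the first insertion string of the event.
    # Fall back to the rendered message text if the template differs.
    $account = $e.Properties[0].Value
    if (-not $account -and $e.Message -match 'SamAccountName:\s*(\S+)') { $account = $Matches[1] }
    [pscustomobject]@{ EventId = $e.Id; Meaning = $meaning[$e.Id]; Account = $account; Seen = $e.TimeCreated }
}

# One line per (event type, account). 5829 rows are the devices that enforcement
# will cut off; 5830/5831 rows are accounts the exception policy keeps exposed.
$rows |
    Group-Object EventId, Account |
    ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Group[0].EventId
            Meaning  = $_.Group[0].Meaning
            Account  = $_.Group[0].Account
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Seen -Descending | Select-Object -First 1).Seen
        }
    } |
    Sort-Object EventId, Account |
    Format-Table -AutoSize
```

Run it against each DC in turn; an empty result on a DC that has the August 2020 updates means no vulnerable connections were seen in the window.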
How does Microsoft plan to address this vulnerability?
Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions.
The second phase, planned for a Q1 2021 release, marks th
Known Exploits (68)
- Microsoft Netlogon Privilege Escalation Vulnerability — added 2025-12-07T15:29:47Z
Detection & Weaponization (3 sources)
Maturity: Detection
- Metasploit modules: Netlogon Weak Cryptographic Authentication
- Sigma rules: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC, Potential Zerologon (CVE-2020-1472) Exploitation, Vulnerable Netlogon Secure Channel Connection Allowed
- GitHub PoC: 74 repositories
Affected Products (14)
Windows
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server, version 20H2 (Server Core Installation)
ESU
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
Security Updates (11)
Acknowledgments
Tom Tervoort of Secura (https://www.secura.com/), Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
Revision History
- 2020-08-11: Information published.
- 2020-08-11: Updated one or more CVSS scores for the affected products. This is an informational change only.
- 2020-09-28: Updated FAQ to announce that How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (https://support.microsoft.com/kb/4557222) has been updated to provide clarity on new questions and to reinforce actions customers need to take to ensure they are protected.
- 2020-10-29: Updated FAQ to clarify how the updates released on August 11, 2020 provide protection from this vulnerability, and to emphasize that customers need to take further action to fully protect their environments.
- 2021-02-11: Microsoft is announcing the release of the second phase of Windows security updates to address this vulnerability. February 9, 2021 and superseding Windows Updates enable enforcement mode on all supported Windows Domain Controllers and will block vulnerable connections from non-compliant devices unless manually added to a security group referenced in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy (https://support.microsoft.com/en-us/help/4557222#theGroupPolicy). Adding hostnames to the exception policy allows attackers to impersonate such accounts. Administrators will not be able to disable or override enforcement mode. For more information about enforcement mode, see (1.) Step 3b: Enforcement Phase in https://support.microsoft.com/kb/4557222 and (2.) the FAQ section of this CVE-2020-1472. Microsoft strongly recommends that customers install the February updates to be fully protected from this vulnerability. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.