CVE-2020-1472 Explained: Zerologon and Instant Active Directory Domain Compromise
A cryptographic flaw in Microsoft's Netlogon protocol that allows an unauthenticated attacker on your network to become Domain Admin in approximately 10 seconds. No credentials. No prior access. Just network connectivity to a domain controller.

Founder & Cybersecurity Evangelist
CVE-2020-1472, named Zerologon by its discoverer Tom Tervoort of Secura, is a cryptographic vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). Patched on August 11, 2020, the full technical details and working proof-of-concept were withheld until September 14, 2020 — at which point CISA issued an emergency directive giving federal agencies 72 hours to patch all domain controllers.
The vulnerability exists in the AES-CFB8 mode implementation used to authenticate Netlogon sessions. A flaw in how the initialization vector is handled allows an attacker to forge a valid Netlogon authentication message using an all-zero key. This allows an unauthenticated attacker with network access to a domain controller to impersonate any computer account — including domain controllers themselves — and set machine account passwords to empty strings.
From any internal network foothold, an attacker can become Domain Administrator in approximately 10 seconds with no credentials.
The Cryptographic Flaw Behind CVE-2020-1472
Netlogon uses AES in CFB8 mode to encrypt authentication handshake messages. CFB8 mode requires a random 16-byte initialization vector (IV) for each encryption operation to ensure ciphertext unpredictability. Microsoft's Netlogon implementation uses an all-zero IV — every single time.
AES-CFB8 with an all-zero IV and an all-zero plaintext produces an all-zero ciphertext with probability 1/256. This means that if an attacker sends 256 authentication attempts using all-zero client credentials, statistically one will produce an all-zero server credential — which the server accepts as valid.
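To make the probability argument concrete, here is an added example (not code from the original article) of a generic CFB8 encryptor. The block function is a SHA-256 based stand-in for AES, an assumption made so the script needs no third-party library; the collapse it demonstrates depends only on the shift register staying all-zero, so it applies to real AES-CFB8 unchanged. It also contrasts the all-zero IV with a random IV, for which the same collapse essentially never happens.

```python
# Added example (not from the original article): why CFB8 with a fixed
# all-zero IV turns an all-zero plaintext into all-zero ciphertext for
# roughly one key in 256.
import hashlib
import random

BLOCK_SIZE = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function.
    ASSUMPTION: a SHA-256 keyed function replaces AES so the example runs
    offline without extra libraries. The CFB8 reasoning below only needs
    the block output to be unpredictable, so it carries over to AES."""
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 (8-bit feedback), the mode MS-NRPC uses:
    encrypt the 16-byte shift register, XOR its first output byte with
    one plaintext byte, then shift that ciphertext byte into the register."""
    assert len(iv) == BLOCK_SIZE
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The single condition the collapse depends on: E(key, 0^16)[0] == 0."""
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def zero_iv_zero_plaintext_is_all_zero(key: bytes, length: int = 8) -> bool:
    """Encrypt an 8-byte all-zero credential under the all-zero IV.
    If the first keystream byte is 0x00, the first ciphertext byte is 0x00,
    the register (all zeros shifted by one zero byte) is unchanged, and the
    same keystream byte repeats: every output byte is zero."""
    return cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(length)) == bytes(length)


def estimate_collapse_rate(trials: int, iv: bytes, seed: int = 1) -> float:
    """Fraction of random keys for which 8 zero bytes encrypt to 8 zero bytes
    under the given IV: about 1/256 for the all-zero IV, about (1/256)**8
    for a random IV because the register then changes on every step."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(BLOCK_SIZE, "big")
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    zero_iv = bytes(BLOCK_SIZE)
    random_iv = random.Random(2).getrandbits(128).to_bytes(BLOCK_SIZE, "big")
    print("collapse rate, all-zero IV:", estimate_collapse_rate(20000, zero_iv))
    print("collapse rate, random IV:  ", estimate_collapse_rate(20000, random_iv))
```

Running it prints a rate close to 0.0039 for the all-zero IV and 0.0 for the random IV. The defensive lesson is the one the paragraph states: a per-message random IV breaks the shift-invariance of the register, so the attacker's chosen plaintext no longer controls the keystream.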
With a forged valid authentication session established, the attacker calls NetrServerPasswordSet2 to set the Domain Controller machine account password to an empty string. With an empty DC machine account password, the attacker authenticates as the DC and performs a DCSync attack to dump all Active Directory credentials.
Send ~256 Authentication Attempts
Attacker sends Netlogon authentication requests with all-zero client credentials against the domain controller. Statistically completes in under 3 seconds.
Authentication Bypass Succeeds
One of the ~256 attempts produces a valid session due to the AES-CFB8 IV flaw. The domain controller accepts the forged authentication.
Set DC Machine Account Password to Empty
Using the forged session, attacker calls NetrServerPasswordSet2 to reset the Domain Controller machine account password to empty.
Authenticate as Domain Controller
Attacker authenticates to Active Directory using the DC machine account with the empty password — gaining DC-level privileges.
DCSync to Dump All Credentials
Attacker performs a DCSync attack via Impacket's secretsdump.py or Mimikatz to replicate all Active Directory hashes, including the krbtgt account.
Golden Ticket — Full Domain Compromise
With the krbtgt hash, attacker forges Kerberos Golden Tickets for any account on the domain — achieving permanent, persistent domain administrator access.
Affected Systems and Patch Guidance
CVE-2020-1472 affects all Windows Server versions used as domain controllers: Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, and versions 1903/1909/2004. Member servers and workstations are not directly vulnerable — only domain controllers.
Microsoft implemented a two-phase rollout: the August 2020 patch enables logging (Event ID 5829 identifies non-compliant devices). The February 2021 enforcement mode update blocks all vulnerable Netlogon connections. Both patches are required for full protection.
Apply August 2020 and February 2021 updates to all DCs
Both patches are required. The August patch adds logging and partial enforcement; the February patch enforces secure Netlogon for all devices without exception.
Review Event ID 5829 warnings
After the August patch, check the System event log on DCs for Event ID 5829 — these identify non-compliant devices still using vulnerable Netlogon channels.
Enable DC enforcement mode immediately
Enable enforcement mode via Group Policy > Security Options: 'Domain controller: Allow vulnerable Netlogon secure channel connections' = Disabled. Don't wait for February's auto-enforcement.
Hunt for suspicious machine account password changes
Review Active Directory for machine accounts with recent unexpected password changes or blank passwords as indicators of prior Zerologon exploitation.
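The hunt described in the last recommendation, as an added example that is not the article's own code: it compares two exports of computer accounts and flags password changes that a member's own rotation would not explain. The records are constructed for the example; in practice they would come from an AD export with pwdLastSet converted to UTC. The 30-day rotation period is the Windows default for machine account passwords, and the example assumes the environment has not changed it.

```python
# Added example (not from the original article): flag machine-account
# password resets between two AD snapshots that do not fit normal rotation.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows default: a domain member rotates its own machine password every
# 30 days (ASSUMPTION: the default has not been changed by policy).
MACHINE_PASSWORD_ROTATION = timedelta(days=30)


@dataclass(frozen=True)
class ComputerAccount:
    sam_account_name: str      # e.g. "DC01$"
    pwd_last_set: datetime     # AD pwdLastSet, converted to UTC
    is_domain_controller: bool


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str   # "high" or "review"
    reason: str


def hunt_password_resets(baseline, current, now, lookback=timedelta(days=14)):
    """Compare two snapshots. A reset earlier than the rotation period is
    high-signal for any account; any DC account change inside the window is
    worth confirming, because a Zerologon reset lands on the DC's own account."""
    base = {a.sam_account_name: a for a in baseline}
    findings = []
    for acct in current:
        prev = base.get(acct.sam_account_name)
        if prev is None or acct.pwd_last_set <= prev.pwd_last_set:
            continue  # account new since the baseline, or password unchanged
        if now - acct.pwd_last_set > lookback:
            continue  # change is older than the hunt window
        age = acct.pwd_last_set - prev.pwd_last_set
        if age < MACHINE_PASSWORD_ROTATION:
            findings.append(Finding(
                acct.sam_account_name, "high",
                f"password reset after {age.days} days, before the "
                f"{MACHINE_PASSWORD_ROTATION.days}-day rotation"))
        elif acct.is_domain_controller:
            findings.append(Finding(
                acct.sam_account_name, "review",
                "domain controller password changed; confirm it was the DC's own rotation"))
    return findings


# Constructed sample data (not real accounts): baseline exported 2020-09-10,
# current snapshot exported 2020-09-20.
_utc = timezone.utc
BASELINE = [
    ComputerAccount("DC01$", datetime(2020, 9, 1, 2, 0, tzinfo=_utc), True),
    ComputerAccount("DC02$", datetime(2020, 8, 20, 2, 0, tzinfo=_utc), True),
    ComputerAccount("SRV-FILES-01$", datetime(2020, 8, 25, 2, 0, tzinfo=_utc), False),
    ComputerAccount("WS-FINANCE-07$", datetime(2020, 8, 12, 2, 0, tzinfo=_utc), False),
]
CURRENT = [
    ComputerAccount("DC01$", datetime(2020, 9, 15, 3, 12, tzinfo=_utc), True),    # 14 days: early
    ComputerAccount("DC02$", datetime(2020, 9, 19, 2, 30, tzinfo=_utc), True),    # 30 days: normal, but a DC
    ComputerAccount("SRV-FILES-01$", datetime(2020, 8, 25, 2, 0, tzinfo=_utc), False),  # unchanged
    ComputerAccount("WS-FINANCE-07$", datetime(2020, 9, 12, 2, 0, tzinfo=_utc), False), # 31 days: normal
    ComputerAccount("NEW-LAPTOP-03$", datetime(2020, 9, 18, 2, 0, tzinfo=_utc), False), # not in baseline
]
NOW = datetime(2020, 9, 20, 8, 0, tzinfo=_utc)

if __name__ == "__main__":
    for f in hunt_password_resets(BASELINE, CURRENT, NOW):
        print(f"{f.severity:6} {f.account:16} {f.reason}")
```

On the sample data DC01$ is reported as high (reset 14 days after its previous change) and DC02$ as review. A blank password cannot be read from the directory, so the early-reset pattern on the DC account is the practical indicator to chase; the follow-up is to correlate the timestamp with Netlogon and DC logon events from the same interval.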
The bottom line
Zerologon is a 10-second domain compromise from any internal network position. The August 2020 patch is over four years old — any unpatched domain controller is an organizational catastrophe waiting to happen. Apply the August 2020 and February 2021 security updates to all domain controllers, enable enforcement mode immediately, and review Event ID 5829 logs to identify any remaining non-compliant devices.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.