Back to KEVs

CVE-2020-1472

Netlogon Elevation of Privilege Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
November 04, 2019
Published Date
August 17, 2020
Last Updated
October 21, 2025
Vendor
Microsoft
Product
Windows Server version 2004, Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server, version 1909 (Server Core installation), Windows Server, version 1903 (Server Core installation), Windows Server 2016, Windows Server 2016 (Server Core installation), Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation), Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2, Windows Server 2012 R2 (Server Core installation), Windows Server version 20H2
Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Tags
windows cisa malware ransomware microsoft

CVSS Scores

CVSS v3.1

5.5 - MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-11-03 00:00:00 UTC) Source
Used in Malware
Yes (added 2021-11-03 00:00:00 UTC) Source

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 https://www.kb.cert.org/vuls/id/490028 http://www.openwall.com/lists/oss-security/2020/09/17/2 https://usn.ubuntu.com/4510-1/ https://usn.ubuntu.com/4510-2/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/ http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/ https://usn.ubuntu.com/4559-1/ https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html https://security.gentoo.org/glsa/202012-24 https://www.oracle.com/security-alerts/cpuApr2021.html http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html https://www.synology.com/security/advisory/Synology_SA_20_21 http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC
CISA 2021-11-03 00:00:00 UTC

Recent Mentions

Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.Key takeawaysThe "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations,...

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC

Type: github • Created: 2024-01-25 22:11:57 UTC • Stars: 2

Akash7350/CVE-2020-1472

Type: github • Created: 2023-04-30 16:41:55 UTC • Stars: 2

dr4g0n23/CVE-2020-1472

Type: github • Created: 2022-11-22 03:35:47 UTC • Stars: 0

Anonymous-Family/CVE-2020-1472

Type: github • Created: 2022-03-03 02:00:21 UTC • Stars: 0

Test tool for CVE-2020-1472

itssmikefm/CVE-2020-1472

Type: github • Created: 2021-04-22 18:51:09 UTC • Stars: 0

SaharAttackit/CVE-2020-1472

Type: github • Created: 2020-12-23 08:12:21 UTC • Stars: 0

CPO-EH/CVE-2020-1472_ZeroLogonChecker

Type: github • Created: 2020-10-17 00:14:08 UTC • Stars: 5

C# Vulnerability Checker for CVE-2020-1472 Aka Zerologon

WiIs0n/Zerologon_CVE-2020-1472

Type: github • Created: 2020-09-29 18:45:44 UTC • Stars: 11

POC for checking multiple hosts for Zerologon vulnerability

Whippet0/CVE-2020-1472

Type: github • Created: 2020-09-28 09:54:31 UTC • Stars: 0

CVE-2020-1472

striveben/CVE-2020-1472

Type: github • Created: 2020-09-26 08:31:47 UTC • Stars: 5

grupooruss/CVE-2020-1472

Type: github • Created: 2020-09-24 20:05:21 UTC • Stars: 0

CVE 2020-1472 Script de validación

hectorgie/CVE-2020-1472

Type: github • Created: 2020-09-19 23:15:41 UTC • Stars: 0

sv3nbeast/CVE-2020-1472

Type: github • Created: 2020-09-18 00:02:26 UTC • Stars: 10

CVE-2020-1472复现时使用的py文件整理打包

victim10wq3/CVE-2020-1472

Type: github • Created: 2020-09-16 14:25:54 UTC • Stars: 0

npocmak/CVE-2020-1472

Type: github • Created: 2020-09-16 09:54:09 UTC • Stars: 1

https://github.com/dirkjanm/CVE-2020-1472

murataydemir/CVE-2020-1472

Type: github • Created: 2020-09-16 09:22:30 UTC • Stars: 1

[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)

CanciuCostin/CVE-2020-1472

Type: github • Created: 2020-09-16 07:25:22 UTC • Stars: 2

CVE-2020-1472 - Zero Logon vulnerability Python implementation

Fa1c0n35/CVE-2020-1472

Type: github • Created: 2020-09-16 03:54:27 UTC • Stars: 0

jiushill/CVE-2020-1472

Type: github • Created: 2020-09-15 16:36:40 UTC • Stars: 1

CVE-2020-1472

k8gege/CVE-2020-1472-EXP

Type: github • Created: 2020-09-15 16:10:21 UTC • Stars: 57

Ladon Moudle CVE-2020-1472 Exploit 域控提权神器

thatonesecguy/zerologon-CVE-2020-1472

Type: github • Created: 2020-09-15 14:29:24 UTC • Stars: 8

PoC for Zerologon (CVE-2020-1472) - Exploit

NAXG/CVE-2020-1472

Type: github • Created: 2020-09-15 12:11:49 UTC • Stars: 2

CVE-2020-1472复现流程

0xkami/CVE-2020-1472

Type: github • Created: 2020-09-15 10:25:47 UTC • Stars: 2

CVE-2020-1472漏洞复现过程

VoidSec/CVE-2020-1472

Type: github • Created: 2020-09-14 16:57:49 UTC • Stars: 383

Exploit Code for CVE-2020-1472 aka Zerologon

dirkjanm/CVE-2020-1472

Type: github • Created: 2020-09-14 16:56:51 UTC • Stars: 1223

PoC for Zerologon - all research credits go to Tom Tervoort of Secura

cube0x0/CVE-2020-1472

Type: github • Created: 2020-09-14 16:52:37 UTC • Stars: 38

SecuraBV/CVE-2020-1472

Type: github • Created: 2020-09-08 08:58:37 UTC • Stars: 1768

Test tool for CVE-2020-1472

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Added to KEVIntel