Back to KEVs

CVE-2020-1472

Netlogon Elevation of Privilege Vulnerability

Basic Information

CVE State: PUBLISHED
Reserved Date: November 04, 2019
Published Date: August 17, 2020
Last Updated: February 04, 2025
Vendor: Microsoft
Product: Windows Server version 2004, Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server, version 1909 (Server Core installation), Windows Server, version 1903 (Server Core installation), Windows Server 2016, Windows Server 2016 (Server Core installation), Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation), Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2, Windows Server 2012 R2 (Server Core installation), Windows Server version 20H2
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

CVSS Scores

CVSS v3.1

5.5 - MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-11-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2020-11-16 17:24:25 UTC) Source
Used in Malware: Yes (added 2021-11-03 00:00:00 UTC) Source

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 https://www.kb.cert.org/vuls/id/490028 http://www.openwall.com/lists/oss-security/2020/09/17/2 https://usn.ubuntu.com/4510-1/ https://usn.ubuntu.com/4510-2/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/ http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/ https://usn.ubuntu.com/4559-1/ https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html https://security.gentoo.org/glsa/202012-24 https://www.oracle.com/security-alerts/cpuApr2021.html http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html https://www.synology.com/security/advisory/Synology_SA_20_21 http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC

Type: github • Created: 2024-01-25 22:11:57 UTC • Stars: 2

Akash7350/CVE-2020-1472

Type: github • Created: 2023-04-30 16:41:55 UTC • Stars: 2

Anonymous-Family/CVE-2020-1472

Type: github • Created: 2022-03-03 02:00:21 UTC • Stars: 0

Test tool for CVE-2020-1472

itssmikefm/CVE-2020-1472

Type: github • Created: 2021-04-22 18:51:09 UTC • Stars: 0

b1ack0wl/CVE-2020-1472

Type: github • Created: 2020-11-16 17:24:25 UTC • Stars: 1

puckiestyle/CVE-2020-1472

Type: github • Created: 2020-10-21 09:42:34 UTC • Stars: 0

CPO-EH/CVE-2020-1472_ZeroLogonChecker

Type: github • Created: 2020-10-17 00:14:08 UTC • Stars: 5

C# Vulnerability Checker for CVE-2020-1472 Aka Zerologon

WiIs0n/Zerologon_CVE-2020-1472

Type: github • Created: 2020-09-29 18:45:44 UTC • Stars: 11

POC for checking multiple hosts for Zerologon vulnerability

Whippet0/CVE-2020-1472

Type: github • Created: 2020-09-28 09:54:31 UTC • Stars: 0

CVE-2020-1472

striveben/CVE-2020-1472

Type: github • Created: 2020-09-26 08:31:47 UTC • Stars: 5

hectorgie/CVE-2020-1472

Type: github • Created: 2020-09-19 23:15:41 UTC • Stars: 0

sv3nbeast/CVE-2020-1472

Type: github • Created: 2020-09-18 00:02:26 UTC • Stars: 10

CVE-2020-1472复现时使用的py文件整理打包

victim10wq3/CVE-2020-1472

Type: github • Created: 2020-09-16 14:25:54 UTC • Stars: 0

npocmak/CVE-2020-1472

Type: github • Created: 2020-09-16 09:54:09 UTC • Stars: 1

https://github.com/dirkjanm/CVE-2020-1472

murataydemir/CVE-2020-1472

Type: github • Created: 2020-09-16 09:22:30 UTC • Stars: 1

[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)

CanciuCostin/CVE-2020-1472

Type: github • Created: 2020-09-16 07:25:22 UTC • Stars: 2

CVE-2020-1472 - Zero Logon vulnerability Python implementation

Fa1c0n35/CVE-2020-1472

Type: github • Created: 2020-09-16 03:54:27 UTC • Stars: 0

jiushill/CVE-2020-1472

Type: github • Created: 2020-09-15 16:36:40 UTC • Stars: 1

CVE-2020-1472

k8gege/CVE-2020-1472-EXP

Type: github • Created: 2020-09-15 16:10:21 UTC • Stars: 57

Ladon Moudle CVE-2020-1472 Exploit 域控提权神器

thatonesecguy/zerologon-CVE-2020-1472

Type: github • Created: 2020-09-15 14:29:24 UTC • Stars: 8

PoC for Zerologon (CVE-2020-1472) - Exploit

NAXG/CVE-2020-1472

Type: github • Created: 2020-09-15 12:11:49 UTC • Stars: 2

CVE-2020-1472复现流程

0xkami/CVE-2020-1472

Type: github • Created: 2020-09-15 10:25:47 UTC • Stars: 2

CVE-2020-1472漏洞复现过程

VoidSec/CVE-2020-1472

Type: github • Created: 2020-09-14 16:57:49 UTC • Stars: 383

Exploit Code for CVE-2020-1472 aka Zerologon

dirkjanm/CVE-2020-1472

Type: github • Created: 2020-09-14 16:56:51 UTC • Stars: 1223

PoC for Zerologon - all research credits go to Tom Tervoort of Secura

cube0x0/CVE-2020-1472

Type: github • Created: 2020-09-14 16:52:37 UTC • Stars: 38

SecuraBV/CVE-2020-1472

Type: github • Created: 2020-09-08 08:58:37 UTC • Stars: 1768

Test tool for CVE-2020-1472