The Zerologon Vulnerability Allows Attackers to Hijack Windows Domain Controller

‘Zerologon’, a vulnerability in Netlogon that could allow attackers to hijack Windows domain controller. The attack requires local network access, and therefore cannot be performed directly over the internet. However, once an attacker has a foothold in the target environment, they can change the administrator password on any Windows Domain Controller they can reach. Exploit scripts are already available on GitHub hence; organizations are strongly encouraged to apply patches provided by Microsoft immediately.

“The disclosure of the ‘Zerologon’ vulnerability, identified as CVE-2020-1472, is a significant finding, as an attacker could exploit this flaw to reset the password of the domain administrator on an organization’s domain controller. This scenario is a game over situation for any organization.

The impact of the flaw is limited to an attacker who has already gained a foothold inside an organization’s network. Despite this limitation, an attacker could leverage any number of existing unpatched vulnerabilities to breach their target network before pivoting to compromise the vulnerable domain controller. Additionally, we foresee this flaw being a compelling addition to the toolkit of ransomware gangs, who have already wreaked havoc on private organizations, educational institutions and governments over the last few years.

As we’ve already seen several exploit scripts for this vulnerability published to GitHub, which provides a blueprint for defenders and attackers, we strongly encourage organizations to apply the patches provided by Microsoft immediately. If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible, said,” Satnam Narang, Staff Research Engineer Security Response.