Zerologon — The 10-Out-of-10 Vulnerability That Should Terrify You

Osmond van Hemert
Breaches & Zero-Days - This article is part of a series.

Every few years, a vulnerability comes along that makes even jaded security professionals sit up straight. CVE-2020-1472, which researchers at Secura have dubbed “Zerologon,” is one of those. It scores a perfect 10.0 on the CVSS scale — the maximum severity rating — and for once, the score isn’t hyperbole.

The vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise an entire Active Directory domain. No credentials required. No user interaction needed. Just a few carefully crafted network packets, and you’re the domain admin. If that doesn’t get your attention, I’m not sure what will.

The Technical Breakdown

At its core, Zerologon is a cryptographic flaw in Microsoft’s Netlogon Remote Protocol (MS-NRPC), the authentication protocol used for communication between domain-joined machines and domain controllers.

The protocol uses AES-CFB8 encryption for its challenge-response authentication handshake. The problem? The implementation sets the initialization vector (IV) to all zeros. In AES-CFB8 mode each ciphertext byte is the plaintext byte XORed with the first byte of the block cipher output for the current shift register, so with a zero IV and an all-zero plaintext, if that first keystream byte happens to be zero the register never changes and the entire ciphertext comes out as all zeros. That happens with a probability of 1-in-256, since it depends only on one byte of the block cipher output under the key in use.

An attacker can simply attempt authentication repeatedly with a credential consisting of all zeros. On average, it takes about 256 attempts — which can be completed in roughly three seconds — to successfully authenticate. Once in, the attacker can use the Netlogon protocol to set the computer account password of the domain controller itself.
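To make the 1-in-256 figure concrete, here is an added example (not code from the article or from Secura) that implements CFB8 over a constructed keyed PRF standing in for AES and measures how often an all-zero plaintext under a zero IV encrypts to all zeros; it also shows, as a contrast that goes beyond the text, that a non-zero IV removes the collapse. Every name here (block_encrypt, trial_key, zero_iv_collapses, and so on) is this example's own.

```python
import hashlib

BLOCK = 16  # AES block size; CFB8 keeps a 16-byte shift register

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for the AES forward permutation (a keyed PRF, not AES). CFB only
    # runs the cipher forward, so the CFB8 behaviour below is the same with real AES.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8: ciphertext byte = plaintext byte XOR first byte of E_k(register),
    # then the register drops its oldest byte and appends that ciphertext byte.
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    # Netlogon's condition: zero IV and an all-zero 8-byte plaintext. If the first
    # ciphertext byte is 0 the register never changes, so every byte is that same 0.
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)

def first_keystream_byte_is_zero(key: bytes) -> bool:
    # Closed form of the same condition: E_k(0^16)[0] == 0, true for 1 in 256 keys.
    return block_encrypt(key, bytes(BLOCK))[0] == 0

def trial_key(i: int) -> bytes:
    # Deterministic, reproducible stand-in for random keys (constructed).
    return hashlib.sha256(b"trial-key-" + str(i).encode()).digest()

def zero_output_rate(trials: int, zero_iv: bool = True) -> float:
    # Fraction of trial keys whose all-zero plaintext encrypts to all zeros. Zero IV: ~1/256.
    # Per-key non-zero IV (to isolate the IV's role; not Microsoft's fix): ~1/256^8, i.e. never.
    hits = 0
    for i in range(trials):
        key = trial_key(i)
        iv = bytes(BLOCK) if zero_iv else hashlib.sha256(b"iv" + key).digest()[:BLOCK]
        hits += cfb8_encrypt(key, iv, bytes(8)) == bytes(8)
    return hits / trials

def find_collapsing_key(start: int = 0) -> bytes:
    # Scan trial keys until one collapses; on average about 256 are needed.
    i = start
    while not zero_iv_collapses(trial_key(i)):
        i += 1
    return trial_key(i)
```

Running `zero_output_rate(20000)` lands near 0.0039, while the same experiment with `zero_iv=False` returns 0.0.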

It’s the kind of vulnerability that makes you wonder how it persisted for so long. The cryptographic issue is, in hindsight, almost textbook. AES-CFB8 with a fixed zero IV is a well-understood weakness. But these things hide in protocols that were designed decades ago and have been layered with complexity over the years.

Why This Is Worse Than It Sounds

Let me count the ways this is particularly bad:

No authentication required. The attacker doesn’t need any credentials, domain membership, or prior access to the network. They just need to be able to reach a domain controller on TCP port 135/445.

It’s fast. The entire attack completes in seconds, not minutes or hours. By the time anyone notices, it’s over.

It grants complete domain compromise. This isn’t a privilege escalation from user to admin. This is zero to domain admin in one step.

Exploitation is straightforward. Within days of the Secura whitepaper being published, working proof-of-concept code appeared publicly. The barrier to exploitation is low.

Active Directory is everywhere. Virtually every enterprise network of any size runs Active Directory. This is not a niche product vulnerability.

The Patch Situation

Microsoft released patches in August’s Patch Tuesday — a month ago. But here’s the wrinkle: the fix is being rolled out in two phases. The August patch enables enforcement mode but doesn’t fully block vulnerable connections. Full enforcement is scheduled for February 2021.

This phased approach is understandable from a compatibility perspective — there are likely many legacy devices and non-Windows systems that use the Netlogon protocol and would break with immediate full enforcement. But it also means that even patched systems remain partially vulnerable if enforcement mode isn’t explicitly configured.

My recommendation is blunt: if you haven’t applied the August patches yet, stop reading this and go do it now. Then enable full enforcement mode immediately if your environment allows it. The risk of breaking a legacy integration is far lower than the risk of a complete domain compromise.

The Bigger Picture

Zerologon is a reminder of something I’ve been saying for years: the soft, chewy interior of corporate networks is where the real danger lies. We’ve spent enormous energy on perimeter security, endpoint detection, and email filtering. Meanwhile, protocols designed in the 1990s sit at the heart of our identity infrastructure with cryptographic flaws that a second-year computer science student could identify.

This vulnerability also highlights the problem with patch timelines. Microsoft had this reported months ago, patched it in August, and even now we’re in a partial-enforcement state. Meanwhile, working exploit code is freely available. The window between “patch available” and “patch applied” is where attackers live, and for critical infrastructure like domain controllers, that window needs to be as close to zero as possible.

What To Do Right Now

If you’re responsible for any Windows Active Directory environment:

  1. Verify August 2020 patches are installed on every domain controller
  2. Enable enforcement mode via the FullSecureChannelProtection registry key
  3. Monitor event logs for Event IDs 5827, 5828, and 5829, which indicate vulnerable Netlogon connections
  4. Audit network access to domain controllers — TCP 135 and 445 should not be reachable from untrusted network segments
  5. Assume breach if you were unpatched when the exploit code went public, and investigate accordingly
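As an added example for step 3 (not the author's script), the following triages a constructed, simplified JSON-lines export of the three Netlogon event IDs and separates machine accounts that were still let in over a vulnerable channel (5829) from those that were refused (5827/5828). The export layout and the field names MachineSamAccountName and OperatingSystem are assumptions for this example; real events carry more fields.

```python
import json
from typing import Dict, List

# Constructed, simplified export (one JSON object per line) of the kind you might
# produce from Get-WinEvent on a domain controller; only the fields used here appear.
SAMPLE_EXPORT = """
{"EventId": 5829, "TimeCreated": "2020-09-14T08:12:03", "MachineSamAccountName": "NAS01$", "OperatingSystem": "Linux"}
{"EventId": 5829, "TimeCreated": "2020-09-14T09:40:51", "MachineSamAccountName": "NAS01$", "OperatingSystem": "Linux"}
{"EventId": 5829, "TimeCreated": "2020-09-14T11:02:17", "MachineSamAccountName": "PRINTSRV$", "OperatingSystem": "Embedded"}
{"EventId": 5827, "TimeCreated": "2020-09-14T11:05:44", "MachineSamAccountName": "WKS-0042$", "OperatingSystem": "Windows 7"}
{"EventId": 5828, "TimeCreated": "2020-09-14T12:30:00", "MachineSamAccountName": "PARTNER$", "OperatingSystem": ""}
{"EventId": 4624, "TimeCreated": "2020-09-14T12:31:00", "MachineSamAccountName": "", "OperatingSystem": ""}
"""

# Meaning of the three Netlogon IDs the article tells you to watch.
NETLOGON_EVENTS = {
    5827: "denied: vulnerable secure channel from a machine account",
    5828: "denied: vulnerable secure channel from a trust account",
    5829: "ALLOWED: vulnerable secure channel (initial deployment phase only)",
}

def parse_export(text: str) -> List[dict]:
    # Keep only the Netlogon enforcement events; everything else is noise here.
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventId") in NETLOGON_EVENTS:
            events.append(rec)
    return events

def count_by_event(events: List[dict]) -> Dict[int, int]:
    counts: Dict[int, int] = {}
    for e in events:
        counts[e["EventId"]] = counts.get(e["EventId"], 0) + 1
    return counts

def still_vulnerable(events: List[dict]) -> List[str]:
    # 5829 = a device that negotiated an insecure channel and was let in. Each one must
    # be patched, replaced or consciously excepted before full enforcement in February.
    return sorted({e["MachineSamAccountName"] for e in events if e["EventId"] == 5829})

def denied(events: List[dict]) -> List[str]:
    # 5827/5828 = refused attempts; account names you do not recognise go to the top of the list.
    return sorted({e["MachineSamAccountName"] for e in events if e["EventId"] in (5827, 5828)})
```

Once full enforcement is on, 5829 should stop appearing entirely and anything that was on the `still_vulnerable` list will show up as 5827 or 5828 instead.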

I’ve seen a lot of critical vulnerabilities over three decades in this industry. This one genuinely deserves the urgency. The combination of ease of exploitation, severity of impact, and ubiquity of the target makes Zerologon one of the most dangerous Windows vulnerabilities in recent memory. Patch today, not tomorrow.
