
Microsoft Confirms Attackers Exploiting Zerologon Flaw

2 min. read
25/09/2020
By Nils Macharis

Microsoft has confirmed that attackers are actively exploiting the ‘Zerologon’ Windows flaw, tracked as CVE-2020-1472.

⚡ TL;DR | Go Straight to the Zerologon Audit Report

This flaw affects Windows Server systems and gives attackers complete access to a vulnerable IT network. The vulnerability has been named Zerologon (CVE-2020-1472), and we advise everybody to patch their Windows installations right away.

Microsoft warned in a series of tweets that exploitation of Zerologon against Windows Server installations is active. Microsoft had previously released a patch in its August 2020 Patch Tuesday update. If you have the August or September security roll-ups installed, you are patched and considered safe with respect to this vulnerability.

"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks."

The security firm Secura detected the Zerologon vulnerability, having already observed ongoing public exploits. CVE-2020-1472 is a serious threat because exploit code is circulating online. The CVE carries a ‘critical’ severity rating. This elevation-of-privilege vulnerability is present in most versions of Windows Server, from Windows Server 2008 through Windows Server 2019. A proof-of-concept exploit exists. Apparently, many malicious .NET executables named ‘SharpZeroLogon.exe’ are circulating on the web.

This flaw is easily exploitable. It could give an attacker the ability to take over an entire Windows domain or, even worse, a complete company IT network. By sending a number of Netlogon messages with various fields, the attacker can change the password for the domain controller: the New Technology LAN Manager (NTLM) hash of the domain controller is replaced with that of an empty password.
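Patching is the fix, but once the August 2020 update is installed a domain controller also tells you whether it is still accepting the kind of weak Netlogon secure channel connection this flaw abuses. The NETLOGON provider logs event IDs 5827/5828 (vulnerable connection denied), 5829 (vulnerable connection still allowed because the DC is in the initial deployment phase) and 5830/5831 (allowed by an explicit Group Policy exception) to the System log. The script below is an added example, not code from this article or from Lansweeper: it triages a constructed export of such events and classifies each DC. The export format (one JSON object per line with the fields dc, id, account and source) and the host names and addresses are assumptions made for the example; an unpatched DC logs none of these events, so silence must never be read as "safe".

```python
import json
from collections import defaultdict

# NETLOGON event IDs added to the System log by the August 2020 update
# (Microsoft's CVE-2020-1472 guidance); they are not mentioned in the article.
DENIED = {5827, 5828}             # vulnerable connection rejected (machine / trust account)
ALLOWED_DEPLOYMENT = {5829}       # vulnerable connection still allowed: DC not yet enforcing
ALLOWED_BY_POLICY = {5830, 5831}  # vulnerable connection allowed by an explicit GPO exception

# Constructed sample export, one JSON object per line (e.g. what you would get
# by serialising Get-WinEvent output). Field names and values are assumptions
# for this example, not the schema of any Microsoft tool.
SAMPLE_EXPORT = """\
{"dc": "DC01", "id": 5829, "account": "PRINTSRV$", "source": "10.0.5.23"}
{"dc": "DC01", "id": 5829, "account": "WS-0042$", "source": "10.0.9.17"}
{"dc": "DC02", "id": 5827, "account": "LAB-PC$", "source": "10.0.12.4"}
{"dc": "DC02", "id": 5827, "account": "LAB-PC$", "source": "10.0.12.4"}
{"dc": "DC02", "id": 7036, "account": "", "source": ""}
{"dc": "DC03", "id": 5830, "account": "LEGACY-NAS$", "source": "10.0.3.9"}
this line is deliberately malformed
"""


def parse_export(text):
    """Yield normalised event dicts; blank and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield {
                "dc": rec["dc"],
                "id": int(rec["id"]),
                "account": rec.get("account", ""),
                "source": rec.get("source", ""),
            }
        except (ValueError, KeyError, TypeError):
            # ValueError covers json.JSONDecodeError and a non-numeric id
            continue


def triage(events):
    """Group Zerologon-related events per DC and assign a finding per DC.

    Returns {dc: {"status": str, "allowed": [...], "denied": [...], "policy": [...]}}.
    DCs that logged none of the relevant IDs are absent from the result, which
    is exactly the case that still requires a patch-status check.
    """
    per_dc = defaultdict(lambda: {"allowed": set(), "denied": set(), "policy": set()})
    for ev in events:
        key = (ev["account"], ev["source"])
        if ev["id"] in ALLOWED_DEPLOYMENT:
            per_dc[ev["dc"]]["allowed"].add(key)
        elif ev["id"] in DENIED:
            per_dc[ev["dc"]]["denied"].add(key)
        elif ev["id"] in ALLOWED_BY_POLICY:
            per_dc[ev["dc"]]["policy"].add(key)
        # any other event ID is unrelated noise and ignored

    findings = {}
    for dc, buckets in per_dc.items():
        if buckets["allowed"]:
            status = "EXPOSED: vulnerable Netlogon connections still accepted"
        elif buckets["policy"]:
            status = "REVIEW: GPO exception keeps specific accounts on vulnerable connections"
        else:
            status = "ENFORCING: vulnerable connections are being denied"
        findings[dc] = {
            "status": status,
            "allowed": sorted(buckets["allowed"]),
            "denied": sorted(buckets["denied"]),
            "policy": sorted(buckets["policy"]),
        }
    return findings


if __name__ == "__main__":
    for dc, finding in sorted(triage(parse_export(SAMPLE_EXPORT)).items()):
        print(dc, finding["status"])
        for bucket in ("allowed", "policy", "denied"):
            for account, source in finding[bucket]:
                print(f"  {bucket:8} {account:14} from {source}")
```

The useful output is the list of accounts behind a 5829 or 5830/5831 event: those are the devices that still negotiate the weak secure channel and need attention before the DC is switched to enforcement mode, and duplicates are collapsed so a chatty host shows up once.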

Run the Zerologon Vulnerability Audit

It is critical that you apply the patches at the earliest opportunity so that you don’t fall prey to the Zerologon vulnerability. We’ve issued a dedicated Zerologon Vulnerability Audit Report that gives you an instant overview of all affected devices and their patch status.

If you haven’t already, start your free Lansweeper trial and get a list of all vulnerable devices on your network in no time.