PatchDay Alert
Analysis · 4 min read · 739 words By analysis-desk

Zerologon: a crypto mistake that hands over the domain in seconds

CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin. CVSS 10, no credentials, seconds to exploit.

Zerologon, CVE-2020-1472, is the rare bug that earns its perfect CVSS 10.0 in the most literal way: an unauthenticated attacker who can reach a domain controller over the network can become domain admin in seconds, with no credentials and almost no complexity. The cause is a cryptographic implementation mistake in the Netlogon Remote Protocol (MS-NRPC). Netlogon's credential computation used AES in CFB8 mode with a fixed, all-zero initialization vector. CFB8 produces each ciphertext byte by encrypting a 16-byte shift register, XORing the first byte of the result with the plaintext byte, and shifting that ciphertext byte into the register. Start with a zero IV and an all-zero 8-byte challenge and the register begins at zero; if the first byte of AES(key, 0^16) happens to be zero, which is true for 1 key in 256, the register never changes and all eight credential bytes come out zero. The attacker simply sends authentication attempts with a zeroed client challenge and a zeroed client credential, declining signing and sealing so the session key is never needed. Because the session key changes with every server challenge, an attempt succeeds after about 256 tries on average (a few seconds of traffic), and the attacker then uses the authenticated session to call the password-change RPC (NetrServerPasswordSet2) and set the domain controller's own machine-account password to empty. From there, it's the keys to the directory.

What the bug is

The flaw lets an attacker spoof the identity of any domain-joined machine, including the domain controller itself, to the Netlogon service, then change that account's password in Active Directory. Resetting the DC's machine account to an empty password yields domain-administrator-level access, because a DC's account is allowed to replicate the directory and with it every credential hash. Microsoft patched it on August 11, 2020, and because the fix requires secure RPC on the Netlogon channel, it was rolled out in two phases: a deployment phase in which enforcement was optional and DCs logged rather than blocked non-compliant devices, and an enforcement phase that began with the February 9, 2021 updates. CISA issued Emergency Directive 20-04 on September 18, 2020, and exploitation followed quickly once Secura (whose Tom Tervoort found the bug) published its whitepaper and public exploits appeared. It carries the ransomware flag; ransomware crews adopted it as a fast path from a network foothold to full domain control.

Why it matters beyond the patch

Zerologon is a clean example of a category that’s different from the perimeter RCEs that dominate the catalog: a core Active Directory protocol flaw that turns network access into domain takeover. An attacker doesn’t need to be authenticated; they need to be able to talk to a domain controller, which any device on the internal network can. That makes it a devastating second move after any foothold (a phished workstation, a compromised VPN), and it’s why it became a staple of ransomware playbooks. The lesson it reinforces, alongside noPac, is that Active Directory’s own protocols are attack surface, and a single flaw in one can collapse the entire identity layer.

It’s also a reminder about cryptographic implementation. The bug wasn’t a logic error in access control; it was using a cipher mode incorrectly (a fixed zero IV). Cryptography is unforgiving of these details, and “we used AES” is not the same as “we used AES correctly.” For builders, the takeaway is to never hand-roll cryptographic constructions and to have crypto usage reviewed, because a subtle mode-or-IV mistake can be catastrophic in a way that’s invisible until someone finds it.
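To make the mode-and-IV mistake concrete, here is an added example that is neither Microsoft's code nor Secura's exploit: AES-CFB8 run the way Netlogon ran it, with the IV fixed at zero, over an all-zero challenge. The AES-128 is a pure-Python implementation so nothing needs installing (it is slow and only for illustration); the function names and the counter-derived keys, which stand in for the fresh session key each random server challenge produces, are assumptions of this demo, and the 8-byte challenge/credential size, CFB8 and zero IV are the MS-NRPC details the text describes.

```python
"""AES-CFB8 with the fixed all-zero IV Netlogon used (CVE-2020-1472).
Added demo, not Microsoft's code. Pure-Python AES-128 is included only so
it runs with no extra packages (slow; not for production). The Netlogon
details (8-byte challenge/credential, CFB8, zero IV) follow MS-NRPC's
ComputeNetlogonCredential; the key loop is a constructed experiment."""
import hashlib

ZERO_IV = bytes(16)

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gen_sbox():
    """Derive the AES S-box: field inverse, then the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    while True:                                   # invariant: p * q == 1
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                # 0 has no inverse
    return sbox

SBOX = _gen_sbox()

def _expand_key(key):
    """FIPS-197 key schedule: 11 round keys of 16 bytes for AES-128."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix_column(a):
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]

def _encrypt_block(rk, block):
    """One AES-128 block with pre-expanded round keys (column-major state)."""
    s = [block[i] ^ rk[0][i] for i in range(16)]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows
        if r != 10:                                           # MixColumns
            s = sum((_mix_column(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [s[i] ^ rk[r][i] for i in range(16)]              # AddRoundKey
    return bytes(s)

def aes128_encrypt_block(key, block):
    return _encrypt_block(_expand_key(key), block)

def cfb8_encrypt(key, iv, plaintext):
    """AES-128-CFB8: XOR each byte with AES(register)[0], then shift that
    ciphertext byte into the 16-byte register."""
    rk, reg, out = _expand_key(key), list(iv), bytearray()
    for p in plaintext:
        c = _encrypt_block(rk, reg)[0] ^ p
        out.append(c)
        reg = reg[1:] + [c]
    return bytes(out)

def netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential (AES flavour): CFB8 with the fixed zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)

def zero_challenge_accepted(session_key):
    """Zerologon's condition: an all-zero challenge yields an all-zero
    credential. With IV = 0 that holds exactly when AES(key, 0^16)[0] == 0,
    because the register then never leaves the all-zero state."""
    return netlogon_credential(session_key, bytes(8)) == bytes(8)

def zerologon_success_rate(attempts=2048):
    """Simulate attempts, each with a fresh pseudo-random session key (SHA-256
    of a counter stands in for the random server challenge). Returns
    (successes, attempts); expect roughly 1 in 256."""
    hits = 0
    for i in range(attempts):
        key = hashlib.sha256(b"constructed-key-%d" % i).digest()[:16]
        hits += zero_challenge_accepted(key)
    return hits, attempts

if __name__ == "__main__":
    hits, n = zerologon_success_rate()
    print(f"{hits}/{n} zeroed attempts accepted (about {n // 256} expected)")
```

Running it reports on the order of 8 accepted attempts out of 2048, and `zero_challenge_accepted` is true precisely for the keys whose first keystream byte is zero. Nothing about AES is weak here: with a fresh random IV per credential the register would start unpredictable and an all-zero output for an all-zero input would be as unlikely as any other 64-bit value. The constant IV is the entire bug.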

What to do

  • Patch domain controllers and confirm they enforce secure RPC. If any DC somehow remains unpatched or in the non-enforcing deployment state, it's a CVSS-10 path to domain admin. The August 11, 2020 update started the deployment phase, in which the FullSecureChannelProtection registry value (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, DWORD 1) could turn enforcement on early; the February 9, 2021 updates made enforcement unconditional. Verify every DC carries the February 2021 or later cumulative update; a DC that is missing it, or that still logs event 5829, is not enforcing.
  • Monitor for the exploitation signature. KB4557222 documents the Netlogon events a patched DC writes to the System log: 5827 and 5828 (vulnerable secure-channel connection from a machine or trust account denied), 5829 (vulnerable connection allowed, logged only while the DC is in the deployment phase), and 5830/5831 (allowed solely because of a group-policy exception). The reset itself lands in the Security log as event 4742 (computer account changed) on the DC's own machine account, with ANONYMOUS LOGON (SID S-1-5-7) as the subject and a new Password Last Set value. No legitimate process changes a DC's machine account anonymously, so alert on that unconditionally.
  • Treat AD protocol bugs as tier-zero emergencies. A flaw that converts network reachability into domain admin is among the most urgent things you can face; prioritize DC patching above almost everything else.
  • Assume compromise if a DC was unpatched and reachable when exploits were circulating, and investigate for the machine-account reset and what followed it. Recovery means restoring or resetting the DC's machine-account password and resetting krbtgt twice (the second reset only after the first has replicated), because the attacker could have taken every hash in the directory. Note that the public exploits change the DC's password in Active Directory but not the copy the DC holds locally, so a hit DC may also show replication and Kerberos failures until the two are brought back in sync.
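The monitoring step above, as an added example that is not part of the original article: a small rule set run over constructed event records. The records are hand-built dictionaries using the field names of Security event 4742 and the Netlogon System-log events 5827 to 5831 from KB4557222 (the `MachineAccount` field for the Netlogon events is a simplified stand-in for the machine SamAccountName they carry); they are not captured logs, and the domain-controller account list is an assumption for the demo. In production the same logic would run over events exported from the DCs by a SIEM or Get-WinEvent.

```python
"""Zerologon indicators over constructed Windows event records (added example).

Hand-built records in the shape of Security event 4742 (computer account
changed) and the Netlogon System-log events 5827-5831 from KB4557222; not
captured logs. DC_ACCOUNTS and the MachineAccount field are demo assumptions."""
from dataclasses import dataclass

ANONYMOUS_LOGON_SID = "S-1-5-7"
DC_ACCOUNTS = {"DC01$", "DC02$"}          # assumed domain controllers

# Netlogon events: (what the DC did, meaning)
NETLOGON_EVENTS = {
    5827: ("denied", "vulnerable secure-channel connection from a machine account was denied"),
    5828: ("denied", "vulnerable secure-channel connection from a trust account was denied"),
    5829: ("allowed", "vulnerable secure-channel connection ALLOWED: this DC is not enforcing"),
    5830: ("allowed", "vulnerable machine-account connection allowed by group policy exception"),
    5831: ("allowed", "vulnerable trust-account connection allowed by group policy exception"),
}


@dataclass
class Finding:
    severity: str      # critical | high | medium
    event_id: int
    account: str
    detail: str


def analyze(events):
    """Return findings in event order. The critical case is the Zerologon
    signature itself: a DC's own machine account password set by
    ANONYMOUS LOGON, which no legitimate process does."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4742:
            target = e.get("TargetUserName", "")
            anonymous = e.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            pw_set = e.get("PasswordLastSet", "-") != "-"   # "-" means unchanged
            if anonymous and target.upper() in DC_ACCOUNTS and pw_set:
                findings.append(Finding("critical", eid, target,
                    "DC machine-account password reset by ANONYMOUS LOGON (Zerologon signature)"))
            elif anonymous and target.endswith("$"):
                findings.append(Finding("high", eid, target,
                    "machine account modified by ANONYMOUS LOGON"))
        elif eid in NETLOGON_EVENTS:
            outcome, text = NETLOGON_EVENTS[eid]
            sev = "high" if outcome == "allowed" else "medium"
            findings.append(Finding(sev, eid, e.get("MachineAccount", "?"), text))
    return findings


def worst(findings):
    """Highest severity present, or None when there are no findings."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return min((f.severity for f in findings), key=order.get, default=None)


# Constructed sample, in the shape of a DC's Security and System logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserSid": ANONYMOUS_LOGON_SID, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON"},                     # routine noise
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SubjectUserName": "svc_join", "TargetUserName": "WS042$",
     "PasswordLastSet": "9/14/2020 9:02:11 AM"},               # benign reset
    {"EventID": 5827, "MachineAccount": "OLDPRINT$"},          # insecure client
    {"EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/14/2020 3:12:07 PM"},               # the exploit
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_id} {f.account}: {f.detail}")
```

The benign reset by a join account produces nothing, the denied legacy client is a medium-severity hygiene item, and the anonymous change to DC01$ is the one that should page someone. A 5829 in the sample would rank high on its own, because it means the DC is still in the deployment phase and the denial rules are not in force.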

The reframe is to keep Active Directory’s own protocols at the top of your patch priority, because a bug there isn’t one server’s problem, it’s the whole domain’s. Zerologon turned a cipher-mode mistake into instant domain admin for anyone on the network, which is about as bad as a vulnerability gets. Patch your DCs, enforce Netlogon, watch for the machine-account reset, and treat identity-protocol flaws as the emergencies they are. We flag the AD-protocol entries with maximum weight, because they’re the bugs that end with someone owning everything.
