Microsoft warns hackers are actively targeting Zerologon vulnerability. Patch pronto!

Graham Cluley

If your business is running Windows Server, you would be wise to check that you’re patched against the Zerologon vulnerability (also known as CVE-2020-1472).

The Zerologon vulnerability, discovered by researchers at Secura, puts domain controllers at risk of hijacking by attackers seeking administrator access.

In a technical paper, Secura’s Tom Tervoort shared details of the vulnerability, which is said to be easy to exploit, and published a tool which administrators could use to test whether their domain controllers were vulnerable.

Perhaps predictably, there are now several proof-of-concept exploits for the Zerologon vulnerability publicly available.


The good news is that in August Microsoft released a fix against the vulnerability as part of its regular patch update.

The bad news is that there’s a good chance some organisations still haven’t applied it, and Microsoft says that hackers are now actively exploiting Zerologon in real-world attacks.

Last week the Department of Homeland Security (DHS), clearly anticipating that organisations would come under attack via the flaw, issued an emergency directive ordering federal agencies to apply patches against the vulnerability by the end of Monday September 21 2020.

Other software which supports the Microsoft Netlogon Remote Protocol (MS-NRPC), such as Samba, is also vulnerable to the security hole and should likewise be updated.

If there are active attacks in the wild, if the DHS is ordering federal agencies to defend themselves, and if Zerologon is so easy to exploit, don’t you think your business should be patching itself pronto?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
