Microsoft warns hackers are actively targeting Zerologon vulnerability. Patch pronto!

Graham Cluley
@gcluley

If your business is running Windows Server, you would be wise to check that you’re patched against the Zerologon vulnerability (also known as CVE-2020-1472).

The Zerologon vulnerability, discovered by researchers at Secura, puts domain controllers at risk of hijacking by attackers seeking administrator access.

In a technical paper, Secura’s Tom Tervoort shared details of the vulnerability, which is said to be easy to exploit, and published a tool that administrators could use to test whether their domain controllers were vulnerable.

Perhaps predictably, there are now several proof-of-concept exploits for the Zerologon vulnerability publicly available.


The good news is that in August Microsoft released a fix for the vulnerability as part of its regular patch update.

The bad news is that there’s a good chance some organisations still haven’t applied it, and Microsoft says that hackers are now actively exploiting Zerologon in real-world attacks.

Last week the Department of Homeland Security (DHS), clearly anticipating that organisations would come under attack via the flaw, issued an emergency directive ordering federal agencies to apply patches against the vulnerability by the end of Monday September 21 2020.

Other software which supports the Microsoft Netlogon Remote Protocol (MS-NRPC), such as Samba, is also vulnerable to the security hole and should likewise be updated.

If there are active attacks in the wild, if the DHS is ordering federal agencies to defend themselves, and if Zerologon is so easy to exploit, don’t you think your business should be patching itself pronto?



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
