Beware of Zerologon Vulnerabilities in Windows Server

Researchers have discovered a new Common Vulnerability & Exposure (CVE) called Zerologon. According to Microsoft’s Security Update of Aug. 11:

“The elevation of privilege vulnerability for Zerologon, or CVE-2020-147, exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.”

Netlogon allows the domain controller to authenticate computers and update passwords in the Active Directory. This feature is particularly vulnerable to this flaw because it allows hackers to impersonate any computer in the company’s network and change the password, even with two-factor authentication. Using Netlogon, hackers are able to change the domain controller’s password, gaining administrative access and taking control of the network.

The Zerologon Patch

Upon Zerologon’s discovery, Microsoft immediately rolled out a patch as Part I of their phased rollout, which is scheduled to be completed during the first few months of 2021. The company chose to release the patch updates in phases, as changing protocols can result in major disruptions on networks and servers that aren’t updated.

Windows Servers that still receive security updates from Microsoft have received the patch. However, many networks use non-Windows devices or legacy Windows devices that use the protocol to communicate with domain controllers.

The Zerologon patch released in August is currently blocking attacks, and provisions are in place so that non-compliant clients can continue to communicate with domain controllers, avoiding disruptions.

The DHS Emergency Directive

On Sept. 14, the Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency, issued an emergency directive requiring any federal agencies using Windows Server to perform patching actions in response to the high-risk information security threat.

Any servers whose domain controllers could not be updated by the deadline of Sept. 21 were directed to unplug from the networks.

Protecting Your Organization

Organizations that might be at risk from Zerologon should first work with their IT department to ensure the patch has been implemented. August’s patch added five Event IDs for vulnerable Netlogon connections. Event ID 5829 is generated when a vulnerable secure channel connection is allowed during the initial deployment phase.

To detect the Zerologon vulnerability in your network, look for Event ID 4742—specifically “ANONYMOUS LOGON” users—and check the Password Last Set field for any changes. Your IT department will also be able to look for the activity of all domain controllers in the Active Directory with the following code:

Admins can monitor for Event IDs 5827 and 5828, which are triggered when Netlogon connections are denied. Event IDs 5830 and 5831 are triggered when a vulnerable Netlogon connection is allowed because Group Policy permits it on the patched domain controller.
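The following PowerShell script is an added example and is not the code from the original article or from Microsoft. It pulls the five Netlogon Event IDs named above (5827 through 5831) from the System log of every domain controller, and then scans each DC’s Security log for Event ID 4742 entries whose subject is ANONYMOUS LOGON, reporting the Password Last Set field the article says to check. It assumes the RSAT ActiveDirectory module is installed on the workstation and that the account running it has remote event log access to the domain controllers; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the original article): collect the Zerologon-related events
# from all domain controllers. Assumes the RSAT ActiveDirectory module and remote
# event log access to each DC.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)          # look-back window (assumption; adjust as needed)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Event IDs added by the August 2020 patch:
#   5827/5828 = vulnerable connection denied
#   5829      = vulnerable connection allowed during the initial deployment phase
#   5830/5831 = vulnerable connection allowed because Group Policy permits the account
$netlogonIds = 5827, 5828, 5829, 5830, 5831

foreach ($dc in $dcs) {
    # System log: Netlogon secure-channel decisions on this DC
    $netlogon = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; Id = $netlogonIds; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $netlogon) {
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Summary          = ($e.Message -split "`n")[0]
        }
    }

    # Security log: 4742 "A computer account was changed". Flag entries whose subject
    # is ANONYMOUS LOGON and surface the PasswordLastSet field for review.
    $changes = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4742; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $changes) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['SubjectUserName'] -eq 'ANONYMOUS LOGON') {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = 4742
                TargetAccount    = $data['TargetUserName']
                PasswordLastSet  = $data['PasswordLastSet']
                Subject          = $data['SubjectUserName']
            }
        }
    }
}

# Cross-check from the directory itself: list when each DC's machine account password
# was last set (primary group 516 = Domain Controllers). An unexpected recent change on a
# DC account is the "Password Last Set" change the article tells you to look for.
Get-ADComputer -Filter { PrimaryGroupID -eq 516 } -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Run the script from a management workstation with domain credentials; any 5829, 5830 or 5831 entries identify accounts still negotiating vulnerable Netlogon channels and should be traced back to the device and fixed before the enforcement phase, and any 4742 hit from ANONYMOUS LOGON against a domain controller account warrants an incident response rather than a ticket.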

Organizations should continue monitoring their networks, as the vulnerability patch is evolving.

At the time of publication, Microsoft has not identified any mitigating factors or workarounds for this vulnerability aside from the Zerologon patch.
