
CVE-2020-1472 Zerologon Exploit Now Available

by Sep 15, 2020


Yesterday (14 Sep 2020), RiskSense announced that we had written and released a weaponized exploit for CVE-2020-1472, also known as “Zerologon”. We do this, of course, to help the security community. If you think about it, public exploits become useless over time, while secret exploits stay useful indefinitely (to the bad guys). Sunshine is poisonous to exploits, as they say.

But I’m getting ahead of myself. Let’s go back a bit: the Dutch security firm Secura published a novel attack on the Netlogon Remote Protocol (MS-NRPC) RPC interface that Microsoft Active Directory Domain Controllers use for machine-account authentication and password database synchronization. The attack leverages a cryptographic design weakness in the Netlogon authentication handshake: the client credential is computed with AES-CFB8 using a fixed all-zero initialization vector, so an all-zero client challenge produces an all-zero credential for roughly 1 in 256 session keys. An attacker who simply keeps retrying with zeros therefore authenticates as the domain controller’s own machine account, on average within 256 attempts, and can then call NetrServerPasswordSet2 to set that account’s password to an empty string. An astounding 1 in 256 success rate for an unauthenticated login attempt!
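To make the 1-in-256 figure concrete, here is an added example (not RiskSense’s exploit and not Secura’s code) that models the vulnerable ComputeNetlogonCredential computation: CFB8 over the 8-byte client challenge with a zero IV. With a zero challenge, the first ciphertext byte is the first byte of E_k(0^16); when that byte is zero the shift register never changes, so every following byte is zero too. The script uses real AES-128 when the `cryptography` package is installed and otherwise falls back to a SHA-256-based stand-in for the block function (clearly not AES, but the flaw is a property of CFB8-with-zero-IV, not of AES). The session keys are simulated with a seeded random generator, standing in for the fresh key an attacker gets from each NetrServerReqChallenge/NetrServerAuthenticate3 round; no network traffic is generated.

```python
"""
Added example: the cryptographic core of Zerologon (CVE-2020-1472).
Netlogon's ComputeNetlogonCredential (AES flavour) encrypts the 8-byte
client challenge with AES-128 in CFB8 mode using a fixed all-zero IV.
With an all-zero challenge the whole credential is zero whenever the
first byte of E_k(0^16) is zero: roughly 1 session key in 256.
"""
import hashlib
import random

ZERO_IV = bytes(16)
ZERO_CHALLENGE = bytes(8)

try:
    # Real AES-128 when the 'cryptography' package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Stand-in keyed pseudorandom function (NOT AES). The weakness comes from
    # CFB8 with a zero IV, so any good block function exhibits it.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each byte is XORed with the first byte of E_k(shift register)."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(shift))[0] ^ p
        out.append(c)
        shift = shift[1:] + bytes([c])  # slide one byte, feed ciphertext back
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential, AES flavour: CFB8 with a zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_succeeds(session_key: bytes) -> bool:
    """Would a client credential of eight zero bytes be accepted under this key?"""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def _random_key(rng: random.Random) -> bytes:
    """Simulated 128-bit session key (stands in for the real KDF output)."""
    return rng.getrandbits(128).to_bytes(16, "big")


def find_weak_key(seed: int = 0) -> bytes:
    """Find a session key for which the zero credential is valid (about 256 tries)."""
    rng = random.Random(seed)
    while True:
        key = _random_key(rng)
        if block_encrypt(key, ZERO_IV)[0] == 0:
            return key


def count_zero_credentials(trials: int, seed: int = 1) -> int:
    """Sample random session keys and count how often the zero credential works."""
    rng = random.Random(seed)
    return sum(zero_credential_succeeds(_random_key(rng)) for _ in range(trials))


def attempts_until_success(seed: int = 7, max_attempts: int = 5000):
    """Model the attacker's loop: every NetrServerReqChallenge yields a fresh
    server challenge and hence (from the attacker's view) a fresh random
    session key; the attacker always answers NetrServerAuthenticate3 with
    an all-zero credential. Returns the attempt number that succeeds."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if zero_credential_succeeds(_random_key(rng)):
            return attempt
    return None


if __name__ == "__main__":
    trials = 20000
    hits = count_zero_credentials(trials)
    print(f"zero credential accepted for {hits}/{trials} simulated keys "
          f"(about 1/{trials // max(hits, 1)}, expected about 1/256)")
    print(f"attacker authenticated after {attempts_until_success()} attempts")
    weak = find_weak_key()
    print("credential under a weak key:",
          compute_netlogon_credential(weak, ZERO_CHALLENGE).hex())
```

The takeaway for defenders is that the server cannot distinguish a legitimate client from the attacker on a successful attempt: the credential really is valid for that session key. The only fixes are the ones Microsoft shipped, namely rejecting unsigned/unsealed Netlogon channels and enforcing secure RPC, which is why patching the domain controllers (and later enforcing the new behaviour) matters more than any network-level signature.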

The attack has been verified and validated in an internal lab environment. This attack path can be used to achieve complete compromise of a network with any Microsoft Domain Controller without the appropriate patches for the Netlogon Remote Protocol service. Microsoft advisory here.

In an effort to help the security community, RiskSense Security Analyst Dylan Davis developed one of the first publicly available exploits and implemented the attack as reported in the Secura whitepaper. Further, RiskSense created a modified version of the Secura scanner that performs the complete attack chain including reversing the attack to restore the original domain controller machine password. The sample exploit code can be found at

Today, RiskSense made a System Filter for CVE-2020-1472 freely available to our customers to make sure they can easily identify which assets in their environment harbor this vulnerability. With everyone working together, we can make progress toward creating safer, more secure environments.


RiskSense®, Inc. provides vulnerability management and remediation prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform delivers Risk-Based Vulnerability Management and Application Security Orchestration and Correlation, in addition to our Vulnerability Knowledge Base. These products bring insight to the wide views of vulnerability risk with adversarial threat context and ties to ransomware. Vulnerability Risk Rating, threat analytics, and automated playbooks prioritize actions for critical security weaknesses, dramatically improving the efficiency and effectiveness of security and IT teams managing attack surface risk.
