CVE-2020-1472— Netlogon Elevation of Privilege Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-1472
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netlogon Elevation of Privilege Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Microsoft Windows Netlogon 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Microsoft Windows Netlogon是美国微软(Microsoft)公司的Windows的一个重要组件,主要功能是用户和机器在域内网络上的认证,以及复制数据库以进行域控备份,同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。 Microsoft Windows Netlogon 存在安全漏洞。攻击者可以使用 Netlogon 远程协议 (MS-NRPC) 建立与域控制器的易受攻击的 Netlogon 安全通道连接并进行特权提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Microsoft | Windows Server version 2004 | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server 2019 | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server 2019 (Server Core installation) | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server, version 1909 (Server Core installation) | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server, version 1903 (Server Core installation) | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server 2016 | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server 2016 (Server Core installation) | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* | |
| Microsoft | Windows Server 2008 R2 Service Pack 1 | 6.1.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server 2008 R2 Service Pack 1 (Server Core installation) | 6.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server 2012 | 6.2.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server 2012 (Server Core installation) | 6.2.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server 2012 R2 | 6.3.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server 2012 R2 (Server Core installation) | 6.3.0 ~ publication | cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:* | |
| Microsoft | Windows Server version 20H2 | 10.0.0 ~ publication | cpe:2.3:o:microsoft:windows_server_20H2:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2020-1472
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/Tobey123/CVE-2020-1472-visualizer | POC Details |
| 2 | Test tool for CVE-2020-1472 | https://github.com/SecuraBV/CVE-2020-1472 | POC Details |
| 3 | None | https://github.com/cube0x0/CVE-2020-1472 | POC Details |
| 4 | PoC for Zerologon - all research credits go to Tom Tervoort of Secura | https://github.com/dirkjanm/CVE-2020-1472 | POC Details |
| 5 | Exploit Code for CVE-2020-1472 aka Zerologon | https://github.com/VoidSec/CVE-2020-1472 | POC Details |
| 6 | Exploit for zerologon cve-2020-1472 | https://github.com/risksense/zerologon | POC Details |
| 7 | Abuse CVE-2020-1472 (Zerologon) to take over a domain and then repair the local stored machine account password. | https://github.com/bb00/zer0dump | POC Details |
| 8 | CVE-2020-1472漏洞复现过程 | https://github.com/0xkami/CVE-2020-1472 | POC Details |
| 9 | CVE-2020-1472复现流程 | https://github.com/NAXG/CVE-2020-1472 | POC Details |
| 10 | None | https://github.com/R0B1NL1N/CVE-2020-1472 | POC Details |
| 11 | PoC for Zerologon (CVE-2020-1472) - Exploit | https://github.com/thatonesecguy/zerologon-CVE-2020-1472 | POC Details |
| 12 | Ladon Moudle CVE-2020-1472 Exploit 域控提权神器 | https://github.com/k8gege/CVE-2020-1472-EXP | POC Details |
| 13 | CVE-2020-1472 | https://github.com/jiushill/CVE-2020-1472 | POC Details |
| 14 | Zabbix Template to monitor for Windows Event Viewer event's related to Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472. Monitors event ID's 5827, 5828 & 5829. See: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 | https://github.com/scv-m/zabbix-template-CVE-2020-1472 | POC Details |
| 15 | cve-2020-1472 复现利用及其exp | https://github.com/mstxq17/cve-2020-1472 | POC Details |
| 16 | None | https://github.com/Fa1c0n35/CVE-2020-1472 | POC Details |
| 17 | None | https://github.com/Fa1c0n35/SecuraBV-CVE-2020-1472 | POC Details |
| 18 | CVE-2020-1472 - Zero Logon vulnerability Python implementation | https://github.com/CanciuCostin/CVE-2020-1472 | POC Details |
| 19 | cve-2020-1472_Tool collection | https://github.com/0xcccc666/cve-2020-1472_Tool-collection | POC Details |
| 20 | [CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon) | https://github.com/murataydemir/CVE-2020-1472 | POC Details |
| 21 | https://github.com/dirkjanm/CVE-2020-1472 | https://github.com/npocmak/CVE-2020-1472 | POC Details |
| 22 | None | https://github.com/victim10wq3/CVE-2020-1472 | POC Details |
| 23 | Test script for CVE-2020-1472 for both RPC/TCP and RPC/SMB | https://github.com/zeronetworks/zerologon | POC Details |
| 24 | CVE-2020-1472复现时使用的py文件整理打包 | https://github.com/sv3nbeast/CVE-2020-1472 | POC Details |
| 25 | A simple implementation/code smash of a bunch of other repos | https://github.com/midpipps/CVE-2020-1472-Easy | POC Details |
| 26 | None | https://github.com/hectorgie/CVE-2020-1472 | POC Details |
| 27 | None | https://github.com/johnpathe/zerologon-cve-2020-1472-notes | POC Details |
| 28 | None | https://github.com/t31m0/CVE-2020-1472 | POC Details |
| 29 | CVE 2020-1472 Script de validación | https://github.com/grupooruss/CVE-2020-1472 | POC Details |
| 30 | None | https://github.com/striveben/CVE-2020-1472 | POC Details |
| 31 | None | https://github.com/Fa1c0n35/CVE-2020-1472-02- | POC Details |
| 32 | CVE-2020-1472 | https://github.com/Whippet0/CVE-2020-1472 | POC Details |
| 33 | POC for checking multiple hosts for Zerologon vulnerability | https://github.com/WiIs0n/Zerologon_CVE-2020-1472 | POC Details |
| 34 | Zerologon AutoExploit Tool | CVE-2020-1472 | https://github.com/Privia-Security/ADZero | POC Details |
| 35 | None | https://github.com/Ken-Abruzzi/cve-2020-1472 | POC Details |
| 36 | Protect your domain controllers against Zerologon (CVE-2020-1472). | https://github.com/rhymeswithmogul/Set-ZerologonMitigation | POC Details |
| 37 | None | https://github.com/shanfenglan/cve-2020-1472 | POC Details |
| 38 | Check for events that indicate non compatible devices -> CVE-2020-1472 | https://github.com/maikelnight/zerologon | POC Details |
| 39 | C# Vulnerability Checker for CVE-2020-1472 Aka Zerologon | https://github.com/CPO-EH/CVE-2020-1472_ZeroLogonChecker | POC Details |
| 40 | None | https://github.com/puckiestyle/CVE-2020-1472 | POC Details |
| 41 | None | https://github.com/mingchen-script/CVE-2020-1472-visualizer | POC Details |
| 42 | The following is the outcome of playing with CVE-2020-1472 and attempting to automate the process of gaining a shell on the DC | https://github.com/JayP232/The_big_Zero | POC Details |
| 43 | None | https://github.com/b1ack0wl/CVE-2020-1472 | POC Details |
| 44 | None | https://github.com/SaharAttackit/CVE-2020-1472 | POC Details |
| 45 | zerologon script to exploit CVE-2020-1472 CVSS 10/10 | https://github.com/wrathfulDiety/zerologon | POC Details |
| 46 | quick'n'dirty automated checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon), using leading artifects in determining an actual exploitation of CVE-2020-1472. requires admin access to the DCs | https://github.com/YossiSassi/ZeroLogon-Exploitation-Check | POC Details |
| 47 | Zerologon Check and Exploit - Discovered by Tom Tervoort of Secura and expanded on @Dirkjanm's cve-2020-1472 coded example. This tool will check, exploit and restore password to original state | https://github.com/sho-luv/zerologon | POC Details |
| 48 | Modified the test PoC from Secura, CVE-2020-1472, to change the machine password to null | https://github.com/hell-moon/ZeroLogon-Exploit | POC Details |
| 49 | Exploit Code for CVE-2020-1472 aka Zerologon | https://github.com/Udyz/Zerologon | POC Details |
| 50 | None | https://github.com/itssmikefm/CVE-2020-1472 | POC Details |
| 51 | Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing. | https://github.com/NickSanzotta/zeroscan | POC Details |
| 52 | None | https://github.com/TheJoyOfHacking/SecuraBV-CVE-2020-1472 | POC Details |
| 53 | None | https://github.com/TheJoyOfHacking/dirkjanm-CVE-2020-1472 | POC Details |
| 54 | Zero-day-scanning is a Domain Controller vulnerability scanner, that currently includes checks for Zero-day-scanning (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing. | https://github.com/Anonymous-Family/Zero-day-scanning | POC Details |
| 55 | Test tool for CVE-2020-1472 | https://github.com/Anonymous-Family/CVE-2020-1472 | POC Details |
| 56 | Set of scripts, to test and exploit the zerologon vulnerability (CVE-2020-1472). | https://github.com/carlos55ml/zerologon | POC Details |
| 57 | CVE-2020-1472 C++ | https://github.com/Rvn0xsy/ZeroLogon | POC Details |
| 58 | Tool for mass testing ZeroLogon vulnerability CVE-2020-1472 | https://github.com/guglia001/MassZeroLogon | POC Details |
| 59 | Tool for mass testing ZeroLogon vulnerability CVE-2020-1472 | https://github.com/likeww/MassZeroLogon | POC Details |
| 60 | None | https://github.com/dr4g0n23/CVE-2020-1472 | POC Details |
| 61 | Lab introduction to ZeroLogon | https://github.com/RicYaben/CVE-2020-1472-LAB | POC Details |
| 62 | None | https://github.com/Akash7350/CVE-2020-1472 | POC Details |
| 63 | Zerologon exploit for CVE-2020-1472 | https://github.com/G0urmetD/Zerologon-CVE-2020-1472 | POC Details |
| 64 | This is a combination of the zerologon_tester.py code (https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/zerologon_tester.py) and the tool evil-winrm to get a shell. | https://github.com/botfather0x0/ZeroLogon-to-Shell | POC Details |
| 65 | MS-NRPC (Microsoft NetLogon Remote Protocol)/CVE-2020-1472 | https://github.com/logg-1/0logon | POC Details |
| 66 | None | https://github.com/whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC | POC Details |
| 67 | Zabbix Template to monitor for Windows Event Viewer event's related to Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472. Monitors event ID's 5827, 5828 & 5829. See: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 | https://github.com/okay-scam/zabbix-template-CVE-2020-1472 | POC Details |
| 68 | Zabbix Template to monitor for Windows Event Viewer event's related to Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472. Monitors event ID's 5827, 5828 & 5829. See: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 | https://github.com/McKinnonIT/zabbix-template-CVE-2020-1472 | POC Details |
| 69 | None | https://github.com/JolynNgSC/Zerologon_CVE-2020-1472 | POC Details |
| 70 | Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing. | https://github.com/B34MR/zeroscan | POC Details |
| 71 | This is a combination of the zerologon_tester.py code (https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/zerologon_tester.py) and the tool evil-winrm to get a shell. | https://github.com/c3rrberu5/ZeroLogon-to-Shell | POC Details |
| 72 | A script to exploit CVE-2020-1472 (Zerologon) | https://github.com/blackh00d/zerologon-poc | POC Details |
| 73 | This project combines the Zerologon vulnerability exploit (CVE-2020-1472) with Impacket tools for streamlined exploitation and post-exploitation activities. It allows penetration testers to assess and demonstrate the impact of this critical vulnerability in a controlled and authorized environment. | https://github.com/TuanCui22/ZerologonWithImpacket-CVE2020-1472 | POC Details |
| 74 | Simulation of the Zerologon (CVE-2020-1472) vulnerability attack in Active Directory on Windows Server 2016 and the use of the Trend Micro Deep Security solution to prevent such attacks. | https://github.com/PakwanSK/Simulating-and-preventing-Zerologon-CVE-2020-1472-vulnerability-attacks. | POC Details |
| 75 | None | https://github.com/tdevworks/CVE-2020-1472-ZeroLogon-Demo-Detection-Mitigation | POC Details |
| 76 | Explicação e demonstração da vulnerabilidade ZeroLogon (CVE-2020-1472) | https://github.com/100HnoMeuNome/ZeroLogon-CVE-2020-1472-lab | POC Details |
| 77 | End-to-end Domain Controller exploitation using Metasploit and Impacket: discovered DC10, exploited Zerologon (CVE-2020-1472), extracted NTLM hashes, gained SYSTEM shell, and established a Meterpreter session. | https://github.com/nyambiblaise/Domain-Controller-DC-Exploitation-with-Metasploit-Impacket | POC Details |
| 78 | Zerologon (CVE-2020-1472) Proof-of-Concept application - Critical Active Directory vulnerability exploitation tool. | https://github.com/mods20hh/ZeroLogon-PoC-DC-Pwn | POC Details |
| 79 | Scripts for a lab environment demonstrating the Zerologon (CVE-2020-1472) vulnerability. | https://github.com/commit2main/zerologon-lab | POC Details |
| 80 | Research project exploring the ZeroLogon vulnerability. Includes technical write-up on exploit chains, troubleshooting, and server hardening. | https://github.com/JeNilSE/CVE-2020-1472-ZeroLogon-Analysis | POC Details |
| 81 | Test tool for CVE-2020-1472 | https://github.com/bvcyber/CVE-2020-1472 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-1472
请登录查看更多情报信息。
- https://www.synology.com/security/advisory/Synology_SA_20_21x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuApr2021.htmlx_refsource_MISC
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.htmlvendor-advisoryx_refsource_SUSE
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.htmlvendor-advisoryx_refsource_SUSE
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2020-1472
Same Patch Batch · Microsoft · 2020-08-17 · 121 CVEs total
| CVE-2020-1467 | 10.0 CRITICAL | Windows Hard Link Elevation of Privilege Vulnerability |
| CVE-2020-1583 | 8.8 HIGH | Microsoft Word Information Disclosure Vulnerability |
| CVE-2020-1504 | 8.8 HIGH | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2020-1552 | 8.0 HIGH | Windows Work Folder Service Elevation of Privilege Vulnerability |
| CVE-2020-1521 | 7.8 HIGH | Windows Speech Runtime Elevation of Privilege Vulnerability |
| CVE-2020-1534 | 7.8 HIGH | Windows Backup Service Elevation of Privilege Vulnerability |
| CVE-2020-1533 | 7.8 HIGH | Windows WalletService Elevation of Privilege Vulnerability |
| CVE-2020-1531 | 7.8 HIGH | Windows Accounts Control Elevation of Privilege Vulnerability |
| CVE-2020-1530 | 7.8 HIGH | Windows Remote Access Elevation of Privilege Vulnerability |
| CVE-2020-1529 | 7.8 HIGH | Windows GDI Elevation of Privilege Vulnerability |
| CVE-2020-1528 | 7.8 HIGH | Windows Radio Manager API Elevation of Privilege Vulnerability |
| CVE-2020-1527 | 7.8 HIGH | Windows Custom Protocol Engine Elevation of Privilege Vulnerability |
| CVE-2020-1526 | 7.8 HIGH | Windows Network Connection Broker Elevation of Privilege Vulnerability |
| CVE-2020-1525 | 7.8 HIGH | Media Foundation Memory Corruption Vulnerability |
| CVE-2020-1524 | 7.8 HIGH | Windows Speech Shell Components Elevation of Privilege Vulnerability |
| CVE-2020-1513 | 7.8 HIGH | Windows CSC Service Elevation of Privilege Vulnerability |
| CVE-2020-1516 | 7.8 HIGH | Windows Work Folders Service Elevation of Privilege Vulnerability |
| CVE-2020-1515 | 7.8 HIGH | Windows Telephony Server Elevation of Privilege Vulnerability |
| CVE-2020-1517 | 7.8 HIGH | Windows File Server Resource Management Service Elevation of Privilege Vulnerability |
| CVE-2020-1512 | 7.8 HIGH | Windows State Repository Service Information Disclosure Vulnerability |
Showing top 20 of 121 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Windows Server version 2004
- CVE-2020-1228
Windows DNS Denial of Service Vulnerability - CVE-2020-0836
Windows DNS Denial of Service Vulnerability - CVE-2020-0761
Active Directory Remote Code Execution Vulnerability - CVE-2020-0718
Active Directory Remote Code Execution Vulnerability - CVE-2020-0664
Active Directory Information Disclosure Vulnerability
Same vendor: Microsoft
- CVE-2026-42826
Azure DevOps Information Disclosure Vulnerability - CVE-2026-35428
Azure Cloud Shell Spoofing Vulnerability - CVE-2026-35435
Azure AI Foundry Elevation of Privilege Vulnerability - CVE-2026-34327
Microsoft Partner Center Spoofing Vulnerability - CVE-2026-33844
Azure Managed Instance for Apache Cassandra Remote Code Exec
V. Comments for CVE-2020-1472
No comments yet