CVE-2020-1472: Microsoft Netlogon Privilege Escalation Vulnerability.
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network. The vulnerability is also known as Zerologon.
- CISA KEV-listed (remediation due 2022-05-03)
- used in ransomware campaigns
- EPSS 94.4% (100.0% percentile)
Detection rules
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC (severity: high)
- Potential Zerologon (CVE-2020-1472) Exploitation (severity: high)
- Zerologon Exploitation Using Well-known Tools (severity: critical)
- Vulnerable Netlogon Secure Channel Connection Allowed (severity: high)
Related briefings
- RansomHub (Knight/Cyclops Rebranded): CVE-2024-3400 and ZeroLogon in Sub-14-Hour Attack, PCHunter EDR Termination, FileZilla Exfiltration, and Multi-Platform Ransomware Variants (2026-02-16)
- CISA, FBI, and NSA Joint Advisory: Conti Ransomware Surpasses 1,000 Attacks with TrickBot, Cobalt Strike, and Double Extortion (2026-02-16)