Morning Overview

A critical Windows Netlogon flaw lets unauthenticated attackers execute code on domain controllers over the network

A single flaw in the way Windows domain controllers verify network identities has given attackers a shortcut to total control of corporate and government networks since 2020, and security agencies warn that organizations are still falling victim to it in 2026. Tracked as CVE-2020-1472 and widely known as “Zerologon,” the vulnerability carries the maximum severity rating of CVSS 10.0. It requires no stolen passwords, no phishing emails, and no insider access. An attacker who can reach a domain controller over the network can exploit a cryptographic weakness in the Netlogon Remote Protocol (MS-NRPC) to reset the controller’s machine account password, then walk straight into domain administrator privileges.

For organizations that run Active Directory, the domain controller is the nerve center. It governs who can log in, what files they can reach, and which policies apply to every joined machine. Compromising it is the equivalent of stealing the master key to every lock in the building. That is why the Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing Emergency Directive 20-04 in September 2020, ordering all federal civilian agencies to patch or disconnect affected domain controllers within days.

How the attack actually works

The flaw sits in the way MS-NRPC authenticates a client machine to a domain controller before the secure channel is established. Normally, both sides exchange 8-byte random challenges, derive a session key from those challenges and the machine account's password, and each proves knowledge of the key by encrypting its challenge with it (the ComputeNetlogonCredential step). Tom Tervoort of the Dutch security firm Secura found that this step uses AES-CFB8 with a fixed initialization vector of all zeros. CFB8 produces each keystream byte by encrypting a 16-byte shift register whose initial contents are the IV, so with a zero IV, a zero challenge and a zero credential the check passes whenever the first byte of AES(key, 0^16) happens to be zero, which is true for roughly one session key in 256. Because the server picks a fresh challenge, and therefore a fresh session key, on every attempt, an attacker who keeps sending an all-zero challenge and an all-zero credential succeeds after about 256 tries without knowing the account's password. Two further protocol weaknesses complete the attack: the client may ask for signing and sealing to be switched off, so the attacker never needs the session key it does not know, and the same zero-credential trick satisfies the authenticator check on later calls. The attacker can therefore authenticate as any computer account in the domain, including the domain controller itself.

Once authenticated, the attacker calls NetrServerPasswordSet2 and sets the domain controller's machine account password in Active Directory to an empty string (the encrypted password blob the attacker sends is all zeros, which decrypts to a zero-length password under the same weak keystream). With that empty password, the attacker can authenticate as the domain controller and use directory replication to pull every password hash, including those of the krbtgt account and the domain administrators, then create new privileged accounts, push malicious group policies, or deploy ransomware to every machine on the network. The entire sequence takes seconds with publicly available exploit code. One caveat matters for defenders: the reset changes only the password stored in Active Directory, not the one the domain controller holds locally, so replication and other services on that controller start failing until the original password is restored. Exploit tooling therefore typically restores it after dumping the hashes, and an unexplained machine account password change or burst of replication failures on a domain controller is itself an indicator worth investigating.
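The credential check described above, as an added example that is not code from the article or from Secura: a minimal pure-Python AES-128 (for illustration only, not a production cipher) plus the AES-CFB8 mode MS-NRPC uses, with constructed stand-in session keys in place of the real, attacker-unknown key. The function names are this example's own; nothing here talks to a domain controller.

```python
"""Added example: why AES-CFB8 with a fixed all-zero IV lets an all-zero Netlogon
credential verify for about one session key in 256. Pure-Python AES-128 for
illustration; session keys are constructed stand-ins, not the real MS-NRPC KDF."""
import hashlib


def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse followed by the affine map."""
    def rotl(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3, so q == 1/p
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; state is column-major as in FIPS-197."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                          a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                          a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                          _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)


def aes_cfb8_encrypt(key, iv, data):
    """AES-CFB8: each plaintext byte is XORed with the first byte of AES(key, register);
    the register then drops its oldest byte and appends the ciphertext byte. With a zero
    IV and zero plaintext, a zero first keystream byte keeps the register at zero, so
    every following ciphertext byte is zero as well."""
    reg = bytearray(iv)
    out = bytearray()
    for p in data:
        c = p ^ aes128_encrypt_block(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(16)        # the fixed IV MS-NRPC uses: the flaw
ZERO_CHALLENGE = bytes(8)  # the all-zero ClientChallenge the exploit sends


def compute_netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential, AES flavour: CFB8 over the 8-byte challenge, zero IV."""
    return aes_cfb8_encrypt(session_key, ZERO_IV, challenge)


def attempts_until_zero_credential(seed=b"constructed-demo-seed"):
    """Simulate the attack loop. The server challenge changes every attempt, so from the
    attacker's side each attempt runs under a fresh unknown session key; a hash of a
    counter stands in for it here (constructed). The attacker always submits the
    credential 00*8 and wins when it verifies. Returns (attempts, winning_key)."""
    n = 0
    while True:
        n += 1
        key = hashlib.sha256(seed + n.to_bytes(4, "big")).digest()[:16]
        if compute_netlogon_credential(key, ZERO_CHALLENGE) == bytes(8):
            return n, key


if __name__ == "__main__":
    tries, key = attempts_until_zero_credential()
    print(f"all-zero credential accepted after {tries} attempts (about 256 expected)")
    print("first keystream byte AES(key, 0^16)[0] =", aes128_encrypt_block(key, ZERO_IV)[0])
```

The winning key is exactly one whose encryption of the zero block starts with a zero byte; with a random per-session IV, as the patched protocol effectively requires through secure RPC, the same all-zero input no longer produces an all-zero credential.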

Why it still matters six years later

Microsoft released an initial patch in August 2020 and moved to a full enforcement phase in February 2021 that blocks insecure Netlogon connections by default. Yet Zerologon continues to appear in real-world attacks. CISA’s September 2020 alert confirmed active exploitation at the time, and the vulnerability has since been incorporated into the toolkits of ransomware operators and state-sponsored groups targeting organizations that lag behind on patching.

Several factors explain the persistence of the risk:

  • Legacy environments. Organizations running older Windows Server versions or third-party appliances that depend on insecure Netlogon behavior may have delayed enforcement to avoid breaking critical services.
  • Patch vs. enforcement confusion. The August 2020 update protected Windows machine accounts and trust accounts immediately, but a domain controller still accepted insecure Netlogon connections from other (non-Windows) device accounts unless the administrator set the FullSecureChannelProtection registry value under the Netlogon parameters to 1. Until the February 2021 update made enforcement unconditional, those accounts could still be impersonated on a controller with only the first update installed. Some administrators may never have completed the second step.
  • Shadow IT and mergers. Domain controllers inherited through acquisitions or standing in forgotten branch offices can escape normal patch management cycles.

The US-CERT bulletin issued on September 14, 2020, noted that exploit code was already circulating publicly, meaning the barrier to entry for attackers has been low from the start. Any domain controller reachable over the network that has not been both patched and placed in enforcement mode should be treated as compromised until verified otherwise.

What organizations should verify now

Security teams that want to confirm they are protected need to check three things, not just one:

  1. Patch status. Confirm that every domain controller has received the relevant cumulative update from August 2020 or later. Microsoft’s security advisory for CVE-2020-1472 lists the specific KB numbers by operating system version.
  2. Enforcement mode. Since the February 2021 update, domain controllers refuse vulnerable Netlogon secure channel connections unconditionally, and the FullSecureChannelProtection registry value from the initial deployment phase no longer needs to be set. What remains configurable is the group policy "Domain controller: Allow vulnerable Netlogon secure channel connections", which can exempt named accounts from enforcement. Review that policy on every domain controller and treat each listed account as a deliberate exception that needs a justification.
  3. Legacy device audit. Identify any devices or applications still attempting insecure Netlogon connections. Event IDs 5827 through 5831 in the Windows System event log flag these attempts: 5827 and 5828 record connections denied for a machine account and a trust account respectively, 5829 records a vulnerable connection that was allowed during the initial deployment phase, and 5830 and 5831 record connections allowed only because the account is listed in the exemption policy. Each event names the account and the client IP address. Any device generating those events needs remediation or an explicit, documented exception with compensating controls.

Organizations operating hybrid environments that bridge on-premises Active Directory with cloud identity services like Microsoft Entra ID (formerly Azure Active Directory) should pay particular attention. A compromised on-premises domain controller that synchronizes with cloud directories could give attackers a path into cloud-hosted resources, expanding the blast radius well beyond the local network.

What Zerologon reveals about patch urgency

The trajectory of CVE-2020-1472 offers a case study in how quickly a disclosed vulnerability can become a weapon. Microsoft shipped the fix on August 11, 2020. Secura published its technical writeup on September 11, 2020. Within days, working exploit code appeared on GitHub, and on September 14 CISA warned that exploit code was public. On September 18, CISA issued Emergency Directive 20-04, a step the agency reserves for threats it considers an immediate risk to federal infrastructure, and by September 24 Microsoft and CISA had confirmed active exploitation in the wild.

That timeline compressed the window between disclosure and real-world attacks to roughly two weeks. For vulnerabilities that target core authentication mechanisms and require no credentials, standard monthly maintenance windows are not fast enough. Organizations that lack the ability to execute emergency patch rollouts, with pre-approved change-control procedures and clear communication channels between security teams and business leadership, will continue to find themselves exposed long after fixes are available.

Zerologon earned its maximum severity score for a reason. It turns a single network connection into total domain compromise, and the only reliable defense, the patch together with the enforcement it introduced, has been available for years. Any domain controller that remains unpatched or unenforced in June 2026 is not just a technical debt item. It is an open invitation.


*This article was researched with the help of AI, with human editors creating the final content.