Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1

Number: AL20-022 UPDATE 1
Date: 16 September 2020
Updated: 24 September 2020


This Alert is intended for IT professionals and managers of notified organizations.


An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients.  The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.


The Cyber Centre has become aware of recently published proofs of concept exploit code related to CVE-2020-1472, a Netlogon elevation of privilege vulnerability. The Cyber Centre strongly recommends that organizations immediately patch vulnerable systems.


On 23 September 2020 Microsoft reported [4] that CVE-2020-1472 is being actively exploited by malicious actors. Organizations that have not already updated affected systems should patch immediately and review for indicators of compromise (IOC). Several IOCs are supplied below in the INDICATORS OF COMPROMISE section.

Proofpoint has released a Suricata Intrusion Detection System (IDS) signature [5] to assist in the identification of exploitation attempts.

On 18 September 2020 the Samba Team published an advisory [6] confirming that certain versions of Samba, when configured as a domain controller, are also vulnerable to CVE-2020-1472.


On 11 August 2020 Microsoft published Security Updates to address vulnerabilities in multiple products [1], including an update for a critical privilege escalation vulnerability [2]. Tracked as CVE-2020-1472 the exploit occurs when establishing a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol.

Exploitation of this vulnerability could allow a malicious actor with local network access to escalate privileges to a domain administrator level.

Microsoft is addressing this vulnerability using a two phased approach that is outlined in the below referenced Microsoft Guidelines [3].


The Cyber Centre recommends that organizations immediately install the latest security updates from Microsoft.


Microsoft has supplied the following sample exploit IOCs (SHA-256):



[1] Cyber Centre Advisory AV20-323: 

[2] Microsoft Advisory - CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability:

[3] Microsoft Guidelines - How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472:

UPDATE: [4] Microsoft Security Intelligence (@MsftSecIntel):

UPDATE: [5] 2030871 ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)

UPDATE: [6] Unauthenticated domain takeover via netlogon ("ZeroLogon"):
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment.  We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: