Zerologon

CVE identifier(s): CVE-2020-1472
Date discovered: 17 August 2020
Date patched: 11 February 2021
Discoverer: Tom Tervoort from Secura
Affected software: Netlogon Remote Protocol

Zerologon (formally: CVE-2020-1472) is a privilege-elevation vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC), the authentication protocol used between domain members and domain controllers, as implemented in the Windows Client Authentication Architecture and in Samba. The vulnerability was first reported to Microsoft by security researcher Tom Tervoort of Secura on 17 August 2020 and dubbed "Zerologon". Zerologon was given a Common Vulnerability Scoring System v3.1 severity score of 10 by the U.S. National Institute of Standards and Technology and a 5.5 by Microsoft. CrowdStrike classifies it as the most severe Active Directory vulnerability of 2020.

The vulnerability allows an unauthenticated attacker with network access to a Domain Controller (DC) to complete the Netlogon authentication handshake without knowing any password, and then to impersonate the DC itself and elevate to domain administrator privileges. The root cause is in the ComputeNetlogonCredential function of MS-NRPC, which encrypts the 8-byte challenge with AES in 8-bit cipher feedback mode (AES-CFB8) using a fixed all-zero initialisation vector. If the client sends an all-zero challenge, then for roughly 1 in 256 session keys the resulting credential is also all zeros; because the server derives a fresh session key for each attempt and does not rate-limit failures, an attacker who always sends zeros is accepted after about 256 attempts on average. The name "Zerologon" refers to this use of all-zero values. Once authenticated as the DC, the attacker can reset the DC's machine account password and use the DC's identity to obtain the password hashes of every account in the breached domain. This in turn lets them assume the privileges of any legitimate user of the network, which can extend to compromising Microsoft 365 email accounts tied to those domain identities.
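The following is an added example, written for this page rather than taken from Secura's research or from any Microsoft or Samba source, that shows why the all-zero challenge works. It implements AES-CFB8 with a zero IV exactly as the MS-NRPC credential computation uses it, shows that the credential for a zero challenge is all zeros precisely when the first byte of AES_K(0^16) is zero (so about 1 key in 256), and simulates a domain controller that picks an unknown session key per attempt to count how many all-zero logon attempts are needed. The real session key is derived from the account's password hash and both challenges; here it is drawn at random, which is what it looks like to an attacker who does not know the password. The function and type names (ComputeNetlogonCredential is named after the protocol function; the rest are this example's own) are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// aesCFB8ZeroIV encrypts plaintext with AES in 8-bit cipher feedback mode
// using a fixed all-zero IV. Each output byte is plaintext XOR the first byte
// of AES_K(shift register); the register then shifts left by one byte and the
// ciphertext byte is appended. The constant zero IV is the root of Zerologon.
func aesCFB8ZeroIV(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize) // all-zero IV, never randomised
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		c := p ^ ks[0]
		out[i] = c
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = c
	}
	return out
}

// ComputeNetlogonCredential mirrors the MS-NRPC function of the same name for
// the AES case: the 8-byte challenge is encrypted with AES-CFB8, zero IV.
func ComputeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return aesCFB8ZeroIV(sessionKey, challenge)
}

var zeroChallenge = make([]byte, 8)

// CredentialIsZero reports whether this session key turns the all-zero
// challenge into an all-zero credential, i.e. whether "0 logon" succeeds.
func CredentialIsZero(sessionKey []byte) bool {
	return bytes.Equal(ComputeNetlogonCredential(sessionKey, zeroChallenge), zeroChallenge)
}

// FirstKeystreamByteIsZero checks AES_K(0^16)[0] == 0. With a zero IV and a
// zero plaintext byte, a zero first ciphertext byte leaves the shift register
// all-zero, so every following byte is zero too; a non-zero first byte makes
// the credential non-zero. The two predicates therefore agree exactly.
func FirstKeystreamByteIsZero(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0] == 0
}

func randomSessionKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// ZeroCredentialFraction samples n random session keys; expect about 1/256.
func ZeroCredentialFraction(n int) float64 {
	hits := 0
	for i := 0; i < n; i++ {
		if CredentialIsZero(randomSessionKey()) {
			hits++
		}
	}
	return float64(hits) / float64(n)
}

// simulatedDC models the server side of the handshake: per attempt it picks a
// session key the attacker cannot predict (derived from the password in the
// real protocol) and accepts the client if the credential matches.
type simulatedDC struct{}

func (simulatedDC) acceptsClient(clientChallenge, clientCredential []byte) bool {
	expected := ComputeNetlogonCredential(randomSessionKey(), clientChallenge)
	return bytes.Equal(expected, clientCredential)
}

// AttemptsUntilAccepted replays the attacker's strategy: send an all-zero
// challenge and all-zero credential until the DC accepts. Returns the number
// of attempts needed, or -1 if none succeeded within maxAttempts.
func AttemptsUntilAccepted(maxAttempts int) int {
	dc := simulatedDC{}
	for i := 1; i <= maxAttempts; i++ {
		if dc.acceptsClient(zeroChallenge, zeroChallenge) {
			return i
		}
	}
	return -1
}

func main() {
	fmt.Printf("fraction of keys giving a zero credential: %.5f (1/256 = %.5f)\n",
		ZeroCredentialFraction(50000), 1.0/256)
	fmt.Printf("all-zero attempts until the simulated DC accepted: %d\n", AttemptsUntilAccepted(5000))
}
```

Running the block prints a fraction close to 0.0039 and an attempt count that averages around 256. The simulation omits the later steps of a real attack (the follow-on RPC calls that reset the machine account password) and the session-key derivation; it isolates the single property the name refers to, that a fixed zero IV in CFB8 lets an all-zero input produce an all-zero output with non-negligible probability.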