
Attacks exploiting Netlogon vulnerability (CVE-2020-1472)

Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472), which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account, which could then be used to steal domain credentials and take over the domain.

Deploying the August 11, 2020 security update or a later release to every domain controller is the most critical first step toward addressing this vulnerability. Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts. We strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability. We have updated the FAQs in that original guidance from August to provide further clarity.

  • UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  • FIND which devices are making vulnerable connections by monitoring event logs.
  • ADDRESS non-compliant devices making vulnerable connections.
  • ENABLE enforcement mode to address CVE-2020-1472 in your environment.
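The FIND and ENABLE steps above can be checked from a domain controller with a short script. The following PowerShell is an added example, not code from the MSRC post or from KB4557222: it queries the System log for the Netlogon event IDs 5827 through 5831 that KB4557222 documents for the deployment phases, groups the still-vulnerable connections by account so non-compliant devices can be addressed, and reports whether the FullSecureChannelProtection registry value that enables enforcement mode is set. The `SamAccountName:` pattern used to pull the account name out of the event text is an assumption about the message format; if it does not match, the script falls back to pointing at the raw message.

```powershell
# Added example (not from the MSRC post): inventory Netlogon secure-channel
# events documented in KB4557222 for CVE-2020-1472 and report whether
# enforcement mode is configured on this domain controller.
# Run in an elevated session on a DC that has the August 11, 2020 (or later) update.

# Event IDs and meanings as documented in KB4557222.
$NetlogonEvents = @{
    5827 = 'DENIED vulnerable connection from a machine account'
    5828 = 'DENIED vulnerable connection from a trust account'
    5829 = 'ALLOWED vulnerable connection (initial deployment phase) - remediate this device'
    5830 = 'ALLOWED vulnerable machine account connection by Group Policy exception'
    5831 = 'ALLOWED vulnerable trust account connection by Group Policy exception'
}

function Get-VulnerableNetlogonConnections {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($NetlogonEvents.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event text names the account as "SamAccountName: <name>".
            # Fall back to a marker so the raw message is consulted instead.
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<see message>' }
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                Meaning          = $NetlogonEvents[$_.Id]
                Account          = $account
                DomainController = $ComputerName
            }
        }
}

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 enables enforcement mode (KB4557222).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    switch ($value) {
        1       { 'Enforcement mode ENABLED via registry' }
        0       { 'Enforcement mode explicitly DISABLED via registry (initial deployment behaviour)' }
        default { 'FullSecureChannelProtection not set - behaviour follows the installed update phase' }
    }
}

# Summarise which accounts still make vulnerable connections and how often.
Get-VulnerableNetlogonConnections -Days 7 |
    Group-Object EventId, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'EventId'; e = { $_.Group[0].EventId } },
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Meaning'; e = { $_.Group[0].Meaning } } |
    Format-Table -AutoSize

Get-NetlogonEnforcementState
```

Event ID 5829 is the one to drive remediation from: it records a vulnerable connection that the domain controller allowed during the initial deployment phase and would deny once enforcement mode is on. Run the script against each domain controller (the `-ComputerName` parameter of `Get-VulnerableNetlogonConnections`) before enabling enforcement, since a device that only authenticates to one DC will only appear in that DC's log.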

Organizations that deploy Microsoft Defender for Identity (previously Azure Advanced Threat Protection) or Microsoft 365 Defender (previously Microsoft Threat Protection) are able to detect adversaries as they try to exploit this specific vulnerability against their domain controllers.

Finally, we have emphasized our previous guidance to relevant government agencies. For example, we contacted the Cybersecurity and Infrastructure Security Agency (CISA) which has issued an additional alert to remind state and local agencies, including those involved in the U.S. elections, about applying steps necessary to address this vulnerability.

Aanchal Gupta
VP Engineering, MSRC
