CVE-2020-1472 in ZFS Storage Appliance Kitinfo

Summary

by MITRE

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates becomes available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Analysis

by VulDB Data Team • 12/17/2025

The vulnerability identified as CVE-2020-1472 represents a critical elevation of privilege flaw within Microsoft's Netlogon Remote Protocol implementation, specifically affecting domain controllers in Active Directory environments. This vulnerability operates through the Netlogon secure channel connections that establish trust relationships between domain controllers and member servers or workstations. The flaw allows an attacker to bypass authentication requirements and gain domain administrator privileges through a specially crafted Netlogon secure channel connection. The vulnerability stems from improper validation in the Netlogon authentication protocol, specifically where an attacker can manipulate the authentication process to establish a secure channel without proper credentials. This represents a fundamental breakdown in the authentication mechanism that forms the backbone of Microsoft's Active Directory security model.

The technical exploitation of CVE-2020-1472 occurs through the manipulation of the Netlogon Remote Protocol, which is defined in the MS-NRPC specification and operates on TCP port 135 and dynamic ports. The vulnerability exists in the way Netlogon handles the authentication process during secure channel establishment, particularly when the protocol accepts weak or null authentication credentials. Attackers can exploit this by establishing a vulnerable secure channel connection to a domain controller, effectively bypassing the normal authentication requirements. The flaw allows for a downgrade attack where the protocol accepts insecure authentication methods, enabling unauthorized access to domain controller resources. This vulnerability is classified under CWE-287 as improper authentication and aligns with ATT&CK technique T1078.002 for valid accounts and T1566 for phishing with social engineering. The attack vector requires network access to the domain controller and can be executed remotely without prior authentication, making it particularly dangerous in enterprise environments.

The operational impact of CVE-2020-1472 is severe and far-reaching, as successful exploitation grants attackers complete administrative control over an entire Active Directory domain. Once an attacker achieves domain administrator privileges through this vulnerability, they can perform lateral movement throughout the network, access sensitive data, modify user accounts, create backdoor access points, and potentially escalate to cloud environments if the domain is integrated with Azure AD. The vulnerability affects Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and Windows Server version 1903 and 1909 domain controllers. The impact extends beyond the immediate compromise, as attackers can use the elevated privileges to establish persistent access, deploy malware, and conduct data exfiltration operations. Organizations with multiple domain controllers or complex Active Directory environments face increased risk, as the vulnerability can be exploited across the entire domain infrastructure. The vulnerability's severity is rated as critical by Microsoft, with CVSS scores reaching 8.1, indicating high exploitability and significant impact on confidentiality, integrity, and availability.

Microsoft addressed this vulnerability through a two-phase rollout approach to minimize disruption to enterprise environments while providing comprehensive protection. The first phase focused on updating the Netlogon authentication process to properly validate secure channel connections and reject weak authentication methods. The second phase, implemented in early 2021, completed the remediation by enforcing stronger authentication requirements and modifying the secure channel establishment process. Organizations should implement the updates as soon as possible, with Microsoft recommending immediate deployment of the first phase updates followed by the second phase once available. The mitigation strategy includes applying the specific security updates released by Microsoft, which modify how Netlogon handles secure channel connections and enforce proper authentication validation. Additional protective measures include network segmentation to limit access to domain controllers, monitoring for unusual authentication patterns, and implementing network access controls to restrict communication with domain controllers. Security teams should also conduct thorough vulnerability assessments to identify systems running vulnerable versions of Windows Server and ensure proper patch management procedures are in place to prevent similar issues in the future.
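As an added example (not part of the VulDB record, and not Microsoft's tooling), the Python below triages the Netlogon events that the August 2020 update writes to a domain controller's System log. This is how a team finds machines that are still opening vulnerable secure channels during the first, non-enforcing phase described above, before the second phase starts denying them. Event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are taken from Microsoft's KB4557222 guidance; the sample records and account names are constructed, and the pipe-delimited export format is an assumption (a real export, e.g. from Get-WinEvent, would need its own parser).

```python
"""Triage Netlogon secure-channel events from a domain controller.

Added example, not from VulDB or Microsoft. Event IDs and the registry
value below are the ones documented in Microsoft's KB4557222 guidance.
"""
from collections import Counter

# Event IDs logged to the System log on patched DCs (KB4557222).
DENIED_MACHINE = 5827             # vulnerable connection denied, machine account
DENIED_TRUST = 5828               # vulnerable connection denied, trust account
ALLOWED_PHASE1 = 5829             # allowed only because enforcement is not yet on
ALLOWED_BY_POLICY_MACHINE = 5830  # allowed via explicit group-policy exception
ALLOWED_BY_POLICY_TRUST = 5831    # same, for a trust account

# Constructed sample export (not real data), one event per line:
# "event_id|account|client_ip". The format itself is an assumption.
SAMPLE_EVENTS = """\
5829|NAS01$|10.0.5.21
5829|NAS01$|10.0.5.21
5829|PRINTER7$|10.0.8.9
5827|WORKSTATION42$|10.0.3.77
5830|LEGACYAPP$|10.0.9.4
4624|alice|10.0.1.5
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        eid, account, client = line.split("|", 2)
        events.append({"id": int(eid), "account": account, "client": client})
    return events


def triage(events):
    """Bucket accounts by what the DC did with their secure-channel request."""
    report = {
        "still_vulnerable": Counter(),  # 5829: would be denied once enforced
        "denied": Counter(),            # 5827/5828: already blocked
        "policy_exception": Counter(),  # 5830/5831: deliberately exempted
        "other": 0,                     # unrelated event IDs in the export
    }
    for ev in events:
        eid = ev["id"]
        if eid == ALLOWED_PHASE1:
            report["still_vulnerable"][ev["account"]] += 1
        elif eid in (DENIED_MACHINE, DENIED_TRUST):
            report["denied"][ev["account"]] += 1
        elif eid in (ALLOWED_BY_POLICY_MACHINE, ALLOWED_BY_POLICY_TRUST):
            report["policy_exception"][ev["account"]] += 1
        else:
            report["other"] += 1
    return report


def enforcement_mode(full_secure_channel_protection):
    """Interpret the DWORD at HKLM\\SYSTEM\\CurrentControlSet\\Services\\
    Netlogon\\Parameters\\FullSecureChannelProtection: 1 means the DC
    already denies vulnerable connections; anything else is the
    initial deployment phase, where it only logs 5829."""
    return "enforced" if full_secure_channel_protection == 1 else "deployment"


def actions(report, mode):
    """Turn the report into per-account follow-ups for the patching team."""
    out = {}
    for acct in report["still_vulnerable"]:
        if mode == "deployment":
            out[acct] = "patch or replace before enforcement starts"
        else:
            # 5829 should never appear once enforcement is on; check this DC.
            out[acct] = "unexpected 5829 in enforced mode; verify registry on DC"
    for acct in report["denied"]:
        out[acct] = "already blocked; confirm device is patched or decommissioned"
    for acct in report["policy_exception"]:
        out[acct] = "exempted by policy; review and remove the exemption"
    return out


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_EVENTS))
    for acct, todo in actions(rep, enforcement_mode(0)).items():
        print(f"{acct:16} {todo}")
```

Accounts that show up repeatedly under 5829 (the NAS in the sample) are the ones that will break the day the DC switches to enforcement, so the report is worth running on every DC, not only the PDC emulator, since each DC logs only the channels it served.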

Reservation: 11/04/2019
Moderation: accepted
Entry: 2

CPE: ready
Exploit: Download
EPSS: 0.99512
KEV: yes
Activities: very low

Sources