Microsoft issues warning about actively exploited Zerologon vulnerability in Windows

It is just days since the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency warning about a critical Windows vulnerability. Now Microsoft has issued a warning that the vulnerability is being actively exploited and the company is “actively tracking threat actor activity”.

The Netlogon elevation-of-privilege (EoP) vulnerability (CVE-2020-1472) is concerning not just because of its severity, but because it can be exploited in a matter of seconds. The security issue affects Windows Server 2008 and above, and enables an attacker to gain admin control of a domain.

Writing on Twitter, the company said: “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks”.

The security issue was discovered by Tom Tervoort, a security researcher at Secura, and Secura went on to publish a technical paper and a proof-of-concept tool.

Microsoft’s security intelligence team posted several tweets about the vulnerability.

Microsoft has already issued a patch for the vulnerability, and users are encouraged to install this as soon as possible if they have not done so already. There is also a micropatch available from 0patch aimed at people for whom Microsoft’s official patch poses a compatibility issue.