CVE-2020-1472

actively exploited

malware scan detection code search

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

5.5

cvss high

common vulnerability scoring system v3.1. measures intrinsic severity on a 0-10 scale.

epss 0.9438

exploitation prediction scoring system. probability this vulnerability will be exploited in the wild in the next 30 days.

kev yes

cisa known exploited vulnerabilities catalog. confirmed active exploitation.

CVSS 3.1 Common Vulnerability Scoring System v3.1

5.5 / 10

MEDIUM

exploitability

Attack Vector

Local

Attack Vector (AV:L): requires local access. attacker must have shell access or physical login.

Attack Complexity

Low

Attack Complexity (AC:L): no special conditions needed. attack can be reliably reproduced.

Privileges Required

Low

Privileges Required (PR:L): requires basic user-level access.

User Interaction

None

User Interaction (UI:N): no victim action needed. fully exploitable without user interaction.

impact

Scope

Unchanged

Scope (S:U): impact limited to the vulnerable component.

Confidentiality

High

Confidentiality (C:H): total information disclosure. attacker gains access to all data within the component.

Integrity

None

Integrity (I:N): no integrity impact.

Availability

None

Availability (A:N): no availability impact.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

exploitation detection attribution advisories media timeline

activity density

rdintel assessment

actively exploited. patch immediately.

ransomware in use.

flagged malicious repos detected. do not execute.

detection rules available.

composite score from 15+ signals including exploitation status, epss probability, detection coverage, and community attention. 0-100 scale.

exploitation

actively exploited

Vendor - Product Name

Apply vendor-provided patches

poc repositories (3)

researcher/exploit-poc - 42 stars - Python

security-lab/cve-checker - 18 stars - Go

detection

nuclei-template-id - critical - by projectdiscovery

sigma-rule-title - high - windows

timeline

2024-01-15 - published - CVE record created

2024-01-18 - poc - First exploit code published

2024-01-20 - kev - Added to known exploited

pocs, detection rules, timeline, advisories, and more