IRONSMITHINTEL
CRITICAL · CVSS 10.0 | Actively Exploited | CISA KEV | CVE-2020-1472 | Auth: none | Reboot: required | Est. 30–60 minutes including reboot | Manual only

Netlogon Authentication Bypass Allows Instant Domain Controller Takeover

An attacker on your network can take over any Domain Controller in seconds by exploiting a flaw in the Netlogon authentication handshake — no credentials required.

Published May 7, 2026 · Updated May 10, 2026
Why patch: Risk explained in plain English

Worst-case scenario: If unpatched

An attacker with network access to a Domain Controller's Netlogon service (TCP 445) can reset the DC computer account password to a known value without any credentials. This gives them SYSTEM-level access to the Domain Controller and effectively full control of the Active Directory domain, including all user accounts, group policies, and domain-joined systems.

How the attack works: No clicks needed

The Netlogon Remote Protocol uses AES-CFB8 to authenticate computers and domain controllers. A flaw in the implementation allows an attacker to forge a valid Netlogon credential by sending 256 authentication attempts — each using all-zero bytes as the client challenge. Statistically, one of these attempts will succeed with a valid all-zero session key, allowing the attacker to completely change the Domain Controller computer account password.
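To see why the number is 256 and why failed attempts tell the DC nothing, the following added example (ours, not IronsmithIntel's and not Microsoft's code) reproduces only the cryptographic step: AES-CFB8 with a fixed all-zero IV over an 8-byte all-zero challenge, run across random session keys. For roughly 1 key in 256 the first keystream byte is 0x00, the shift register then stays all zeros, and the whole 8-byte credential comes out as zeros regardless of the key. The function name Invoke-AesCfb8 and the trial count are our own; the construction is standard CFB with 8-bit feedback built on .NET's AES in ECB mode. The defender's takeaway is that success does not depend on any secret the attacker holds, so only the patch and enforcement mode close it.

```powershell
# Added example: demonstrate the AES-CFB8 zero-IV weakness behind CVE-2020-1472.
# Not code from the advisory; Invoke-AesCfb8 is our own helper name.
function Invoke-AesCfb8 {
    param([byte[]]$Key, [byte[]]$Iv, [byte[]]$Plaintext)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB     # raw block function only
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $Key
    $enc = $aes.CreateEncryptor()
    $register = [byte[]]::new(16); [Array]::Copy($Iv, $register, 16) # CFB shift register starts as the IV
    $block    = [byte[]]::new(16)
    $out      = [byte[]]::new($Plaintext.Length)
    for ($i = 0; $i -lt $Plaintext.Length; $i++) {
        [void]$enc.TransformBlock($register, 0, 16, $block, 0)      # keystream block = AES_K(register)
        $out[$i] = $block[0] -bxor $Plaintext[$i]                   # CFB8 uses only the first keystream byte
        [Array]::Copy($register, 1, $register, 0, 15)               # shift the register left by one byte
        $register[15] = $out[$i]                                    # feed the ciphertext byte back in
    }
    $enc.Dispose(); $aes.Dispose()
    return $out
}

$zeroIv        = [byte[]]::new(16)   # Netlogon's fixed IV
$zeroChallenge = [byte[]]::new(8)    # the all-zero client challenge the advisory describes
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$trials = 10000; $zeroCredentials = 0
for ($t = 0; $t -lt $trials; $t++) {
    $key = [byte[]]::new(16); $rng.GetBytes($key)                  # a fresh, unknown session key each trial
    $cred = Invoke-AesCfb8 -Key $key -Iv $zeroIv -Plaintext $zeroChallenge
    if (@($cred -ne 0).Count -eq 0) { $zeroCredentials++ }         # credential is all zeros: this attempt would succeed
}
"All-zero credentials: $zeroCredentials of $trials trials (expected about 1 in 256, i.e. {0:N0})" -f ($trials / 256)
```

Run it on any machine with PowerShell 5 or later; the count lands near trials/256 every time, which is the whole reason 256 attempts are enough.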

Am I affected? Quick check

Probably yes if any of these apply:

All Domain Controllers
Active Directory environments
Any server with Netlogon service exposed on the network
Running Windows Server 2008 R2 through 2019 before August 2020 patch

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: KB4571694 (2016), KB4565349 (2019)
Real-world incidents: What we've seen

Zerologon was weaponised in ransomware attacks within weeks of disclosure in September 2020. Ransomware operators used it as a privilege escalation step after gaining initial access to a network — within seconds they had Domain Admin credentials and began deploying ransomware domain-wide.

How to patch

Manual remediation steps

30–60 minutes including reboot

Step 1 — Check if Patched

# Check for August 2020 or later Netlogon patch
# Note: a later cumulative update supersedes these KB IDs, so an empty result does not prove the DC is unpatched;
# in that case compare the OS build against the August 2020 cumulative update for your version.
Get-HotFix | Where-Object { $_.HotFixID -in @('KB4571694','KB4565349','KB4565351') }

Step 2 — Apply Cumulative Update

1. Open Settings → Windows Update
2. Install all available updates — the Zerologon patch is included in the August 2020 and later cumulative updates
3. Reboot the server

Step 3 — Enable Enforcement Mode (Required by Feb 2021)

After applying the initial patch, Domain Controllers operate in compatibility mode. Enforcement mode was mandatory from February 9, 2021 onward.

# Inspect the enforcement-mode setting: 1 = enforcement mode explicitly enabled; absent = OS default,
# which is enforcement mode once the February 2021 or later update is installed; 0 = compatibility mode (honoured only before the enforcement phase)
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name FullSecureChannelProtection -ErrorAction SilentlyContinue

Step 4 — Check for Non-Compliant Devices

# Review NETLOGON.LOG for machines using vulnerable Netlogon
# (requires Netlogon debug logging, e.g. nltest /dbflag:0x2080ffff; otherwise the file is empty or absent)
Get-Content 'C:\Windows\debug\netlogon.log' |
    Select-String 'vulnerable' | Select-Object -Last 50

Verification

# Confirm patch level
systeminfo | Select-String 'KB4571694|KB4565349|KB4565351'
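The steps above are four separate checks; the following added example (ours, not IronsmithIntel's forthcoming automation and not a Microsoft tool) runs them as one posture report on the local DC. Assumptions not taken from the advisory: it is run elevated on the DC; event IDs 5827 and 5828 (vulnerable secure channel denied) and 5829 (vulnerable secure channel allowed) in the System log are the Netlogon events Microsoft added with the August 2020 update; the first event property of 5829 is the account name; $LookbackDays and the output field names are our own.

```powershell
# Added example: one-shot Zerologon posture report tying Steps 1-4 and Verification together.
# Not the advisory's code. Assumptions: run elevated on the DC; event IDs 5827/5828/5829 as
# described in the lead-in; $LookbackDays is our own tuning parameter.
param([int]$LookbackDays = 7)

$report = [ordered]@{}

# Step 1 - patch presence. A later cumulative update supersedes these KB IDs, so an empty result
# is not proof the DC is unpatched; the OS build is recorded for manual comparison.
$augustKbs = @('KB4571694', 'KB4565349', 'KB4565351')
$report.AugustKbListed = [bool](Get-HotFix | Where-Object { $_.HotFixID -in $augustKbs })
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.OsBuild = "$($ver.CurrentBuild).$($ver.UBR)"

# Step 3 - enforcement mode. 1 = explicitly enforced; absent = OS default, which is enforcement
# once the February 2021 or later update is installed; 0 = compatibility mode, honoured only
# before the enforcement phase.
$np   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = (Get-ItemProperty -Path $np -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
$report.FullSecureChannelProtection = if ($null -eq $fscp) { 'absent' } else { $fscp }
$report.EnforcementMode =
    if ($null -eq $fscp) { 'OS default (enforced with the Feb 2021 or later update)' }
    elseif ($fscp -eq 1) { 'explicitly enforced' }
    elseif ($fscp -eq 0) { 'compatibility mode requested' }
    else                 { "unexpected value $fscp" }

# Step 4 - devices still negotiating vulnerable secure channels. Get-WinEvent errors when nothing
# matches, hence SilentlyContinue; @() keeps .Count valid for zero or one events.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829; StartTime = $since } -ErrorAction SilentlyContinue)
$report.VulnerableDenied  = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
$report.VulnerableAllowed = @($events | Where-Object { $_.Id -eq 5829 }).Count
# Properties[0] is assumed to be the account name in 5829; use $_.Message if your build differs.
$report.NonCompliantAccounts = @($events | Where-Object { $_.Id -eq 5829 } |
    ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join ', '

# The advisory's netlogon.log check, guarded: the file only exists once Netlogon debug logging is on.
$log = 'C:\Windows\debug\netlogon.log'
$report.NetlogonLogVulnerableLines = if (Test-Path $log) { @(Select-String -Path $log -Pattern 'vulnerable').Count } else { 'log not present' }

# Verdict: anything that needs a human look is REVIEW rather than a pass.
$report.Verdict = if (-not $report.AugustKbListed -or $report.VulnerableAllowed -gt 0 -or $fscp -eq 0) { 'REVIEW' } else { 'OK' }

[pscustomobject]$report | Format-List
```

A non-zero VulnerableAllowed count means the DC is still accepting insecure Netlogon channels and lists the accounts to fix or retire; VulnerableDenied entries are the expected evidence that enforcement mode is doing its job.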
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.