IRONSMITHINTEL
Critical · CVSS 10.0 · Actively Exploited · CISA KEV · CVE-2020-1472 · Auth: none · Reboot: required · Est. 30–60 minutes including reboot · Manual only

KB4565351: Windows Server 2016 / 2019 / 2022 Security Update (May 2026)

An attacker on your network can take over any Domain Controller in seconds by exploiting a flaw in the Netlogon authentication handshake — no credentials required.

Published May 7, 2026 · Updated May 29, 2026
Why patch (risk explained in plain English)

Worst-case scenario if unpatched

An attacker with network access to a Domain Controller's Netlogon service (TCP 445) can reset the DC computer account password to a known value without any credentials. This gives them SYSTEM-level access to the Domain Controller and effectively full control of the Active Directory domain, including all user accounts, group policies, and domain-joined systems.

How the attack works (no clicks needed)

The Netlogon Remote Protocol uses AES-CFB8 to authenticate computers and domain controllers. A flaw in the implementation allows an attacker to forge a valid Netlogon credential by sending 256 authentication attempts, each using all-zero bytes as the client challenge. Statistically, one of these 256 attempts will succeed with a valid all-zero session key, allowing the attacker to change the Domain Controller computer account password.

Am I affected? (quick check)

Probably yes if any of these apply:

All Domain Controllers
Active Directory environments
Any server with Netlogon service exposed on the network
Running Windows Server 2008 R2 through 2019 without the August 2020 patch

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: KB4565351, KB4601315, KB4601318, KB4601319, KB4601345, KB4601347, KB4601348, KB4601349, KB4601357, KB4601363, KB4601384 (applies to 14 product versions)

Real-world incidents: what we've seen

Zerologon was weaponised in ransomware attacks within weeks of disclosure in September 2020. Ransomware operators used it as a privilege escalation step after gaining initial access to a network — within seconds they had Domain Admin credentials and began deploying ransomware domain-wide.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB4565351

Manual remediation steps

30–60 minutes including reboot

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates

KB4565351 — https://support.microsoft.com/help/4565351
KB4601315 — https://support.microsoft.com/help/4601315
KB4601318 — https://support.microsoft.com/help/4601318
KB4601319 — https://support.microsoft.com/help/4601319
KB4601345 — https://support.microsoft.com/help/4601345
KB4601347 — https://support.microsoft.com/help/4601347
KB4601348 — https://support.microsoft.com/help/4601348
KB4601349 — https://support.microsoft.com/help/4601349
KB4601357 — https://support.microsoft.com/help/4601357
KB4601363 — https://support.microsoft.com/help/4601363
KB4601384 — https://support.microsoft.com/help/4601384

Supersedes: KB4565483, KB4598229, KB4598230, KB4598242, KB4598243, KB4598278, KB4598279, KB4598285

Affected Products

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core installation)

Installation Methods

Windows Update (recommended)

1. Settings → Windows Update → Check for updates
2. The security update is offered if your system is in scope
3. Restart when prompted; a reboot IS required to complete the install

Microsoft Update Catalog (manual download)

1. Open https://catalog.update.microsoft.com
2. Search for KB4565351
3. Download the package matching your OS architecture and Windows build
4. Run the .msu installer with administrator privileges
5. Restart when prompted

WSUS / SCCM / Intune

Approve KB4565351 for the affected products in your update management console.

Microsoft Download Center Links

https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4565351
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4601315
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4601318
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4601319
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4601345
(…6 more)

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB4565351','KB4601315','KB4601318','KB4601319','KB4601345','KB4601347','KB4601348','KB4601349','KB4601357','KB4601363','KB4601384') }
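The same check run across every Domain Controller in the domain, as an added example that is not part of the original page. It assumes the ActiveDirectory RSAT module is available, that Get-HotFix can reach each DC remotely (WMI/DCOM), and uses the KB list from this page; the DC, Status, KB and InstalledOn column names are this example's own.

```powershell
# Added example: report which Domain Controllers have at least one of the KBs
# listed on this page. Assumes the ActiveDirectory module and rights to query
# Win32_QuickFixEngineering (Get-HotFix) on each DC remotely.
$RequiredKBs = @('KB4565351','KB4601315','KB4601318','KB4601319','KB4601345',
                 'KB4601347','KB4601348','KB4601349','KB4601357','KB4601363','KB4601384')

Import-Module ActiveDirectory

$Results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $installed = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.HotFixID -in $RequiredKBs }
    } catch {
        # An unreachable DC (offline, firewall, DCOM denied) is reported, not silently skipped
        [pscustomobject]@{ DC = $name; Status = 'UNREACHABLE'; KB = $null
                           InstalledOn = $null; Error = $_.Exception.Message }
        continue
    }
    if ($installed) {
        foreach ($hf in $installed) {
            [pscustomobject]@{ DC = $name; Status = 'PATCHED'; KB = $hf.HotFixID
                               InstalledOn = $hf.InstalledOn; Error = $null }
        }
    } else {
        [pscustomobject]@{ DC = $name; Status = 'MISSING'; KB = $null
                           InstalledOn = $null; Error = $null }
    }
}

$Results | Sort-Object Status, DC | Format-Table -AutoSize

# Non-zero exit code for scheduled or pipeline use when any DC is not confirmed patched
if ($Results | Where-Object { $_.Status -ne 'PATCHED' }) { exit 1 }
```

Because later monthly cumulative updates supersede these KBs, a DC that received a newer cumulative update will show that update's KB instead and can report MISSING here; treat that result as a prompt to confirm the installed cumulative post-dates these KBs, not as proof the DC is exposed.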

References

Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
KB article: https://support.microsoft.com/help/4601315
KB article: https://support.microsoft.com/help/4601318
KB article: https://support.microsoft.com/help/4601319
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-1472
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1472

Discovery Credit

Tom Tervoort of Secura, Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
