When it was initially fixed by Microsoft as part of its regular Patch Tuesday update in August 2020, Zerologon (CVE-2020-1472) received limited attention. But, by the end of the year, it was the focus of several government alerts and had been adopted by threat actors of various motivations and capabilities. One year on, it is arguably one of the top-exploited vulnerabilities of 2020, as evidenced by this recent joint cybersecurity alert from international government agencies.
Claire Tills, senior research engineer with Tenable’s Security Response Team, has analysed the significant moments in Zerologon’s timeline, offering the following observations:
“In a year of headline-making vulnerabilities and incidents, Zerologon (CVE-2020-1472) stands out due to its widespread adoption by threat actors and its checkered disclosure timeline.
“The summer of 2020 was an exhaustingly busy few months in the cybersecurity sector. Just in the scheduled, recurring security releases from Oracle, Microsoft and Adobe, over 800 vulnerabilities were added to prioritisation queues between July 14 and September 10, 2020.
“Microsoft itself patched 120 CVEs in August, including Zerologon, rating the vulnerability ‘Critical’ and scoring it 8.8, stating that exploitation was ‘less likely.’ However, and the timeline is a little sketchy, later that day Microsoft updated its guide re-scoring Zerologon as 10.0 with exploitation ‘more likely.’ This could be the reason it received limited mention in most Patch Tuesday analyses.
“Defenders rely on accurate, timely information from vendors in order to make effective prioritisation decisions. The less information they receive or the more inaccurate it is, the harder it gets for the industry to defend from attackers.”
Claire has published her full analysis of Zerologon in a blog post. A more detailed overview of the 2020 vulnerability season, and how Zerologon fits into the larger security landscape, are covered in Tenable’s Threat Landscape Retrospective report.