{
	"id": "5bc55987-8e17-4593-84c7-0d9db7fe7d5f",
	"created_at": "2026-04-06T00:19:05.206873Z",
	"updated_at": "2026-04-10T13:12:10.244307Z",
	"deleted_at": null,
	"sha1_hash": "eadacc1a4693f2d755603e8e7bcf862b4eec2245",
	"title": "CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274540,
	"plain_text": "CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities\r\nBy Satnam Narang\r\nPublished: 2020-10-12 · Archived: 2026-04-05 15:35:07 UTC\r\nU.S. Government agencies issue joint cybersecurity advisory cautioning that advanced threat groups are chaining vulnerabilities together to gain entry into government networks and elevate privileges.\r\nUpdate October 13, 2020: The Identifying affected systems section has been updated to include details about the availability of a Zerologon scan template for Tenable.io, Tenable.sc and Nessus.\r\nBackground\r\nOn October 9, the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory. The advisory, identified as Alert AA20-283A, provides insight into advanced persistent threat (APT) actors’ activity against networks associated with federal and state, local, tribal, and territorial (SLTT) governments. The alert details how APT actors are using vulnerability chaining or exploit chaining, incorporating a recently disclosed elevation of privilege vulnerability in their attacks.\r\nThe following is a list of vulnerabilities referenced in the CISA/FBI joint cybersecurity alert:\r\nCVE Vendor/Product CVSSv3 Tenable VPR* Disclosed\r\nCVE-2019-11510 Pulse Connect Secure SSL VPN 10.0 10.0 Apr 2019\r\nCVE-2018-13379 Fortinet FortiOS SSL VPN 9.8 9.8 May 2019\r\nCVE-2019-19781 Citrix Netscaler 9.8 9.9 Dec 2019\r\nCVE-2020-1631 Juniper Junos OS 9.8 6.7 Apr 2020\r\nCVE-2020-2021 Palo Alto Networks PAN-OS 10.0 10.0 Jun 2020\r\nCVE-2020-5902 F5 BIG-IP 9.8 9.9 Jul 2020\r\nCVE-2020-15505 MobileIron 9.8 9.5 Jul 2020\r\nCVE-2020-1472 Microsoft Netlogon 10.0 10.0 Aug 2020\r\n*Please note Tenable VPR scores are calculated nightly. This blog post was published on October 12 and reflects VPR at that time.\r\nAnalysis\r\nhttps://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain\r\nPage 1 of 6\r\nInitial access gained through SSL VPN vulnerability\r\nAccording to the CISA/FBI alert, the APT actors are “predominantly” using CVE-2018-13379 to gain initial access to target environments.\r\nCVE-2018-13379 is a path traversal vulnerability in Fortinet’s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. It was patched by Fortinet in April 2019. However, it wasn’t until after exploitation details were made public in August 2019 that reports emerged of attackers exploiting it in the wild.\r\nIn addition to the Fortinet vulnerability being used to gain initial access, CISA/FBI have also observed, “to a lesser extent,” APT actors using CVE-2020-15505, a remote code execution vulnerability in MobileIron’s Core and Connector.\r\nPost exploitation elevation of privilege using Zerologon\r\nOnce the APT actors have gained an initial foothold into their target environments, they are elevating privileges using CVE-2020-1472, a critical elevation of privilege vulnerability in Microsoft’s Netlogon. Dubbed “Zerologon,” the vulnerability has gained notoriety after it was initially patched in Microsoft’s August Patch Tuesday release.\r\nOn September 18, CISA issued Emergency Directive 20-04 in an effort to ensure Federal Civilian Executive Branch systems were patched against the vulnerability.\r\nZerologon observed as part of attacks in the wild\r\nOn September 23, Microsoft’s Security Intelligence team tweeted that they had observed the Zerologon exploits being “incorporated into attacker playbooks” as part of threat actor activity.\r\nIn a follow-up tweet on October 6, Microsoft’s Security Intelligence team noted a new campaign leveraging CVE-2020-1472 originating from a threat actor known as CHIMBORAZO, also known as TA505, a financially motivated nation-state actor.\r\nCISA/FBI warn of additional vulnerabilities being targeted for initial access\r\nIn addition to the Fortinet and MobileIron vulnerabilities identified in recent campaigns, the CISA/FBI alert also warns that these APT threat actors may also leverage one of the following vulnerabilities to gain entry into their targeted networks:\r\nCVE-2019-11510 is an arbitrary file disclosure vulnerability in Pulse Connect Secure SSL VPN\r\nCVE-2019-19781 is a path traversal vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP appliances\r\nCVE-2020-1631 is a local file inclusion (LFI) vulnerability in Juniper’s Junos OS HTTP/HTTPS service\r\nCVE-2020-2021 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) authentication in PAN-OS when certain prerequisites are met\r\nCVE-2020-5902 is a path traversal vulnerability in the traffic management user interface (TMUI) in F5’s BIG-IP application delivery service.\r\nEvergreen vulnerabilities remain popular amongst threat actors\r\nMany of the vulnerabilities referenced in this joint alert from CISA/FBI have become evergreen flaws for threat actors. As part of CISA’s Top 10 Routinely Exploited Vulnerabilities alert, they reference both the Pulse Secure and Citrix ADC vulnerabilities.\r\nIn September, CISA issued two separate alerts (AA20-258A, AA20-259A) that highlight how APT actors from China and Iran are targeting unpatched vulnerabilities in Pulse Connect Secure, Citrix ADC, and F5’s BIG-IP.\r\nElections support systems accessed, yet elections data integrity intact\r\nIn Alert AA20-283A, CISA mentions that they observed activity that “resulted in unauthorized access to elections support systems.” However, they also mention that despite said unauthorized access, they have no evidence to support that the “integrity of elections data has been compromised.”\r\nZerologon needs to be patched immediately\r\nWith the latest alert from CISA and the FBI, coupled with reporting from other vendors, it seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\r\nProof of concept\r\nA number of proofs-of-concept (PoC) and exploit scripts were made available soon after these vulnerabilities were publicly disclosed. The following is a subset of some of the PoCs and exploit scripts:\r\nCVE Source URL\r\nCVE-2018-13379 GitHub\r\nCVE-2018-13379 GitHub\r\nCVE-2018-13379 GitHub\r\nCVE-2019-11510 GitHub\r\nCVE-2019-11510 GitHub\r\nCVE-2019-11510 GitHub\r\nCVE-2019-19781 GitHub\r\nCVE-2019-19781 GitHub\r\nCVE-2019-19781 GitHub\r\nCVE-2020-5902 GitHub\r\nCVE-2020-5902 GitHub\r\nCVE-2020-5902 GitHub\r\nCVE-2020-15505 GitHub\r\nCVE-2020-1472 GitHub\r\nCVE-2020-1472 GitHub\r\nCVE-2020-1472 GitHub\r\nSolution\r\nPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI. Most of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\r\nPlease refer to the individual advisories below for further details.\r\nCVE Patch Information\r\nCVE-2019-11510 SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\r\nCVE-2018-13379 FG-IR-18-384: FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\r\nCVE-2019-19781 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance\r\nCVE-2020-1631 2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services\r\nCVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication\r\nCVE-2020-5902 K52145254: TMUI RCE vulnerability CVE-2020-5902\r\nCVE-2020-15505 July 2020: MobileIron Security Updates Available\r\nCVE-2020-1472 Netlogon Elevation of Privilege Vulnerability\r\nIdentifying affected systems\r\nA list of Tenable plugins to identify these vulnerabilities can be found here:\r\nCVE-2019-11510\r\nCVE-2018-13379\r\nCVE-2019-19781\r\nCVE-2020-1631\r\nCVE-2020-2021\r\nCVE-2020-5902\r\nCVE-2020-15505\r\nCVE-2020-1472\r\nAll CVEs combined\r\nTenable.io, Tenable.sc and Nessus users can use a new scan template dedicated to targeting Zerologon. Plugin 140657 and its dependencies are automatically enabled within the template, and it also comes with the required settings automatically configured.\r\nSatnam Narang\r\nSenior Staff Research Engineer, Security Response\r\nSatnam joined Tenable in 2018. He has over 15 years’ experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He’s appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.\r\nInterests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).\r\nSource: https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain"
	],
	"report_names": [
		"cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eadacc1a4693f2d755603e8e7bcf862b4eec2245.pdf",
		"text": "https://archive.orkl.eu/eadacc1a4693f2d755603e8e7bcf862b4eec2245.txt",
		"img": "https://archive.orkl.eu/eadacc1a4693f2d755603e8e7bcf862b4eec2245.jpg"
	}
}