Many organizations rely on Microsoft Active Directory (AD) as a core component of their IT infrastructure. AD is a directory service that stores information about user accounts and network resources. Additionally, it provides authentication and authorization services. In 2020, security researcher Tom Tervoort disclosed a critical vulnerability known as Zerologon (CVE-2020-1472). The vulnerability allowed attackers to obtain domain administrator privileges without prior authentication by exploiting a flaw in the Windows Netlogon Remote Protocol, potentially leading to the complete compromise of an AD domain. Microsoft subsequently released two security updates to mitigate the issue.
However, researchers from Ruhr-University Bochum have now found that the patches are insufficient to fully remediate the vulnerability. In their paper “Onelogon: Taking over Active Directory Accounts via Netlogon” (Alexander Neff, Tobias Holl, Kevin Borgolte), they demonstrate that attackers can gain control of some AD domains in just 33 minutes through two distinct methods, potentially allowing attackers to take over the entire domain. The root cause is, just as for Zerologon, the improper use of AES-CFB8 encryption in the Netlogon protocol.
Onelogon: A New Threat
Onelogon is a novel attack vector that can bypass the security measures Microsoft implemented. The researchers have developed two variants of Onelogon, both of which can enable attackers to take over AD accounts in specific cases, and in some cases to gain control over the entire AD domain in under 40 minutes. The vulnerability stems from a cryptographic flaw in the Netlogon protocol that was not adequately addressed by the Zerologon patches.
Responsible Disclosure
The researchers responsibly disclosed their findings to Microsoft in December 2025 to allow the vendor time to address the vulnerability through patches or updated documentation on how to detect and mitigate the attacks. Unfortunately, Microsoft has yet to provide additional patches or detailed guidance. To give AD domain administrators and operators the chance to identify vulnerable systems and remediate the vulnerability themselves, the researchers have made their prototype implementation available as open source.
Recommendations and Mitigation Measures
The researchers provide practical recommendations for organizations to protect themselves from these attacks. This includes addressing the vulnerability at its root cause and implementing measures to enhance network security without compromising compatibility with legacy systems. Administrators can also use tools to detect ongoing and successful attacks.
https://softsec.link/woot26.onelogon