Apparently, Zerologon affects Windows’ domain controllers and, if used accordingly by hackers, would enable insidious parties to escalate privileges within a system and, in turn, gain access to other systems and files. It does this by reportedly taking advantage of the Windows Server Netlogon Remote protocol and authentication. In order to record session data of the affected user.
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 19, 2020 To be clear, Microsoft had been informed about Zerologon back in August and even released a patch to alleviate the flaw specifically for its Windows Server OS. Despite this, CISA is clearly not taking any further chances with the exploit, which explains why it issued the emergency directive in the first place. To that end, the emergency directive will require all agencies to either update all Windows Servers with the domain controller role, or to simply “pull un-updatable systems from the network. It’s an extreme reaction from a government agency, but at the same time, it can also be argued that you wouldn’t want to find yourself on the receiving end of an exploit with the higher severity rating on the Common Vulnerability Scoring System (CVSS). (Source: Hot Hardware, Engadget)
