Microsoft has announced that attackers have started to use an exploit targeting Windows Server systems. The vulnerability on which the exploit is based was identified a few months ago and patched by the Redmond giant in August.
Despite Microsoft's best efforts, security analysts have warned in the past that tech-savvy users can unravel a patch and reverse-engineer their way back to the original flaw, a strategy that allows them to produce functional exploits for malicious purposes.
While Microsoft releases new security updates on a constant basis, many companies prefer to delay the update process to avoid potential conflicts between the updates and the hardware and software solutions that are vital to the business. As a result, many servers remain vulnerable and can easily be targeted by exploits.
CVE-2020-1472, as the vulnerability has been named by Microsoft, has received a critical severity rating from the company, which means that attackers can exploit it with little to no interaction from users. The flaw is present across versions of Windows Server released from 2008 to 2019.
Official information notes that the vulnerability can be used by an attacker to gain administrative access to a Windows domain controller, granting the ability to run any application at will without needing to authenticate. A compromised domain controller can also offer a direct route to confidential company files.
Several .NET executable files bearing the filename SharpZeroLogon.exe have found their way to a popular service where users can upload files and have them scanned by several antivirus engines at once, suggesting that exploits are being developed at a fast pace.
Companies and governments are encouraged to install the patch for the vulnerability as soon as possible, as malicious campaigns could surface in the coming weeks.