Archived Content

In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Blog

Windows Server Vulnerability Requires Immediate Attention

Released
Revised

Author: Bryan Ware, Assistant Director 

One of the most important things you can do for your cybersecurity is to update your software - and if your network relies on Microsoft Windows Active Directory, a critical vulnerability exists that requires your attention.

This afternoon, CISA issued Emergency Directive 20-04, which instructs the Federal Civilian Executive Branch agencies to apply August 2020 security update (CVE-2020-1472) for Microsoft’s Windows Servers to all domain controllers. The update fixes a recently discovered flaw in Windows Netlogon Remote Protocol that could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. 

While agencies are responsible for managing risk to their networks, CISA is responsible for safeguarding and securing the Federal enterprise. We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary. Left unpatched, this vulnerability could allow attackers to compromise network identity services. We have directed agencies to implement the patch across their infrastructure by Monday, September 21, and given instructions for which of their many systems to prioritize. 

CISA will provide assistance and resources to guide agencies with completing required actions. The investments in the Continuous Diagnostics and Mitigation Program will pay dividends as it will help federal agencies with mature implementation to identify where unpatched servers reside and track patching progress. For additional support, our state and local government partners are encouraged to contact the Multi-State-Information Sharing and Analysis Center (MS-ISAC) at soc@cisecurity.org

Though this directive applies to Executive Branch agencies, we strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible. If enterprises cannot immediately apply the update, we urge them to remove relevant domain controllers from their networks. We have published an Activity Alert with information about our directive, as well as resources to help critical infrastructure protect their networks. We’d also like to acknowledge the efforts of our partners at Microsoft in working to ensure the security of their products. 

Go get patching!