Zerologon

[2] The vulnerability was first reported to Microsoft by security researcher Tom Tervoort from Secura on 17 August 2020 and dubbed "Zerologon".

[1][3] Zerologon was given a Common Vulnerability Scoring System v3.1 severity score of 10 by the U.S. National Institute of Standards and Technology and a 5.5 by Microsoft.

[4][3] In the penultimate step, the password is set to an empty one, allowing the attacker to follow the normal protocol procedure from this point on.

A less strict one in August 2020 and a later one in February 2021 that enforces signing and encryption for MS-NRPC calls by default, with the ability to allow certain devices to handle legacy support.

[8] In 2020, Zerologon started to be used by sophisticated cyberespionage campaigns of threat groups such as Red Apollo in global attacks against the automotive, engineering and pharmaceutical industry.

[5] Unusually, Zerologon was the subject of an emergency directive from the United States Cybersecurity and Infrastructure Security Agency.

Figure: AES-CFB8 performed on a 16-byte IV concatenated with an 8-byte client challenge using the shared key as the key, resulting in an 8-byte client credential vector.
Figure: AES-CFB8 performed on an all-zero 16-byte IV concatenated with an all-zero 8-byte nonce using the shared key as the key, resulting in an all-zero 8-byte Netlogon client credential.
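
The two figures above can be reproduced offline. The following is an added example, not code from the original page: it implements CFB8 mode and counts, over a set of constructed keys, how often an all-zero IV with an all-zero 8-byte challenge yields an all-zero credential, compared with a non-zero IV. Assumption: the block cipher is a stand-in keyed function (truncated HMAC-SHA256) rather than AES, which is sufficient because CFB mode only ever uses the cipher in the encrypt direction; the function names and keys are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, XOR the first output byte
    with one plaintext byte, then shift the ciphertext byte into the register."""
    reg = iv
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def constructed_keys(n: int) -> list:
    """Deterministic sample session keys, constructed for this example."""
    return [hashlib.sha256(b"constructed-key-%d" % i).digest()[:16]
            for i in range(n)]


def count_all_zero(keys, iv: bytes, challenge: bytes) -> int:
    """Number of keys whose 8-byte credential comes out all-zero."""
    return sum(cfb8_encrypt(k, iv, challenge) == bytes(8) for k in keys)


if __name__ == "__main__":
    keys = constructed_keys(4096)
    zero_iv = bytes(BLOCK)
    # All-zero IV and all-zero challenge: if the first keystream byte is 0,
    # the register never changes, so all 8 output bytes are 0 (about 1 key in 256).
    print("all-zero IV :", count_all_zero(keys, zero_iv, bytes(8)), "of", len(keys))
    # Non-zero IV: the register changes every step, so all 8 bytes must
    # independently come out as 0 (about 1 key in 2**64).
    print("non-zero IV :", count_all_zero(keys, bytes(range(1, 17)), bytes(8)),
          "of", len(keys))
```

The count for the all-zero IV equals the number of keys whose encryption of the zero block starts with a zero byte, which is why the fixed IV, not the cipher itself, is the weak point.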