CVE-2020-15931

HIGH

Netwrix Account Lockout Examiner < 5.1 - Exposure of Sensitive Information via Kerberos Pre-Authentication Event

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-15931. PoCs published by optiv.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2020-15931, which triggers a Kerberos Pre-Authentication Failed event to capture NTLMv1/v2 challenge-response of a domain administrator account in Netwrix Account Lockout Examiner 4.1.

Description

Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller.

Exploits (1)

nomisec WORKING POC 27 stars
by optiv · poc
https://github.com/optiv/CVE-2020-15931

This is a working proof-of-concept exploit for CVE-2020-15931, which triggers a Kerberos Pre-Authentication Failed event to capture NTLMv1/v2 challenge-response of a domain administrator account in Netwrix Account Lockout Examiner 4.1.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Netwrix Account Lockout Examiner 4.1
No auth needed
Prerequisites: Domain name · Domain controller IP · Valid username
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0373
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
netwrix/account_lockout_examiner < 5.1
Published Oct 20, 2020
Tracked Since Feb 18, 2026