Microsoft announced that it is seeing exploit of Zerologin being used in the wild. (Photo by Smith Collection/Gado/Getty Images)

Two days after bug hunters and threat intelligence analysts sounded the alarm over Zerologon, Microsoft said hacking groups are using the privilege escalation vulnerability against Windows server operating systems in the wild.

Analysts warned Tuesday that the exploit would likely show up in open source hacking tools and be used in attacks.

“Microsoft is actively tracking threat actor activity using exploits for [Zerologon]. We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft’s Security Intelligence branch announced Sept. 23 on Twitter while also publishing a related sample Indicator of Compromise.

SC Media has reached out to Microsoft for more details and will update this piece with any response.

While security practitioners are often inundated with bugs that need patching or fixing, there was reason to prioritize this particular weakness. Apart from being rated “critical,” multiple firms – including Secura, which first identified the vulnerability – have already developed proof of concept code. Security researchers were also able to easily add it to existing open source hacking tools and make modifications that made it cheaper and easier for malicious hackers to use against companies.

Civilian federal agencies were ordered to immediately patch their systems due to the public availability of the malicious code, the prevalence of such domain controllers across federal agencies (not to mention the private sector), the “high potential for compromise” and the “the grave impact of a successful compromise.”

All the analysis pointed to the same advice to security practitioners: don’t waste a lot of time trying to detect this flaw. Patch everything and patch it now.

“Due to the availability of exploit code and the high impact of successful exploitation, real world attacks are expected in the immediate future,” security firm eSentire warned its customers this week. “Successful exploitation could lead to elevated privileges (such as domain administrator), making this exploit highly valuable for adversaries with a foothold inside of networks.”