
New Windows Vulnerability aka Zombie Users

According to Kerberos researchers at Aorato, disabling an account in a Windows network does not take effect immediately.

In fact, due to design considerations, disabled accounts – and the same goes for deleted, expired and locked-out accounts – effectively remain valid for up to 10 hours after they have supposedly been revoked.

The consequence? Supposedly disabled accounts expose the corporation to advanced attackers seeking access to the corporate network. Unfortunately, traditional security measures, such as logs and SIEM products – which we rely on to alert on such misuse – lack the visibility needed to contain this type of threat.
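As an added illustration (not code from Aorato or from the original post), the following Python model shows both halves of the problem described above: a ticket issued before the account was disabled keeps working until it expires, and a detection that correlates the disable timestamp with later ticket activity closes the visibility gap that a state-only check leaves open. It assumes the Windows default maximum user-ticket lifetime of 10 hours and uses a constructed log format of its own; the user names and timestamps are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: the Windows default "Maximum lifetime for user ticket" (10 hours),
# which matches the window the post describes.
MAX_TGT_LIFETIME = timedelta(hours=10)


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    user: str
    kind: str  # "TGT_ISSUED", "SERVICE_TICKET" or "ACCOUNT_DISABLED"


def parse_event(line: str) -> AuthEvent:
    """Parse one line of the constructed format used here:
    '<ISO timestamp> user=<name> event=<kind>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.fromisoformat(ts), kv["user"], kv["event"])


def parse_log(text: str) -> List[AuthEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def ticket_still_honoured(issued_at: datetime, now: datetime,
                          disabled_at: Optional[datetime]) -> bool:
    """Model of the behaviour the post describes: once a ticket has been
    issued it is honoured until it expires; the account's disabled state is
    not consulted again, so disabled_at plays no part in the decision."""
    del disabled_at  # deliberately unused: the account state is not re-checked
    return issued_at <= now < issued_at + MAX_TGT_LIFETIME


def zombie_window(events: List[AuthEvent], user: str) -> Optional[Tuple[datetime, datetime]]:
    """Return (disabled_at, last_possible_use): the interval during which
    tickets issued before the account was disabled can still be used.
    None if the account was never disabled in this log."""
    disabled = sorted(e.when for e in events
                      if e.user == user and e.kind == "ACCOUNT_DISABLED")
    if not disabled:
        return None
    disabled_at = disabled[0]
    issued_before = [e.when for e in events
                     if e.user == user and e.kind == "TGT_ISSUED" and e.when < disabled_at]
    if not issued_before:
        return (disabled_at, disabled_at)  # nothing outstanding: no zombie window
    return (disabled_at, max(issued_before) + MAX_TGT_LIFETIME)


def zombie_activity(events: List[AuthEvent], user: str) -> List[AuthEvent]:
    """Detection: any ticket activity for `user` after the account was
    disabled. A check that only asks "is the account disabled?" misses this;
    correlating the disable timestamp with later events surfaces it."""
    window = zombie_window(events, user)
    if window is None:
        return []
    disabled_at, _ = window
    return [e for e in events
            if e.user == user and e.kind != "ACCOUNT_DISABLED" and e.when > disabled_at]


# Constructed sample log (not real data): jdoe obtains a TGT, is disabled
# at 09:30, and keeps using the TGT inside the 10-hour window.
SAMPLE_LOG = """\
2014-07-01T08:05:00 user=jdoe event=TGT_ISSUED
2014-07-01T09:00:00 user=jdoe event=SERVICE_TICKET
2014-07-01T09:30:00 user=jdoe event=ACCOUNT_DISABLED
2014-07-01T11:45:00 user=jdoe event=SERVICE_TICKET
2014-07-01T17:30:00 user=jdoe event=SERVICE_TICKET
2014-07-01T09:10:00 user=asmith event=TGT_ISSUED
"""
EVENTS = parse_log(SAMPLE_LOG)


if __name__ == "__main__":
    window = zombie_window(EVENTS, "jdoe")
    print("zombie window for jdoe:", window)
    for e in zombie_activity(EVENTS, "jdoe"):
        print("post-disable activity:", e.when.isoformat(), e.kind)
```

Running the block prints a zombie window running from the 09:30 disable until 18:05 (the 08:05 TGT plus 10 hours) and flags the two service-ticket requests made inside it; asmith, who was never disabled, produces no window and no alerts. The useful part for a defender is `zombie_activity`: it is the correlation (disable event, then later Kerberos activity by the same principal) that a SIEM needs in order to see this case at all.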

Aorato has dubbed these supposedly “dead” (i.e. deleted or disabled) users who are actually still very much alive “Zombie Users”.

According to Aorato, “Zombie Users” pose a very prevalent threat to the security of the enterprise. In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these departing employees must have their user accounts disabled, and therefore each of them is a potential Zombie User. Combining this statistic with the fact that 95% of Fortune 1000 companies use Windows-based networks yields a very ample attack surface for Zombie Users.

Read More at:

