The Department of Homeland Security is again is reiterating the severity of a vulnerability recently disclosed in Microsoft Windows Netlogon Remote Protocol that could let an attacker with network access completely compromise all Active Directory identity services.

The vulnerability, a privilege escalation flaw that received a 10 out of 10 score on the Common Vulnerability Scoring System (CVSS) v3.0 vulnerability severity scale, was first patched back in August but flew under the radar of many until last week, when Secura, a Dutch security firm, published a paper outlining the vulnerability. Exploit code for the flaw was posted online shortly thereafter.

On Friday, a week after Secura's disclosure, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies - if they haven't already - to update any Windows Servers with the domain controller role with the patch by 11:59 PM EDT tonight. If any controllers can’t be updated, CISA is asking admins to remove them from the network.

The agency is also asking federal agencies to make sure that mitigations are in place to ensure that domain controller servers are updated before connecting them to agency networks.

“In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed,” the agency writes, “These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

The second part of CISA's directive requires Department-level Chief Information Officers (CIOs) of agencies to submit a completion report acknowledging that the vulnerability has been patched. The report asks organizations how many Windows Servers with the Active Directory Domain Controller role the organization is currently overseeing, how many are patched, how many are removed from the network, and how many are unsupported, or end of life, but still on the network.

CISA also wants to make sure each organization has technical controls in place to ensure that any new or previously disconnected domain controllers have the August update before they’re connected again; it also wants to know if organizations ran into any issues patching the flaw.

It’s the fourth Emergency Directive issued by CISA since the agency’s inception and the third so far this year. The other two, for those keeping track, also involved vulnerabilities in Windows operating systems; one that addressed weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client and another that resolved a remote code execution vulnerability in how Windows Server runs the DNS Server role.