
Critical Security Flaw Discovered in Microsoft Protocol
A new report by Silverfort Inc. has unveiled a troubling denial-of-service vulnerability within Microsoft’s Netlogon protocol, known as NOTLogon. This flaw could allow low-privileged machines to remotely crash Windows domain controllers, consequently jeopardizing essential Active Directory services. The vulnerability, tracked as CVE-2025-47978, was addressed by Microsoft in its July 2025 Patch Tuesday update.
Understanding NOTLogon: How It Operates and Risks Involved
At the heart of the vulnerability is a flaw in handling the Network Ticket Logon, a feature introduced in late 2024. Specifically, Silverfort's researchers discovered that the NetrLogonSamLogonEx RPC call mishandles malformed inputs within the AdditionalTicket buffer of a Kerberos ticket logon structure. Even a malformed or empty ticket can crash the domain controller’s LSASS process, leading to extensive system reboots.
How Attackers Can Exploit NOTLogon
Though NOTLogon does not enable privilege elevation or credential theft, it poses a significant threat by facilitating denial-of-service attacks that can halt user logins and disrupt critical enterprise operations. Notably, attackers need not possess elevated permissions—merely basic network access along with a valid machine account suffices. In many Active Directory environments, such permissions are routinely granted to low-privileged users.
AI-Powered Discovery: The Future of Vulnerability Research
The methodology behind NOTLogon’s discovery is noteworthy in itself; artificial intelligence played a transformative role in identifying this security issue. Silverfort’s team utilized AI-assisted techniques involving large language models to analyze variations in Microsoft’s Netlogon specifications across different implementations. This innovative approach guided them to investigate the newly introduced ticket handling protocol, leading to the revelation that a malformed ticket could completely incapacitate the domain controller.
Taking Action: Mitigation Strategies for Organizations
In light of the serious implications posed by this vulnerability, Silverfort strongly advises organizations to promptly apply Microsoft’s July 2025 security update. Furthermore, businesses are urged to reassess their machine account policies, including restricting who can create accounts and segmenting network access more effectively to protect domain controllers from potential threats.
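The two policy checks above can be scripted. The following PowerShell is an added example (not code from the Silverfort report or from Microsoft) that reads the domain's machine account quota, lists computers created through that quota rather than by delegated administrators, and shows which updates each domain controller installed in July 2025; it assumes the RSAT ActiveDirectory module, read access to the domain, and remote WMI access to the domain controllers. The KB number for CVE-2025-47978 is not given in the article, so the script leaves it as a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example, not code from the Silverfort report or from Microsoft.
# Assumes the RSAT ActiveDirectory module, read access to the domain
# naming context, and remote WMI access to each domain controller.
Import-Module ActiveDirectory

function Test-MachineAccountQuota {
    # ms-DS-MachineAccountQuota (default 10) lets every authenticated user join
    # that many computers, i.e. obtain the kind of machine account NOTLogon needs.
    $dn    = (Get-ADDomain).DistinguishedName
    $quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($quota -gt 0) {
        Write-Warning "ms-DS-MachineAccountQuota = $quota: ordinary users can create machine accounts."
        # Remediation (run deliberately): set the quota to 0 and delegate
        # 'Create Computer objects' on the Computers OU to a specific group.
        # Set-ADObject -Identity $dn -Replace @{'ms-DS-MachineAccountQuota' = 0}
    } else {
        Write-Output "ms-DS-MachineAccountQuota is 0; creation is limited to delegated rights."
    }
}

function Get-QuotaCreatedComputers {
    # mS-DS-CreatorSID is stamped only on computers joined via the quota, so this
    # lists machine accounts that did not come through delegated administrators.
    Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                   else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; Created = $_.whenCreated }
        }
}

function Get-DCJulyUpdates {
    # Lists updates installed on each DC during July 2025. Compare HotFixID against
    # the KB named in Microsoft's advisory for CVE-2025-47978 (placeholder
    # <KB-FROM-ADVISORY>; the article does not state it).
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-HotFix -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
            Where-Object { $_.InstalledOn -ge [datetime]'2025-07-01' -and
                           $_.InstalledOn -lt [datetime]'2025-08-01' } |
            Select-Object @{n='DC'; e={ $dc.HostName }}, HotFixID, InstalledOn
    }
}

Test-MachineAccountQuota
Get-QuotaCreatedComputers | Format-Table -AutoSize
Get-DCJulyUpdates        | Format-Table -AutoSize
```

A domain controller that shows no July 2025 entries, or entries without the advisory's KB, has not received the fix and remains exposed to the crash described above.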
As businesses increasingly rely on digital infrastructure, understanding and managing these vulnerabilities will be crucial. By embracing proactive security measures and integrating AI tools into their systems, organizations can not only mitigate risks but also enhance their overall cybersecurity posture.