July Patch Tuesday: 14 critical Microsoft vulnerabilities, one SAP hole rated at 10 in severity

NOTLogon vulnerability

Microsoft has released a patch for CVE-2025-47978, a denial-of-service (DoS) vulnerability in the Netlogon protocol, a fundamental component of all Windows domain controllers. The vulnerability, named NOTLogon by Dor Segal, a senior security researcher at Silverfort, allows any domain-joined machine with minimal privileges to send a specially crafted authentication request that crashes the domain controller and forces a complete reboot. It has been assigned a CVSS score of 6.5, indicating a moderate level of risk.

Segal emphasized the potential dangers posed by low-privilege machines in a recent blog post. “Even low-privilege machines with basic network access can pose major risks if left unchecked,” he noted. “This vulnerability illustrates how a valid machine account, coupled with a crafted RPC message, can incapacitate a domain controller—the very backbone of Active Directory operations, including authentication, authorization, and policy enforcement. If multiple domain controllers are compromised, the repercussions could halt business operations entirely. NOTLogon serves as a crucial reminder that new features in protocols, particularly within privileged authentication services, can unexpectedly become attack vectors. Ensuring security extends beyond merely applying patches; it necessitates a thorough examination of the foundational systems we depend on daily.”

Separately, Tenable’s Satnam Narang, a senior staff research engineer, urged Chief Security Officers (CSOs) to prioritize remediation of the recently disclosed vulnerabilities in Citrix NetScaler, specifically CVE-2025-5777, commonly referred to as CitrixBleed 2. “It bears a striking resemblance to the original CitrixBleed,” he remarked in an email to CSO, “where attackers can pilfer session tokens from NetScaler systems and exploit them to gain unauthorized access to networks, even in instances where patches have been applied.” Narang noted that reports of CitrixBleed 2 exploitation date back to mid-June, prompting organizations that use NetScaler to review logs closely for rapid sequences of suspicious requests and known indicators of compromise. Most critically, he advised invalidating session tokens to thwart any follow-on activity.
