Domain Controller Archives

Winsage

August 14, 2025

Microsoft fixes Windows 11 24H2 updates failing with 0x80240069 error

Microsoft resolved an issue affecting the delivery of the August 2025 Windows 11 24H2 cumulative update (KB5063878) via Windows Server Update Services (WSUS), which resulted in error code 0x80240069 during installation. This problem was acknowledged by Microsoft after reports from Windows administrators about the update service terminating unexpectedly. The company indicated that the issue primarily impacts enterprise environments using WSUS, while home users are unlikely to experience it. An automatic solution through Known Issue Rollback (KIR) has been initiated for affected enterprise-managed devices, requiring administrators to install the KIR Group Policy and restart the devices. Users can also manually install the update through Windows Update or the Microsoft Update Catalog. Similar issues had been reported previously, with a comparable problem addressed in May for Windows 11 22H2/23H2 systems.

Winsage

August 11, 2025

‘Win-DDoS’: Researchers unveil botnet technique exploiting Windows domain controllers

SafeBreach researchers have identified several vulnerabilities in Windows environments that could lead to denial of service (DoS) attacks. These include: 1. CVE-2025-26673: A flaw in the Netlogon service that allows remote crashes via crafted Remote Procedure Call (RPC) requests without authentication, potentially locking users out of domain resources until a reboot. 2. CVE-2025-49716: A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) that enables remote attackers to destabilize the service through specially crafted Lightweight Directory Access Protocol (LDAP) queries, causing immediate DoS. 3. CVE-2025-49722: A DoS vulnerability in the Windows Print Spooler that can be triggered by malformed RPC requests, disrupting printing operations and system stability. Microsoft has addressed some vulnerabilities but has not yet resolved the three identified by SafeBreach, and there has been no response to inquiries about these issues. SafeBreach recommends organizations apply the latest patches, limit exposure of Domain Controller services, segment critical systems, and monitor for unusual LDAP or RPC traffic for early attack detection.

Winsage

August 11, 2025

Silent Cyber Weapon Discovered: Hackers Can Now Turn Your Windows Server into a DDoS Weapon

A new attack method called Win-DDoS can turn publicly accessible Windows domain controllers into a botnet for distributed denial-of-service (DDoS) attacks, as presented by SafeBreach researchers at DEF CON 33. This method exploits vulnerabilities in Windows' Lightweight Directory Access Protocol (LDAP) client code, allowing attackers to redirect traffic from compromised domain controllers to a target server without needing malicious code or stolen credentials. The attack involves initiating an RPC request to the DCs, connecting them to the attacker's CLDAP server, and receiving a referral list that directs traffic to a single IP and port, overwhelming the victim's resources. Microsoft has issued patches for four related vulnerabilities: CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722, which can allow unauthenticated attackers to crash domain controllers or disrupt internal systems. SafeBreach warns that enterprise security models often underestimate the risks of denial-of-service attacks on internal infrastructure. Organizations are urged to audit domain controller exposure, apply security patches, and reassess the safety of their internal networks.

Winsage

August 11, 2025

Win-DoS Epidemic: New DoS and DDoS Attacks Start with Microsoft Windows

During DEF CON 33, Yair and Shahak Morag from SafeBreach Labs introduced a new category of denial-of-service (DoS) attacks called the “Win-DoS Epidemic.” They identified four significant Windows DoS vulnerabilities, all categorized as “uncontrolled resource consumption,” including: - CVE-2025-26673 (CVSS 7.5): High-severity DoS vulnerability in Windows LDAP. - CVE-2025-32724 (CVSS 7.5): High-severity DoS vulnerability in Windows LSASS. - CVE-2025-49716 (CVSS 7.5): High-severity DoS vulnerability in Windows Netlogon. - CVE-2025-49722 (CVSS 5.7): Medium-severity DoS vulnerability in the Windows print spooler, requiring an authenticated attacker on an adjacent network. These vulnerabilities can incapacitate Windows endpoints and servers, including domain controllers (DCs), which are essential for managing authentication and resources in enterprise networks. The researchers also revealed a new DDoS attack method, termed Win-DDoS, which exploits a flaw in the Windows LDAP client referral process, allowing attackers to redirect DCs to a victim server and continuously repeat this redirection, creating a large-scale DDoS botnet using public DCs without leaving forensic traces.

Winsage

July 17, 2025

Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation

A design flaw in Microsoft’s Windows Server 2025, known as “Golden dMSA,” allows attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks. This vulnerability exploits a weakness in delegated Managed Service Accounts (dMSAs), reducing cryptographic protections to a brute-force attack requiring only 1,024 attempts. Discovered by Semperis Security Researcher Adi Malyanker, the attack involves extracting cryptographic material from the Key Distribution Services (KDS) root key, enumerating dMSA accounts, guessing ManagedPasswordId attributes, and generating passwords. The KDS root keys do not expire, potentially granting indefinite access. The vulnerability is classified as moderate risk, requiring possession of a KDS root key, accessible only to privileged accounts. Detection of the attack is challenging, as no security events are logged by default when KDS root keys are compromised. Microsoft acknowledged the vulnerability on May 27, 2025, and stated that the features were not intended to protect against domain controller compromises.

Winsage

July 9, 2025

July Patch Tuesday: 14 critical Microsoft vulnerabilities, one SAP hole rated at 10 in severity

Microsoft has released a patch for CVE-2025-47978, a denial-of-service vulnerability in the Netlogon protocol, which affects Windows domain controllers. Named NOTLogon, this vulnerability allows low-privilege domain-joined machines to crash the domain controller with a crafted authentication request, leading to a complete reboot. It has a CVSS score of 6.5. Security researcher Dor Segal warned that such vulnerabilities can severely disrupt Active Directory operations. Additionally, Tenable's Satnam Narang urged CSOs to address CVE-2025-5777, known as CitrixBleed 2, which allows attackers to steal session tokens from Citrix NetScaler systems, potentially granting unauthorized network access even after patches are applied. Organizations are advised to review logs for suspicious activity and invalidate session tokens to prevent further exploitation.

Winsage

July 8, 2025

Silverfort uncovers critical Netlogon flaw affecting Windows domain controllers

A vulnerability identified as “NOTLogon” (CVE-2025-47978) has been discovered in Microsoft Corp.'s Netlogon protocol, allowing low-privilege machines to remotely crash Windows domain controllers, disrupting Active Directory services. This flaw arises from issues in the Network Ticket Logon feature introduced in late 2024, specifically in the NetrLogonSamLogonEx RPC call processing malformed inputs in the AdditionalTicket buffer. An empty or improperly formatted ticket can crash the domain controller’s LSASS process, leading to a system reboot. The vulnerability does not grant elevated privileges or allow credential theft but can cause denial-of-service attacks that halt user logins and restrict access to enterprise systems. The discovery utilized AI-assisted techniques to analyze differences in Netlogon specifications. Organizations are advised to apply the July 2025 security update, audit machine account usage, restrict machine account creation, and segment network access to protect domain controllers.

Winsage

June 12, 2025

Microsoft Patched Windows Server 2025 Restart Bug that Disconnects AD Domain Controller

Microsoft has released a patch, KB5060842, on June 10, 2025, to address a vulnerability in Windows Server 2025 that affected Active Directory Domain Controllers' ability to manage network traffic after system restarts. This issue stemmed from the improper initialization of domain firewall profiles during startup, leading to service interruptions and authentication failures. The patch corrects the initialization sequence of these profiles, ensuring proper network traffic management post-restart. Organizations using Windows Server 2025 are advised to implement this update to maintain the reliability of their Active Directory services.

Winsage

June 11, 2025

Microsoft fixes unreachable Windows Server domain controllers

Microsoft addressed a significant issue with Windows Server 2025 domain controllers that made some servers unreachable after a restart, affecting applications and services reliant on them. The problem was due to servers loading the standard firewall profile instead of the intended domain firewall profile after a reboot, leading to improper network traffic management. This misconfiguration caused accessibility challenges for services and applications on affected servers. Microsoft released the KB5060842 security update to resolve this issue during the June 2025 Patch Tuesday. A temporary workaround involves manually restarting the network adapter on affected servers using the Restart-NetAdapter * PowerShell command, which must be done after each reboot until the update is installed. Additionally, Microsoft fixed another issue preventing some users from logging into accounts via Windows Hello after the installation of the KB5055523 April 2025 security update.

Winsage

May 29, 2025

Securing Windows Endpoints in 2025 Enterprise Environments

In 2025, 61% of organizations worldwide have adopted Zero Trust initiatives, up from 24% in 2021. Microsoft's Zero Trust framework centralizes security policy enforcement through the cloud, with integrated solutions like Microsoft Defender for Endpoint. AI is now a critical component of endpoint security, enabling systems to detect irregularities and autonomously isolate compromised devices. Microsoft introduced Quick Machine Recovery (QMR) to allow IT administrators to fix unbootable PCs remotely. Windows Server 2025 features enhanced security measures, including advanced algorithms and a customized security baseline with over 350 preconfigured settings. Additionally, 75% of organizations are consolidating security vendors, favoring comprehensive platforms like SentinelOne Singularity and Microsoft Defender XDR. Windows Defender Application Control (WDAC) has been enhanced to better regulate application usage, with Microsoft promoting its adoption over AppLocker.