Domain Controller Archives

Winsage

April 20, 2026

Emergency Update for Windows Server Following Reboot Issues

Microsoft has released emergency updates for various versions of Windows Server due to issues arising from the April 2026 Patch Tuesday security updates. A significant problem was a reboot loop affecting domain controllers caused by crashes of the Local Security Authority Subsystem Service (LSASS), which disrupted authentication services. This issue was especially problematic during the setup of new domain controllers. Additionally, some Windows Server 2025 systems encountered difficulties in installing the security update KB5082063. The out-of-band update (KB5091157) for Windows Server 2025 addresses both the installation failure and the domain controller restart issue. Other updates targeting the domain controller restart problem were released for additional supported Windows Server versions. Microsoft has introduced an out-of-band update for seven versions, including KB5091157 for Windows Server 2025 and KB5091571 for Windows Server, version 23H2. Furthermore, some Windows Server 2025 devices may boot into BitLocker recovery mode after the update, requiring users to enter a BitLocker recovery key.

Winsage

April 20, 2026

Microsoft releases emergency updates to fix Windows Server issues

Microsoft has confirmed that some administrators are experiencing difficulties installing the KB5082063 security update on Windows Server 2025. This month's Patch Tuesday updates have caused certain Windows servers, especially those with domain controller roles, to enter a restart loop due to failures in the Local Security Authority Subsystem Service (LSASS). Microsoft has released emergency out-of-band updates, including KB5091157 for Windows Server 2025, to address both the installation failure and the restart issues. Additionally, some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update. A bug affecting Windows Server 2019 and Windows Server 2022 that caused unexpected upgrades to Windows Server 2025 has also been resolved. Microsoft has issued various emergency updates throughout the year to address other issues, including a Bluetooth device visibility bug and vulnerabilities in the Routing and Remote Access Service (RRAS).

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.

Winsage

April 3, 2026

Man admits to locking thousands of Windows devices in extortion plot

A former core infrastructure engineer, Daniel Rhyne, admitted to locking Windows administrators out of 254 servers during an extortion attempt against his employer in Somerset County, New Jersey. Rhyne accessed the company's network without authorization from November 9 to November 25, deleting network admin accounts and altering passwords for 13 domain admin accounts and 301 domain user accounts to "TheFr0zenCrew!". He also scheduled tasks to modify passwords for two local admin accounts affecting 3,284 workstations and planned to shut down random servers and workstations in December 2023. On November 25, he sent a ransom email demanding 20 bitcoin, claiming IT administrators were locked out and server backups erased. Forensic investigators found he used a concealed virtual machine to plan his actions. Rhyne was arrested on August 27 and faces charges related to hacking and extortion, with a potential maximum sentence of 15 years in prison.

Winsage

August 14, 2025

Microsoft fixes Windows 11 24H2 updates failing with 0x80240069 error

Microsoft resolved an issue affecting the delivery of the August 2025 Windows 11 24H2 cumulative update (KB5063878) via Windows Server Update Services (WSUS), which resulted in error code 0x80240069 during installation. This problem was acknowledged by Microsoft after reports from Windows administrators about the update service terminating unexpectedly. The company indicated that the issue primarily impacts enterprise environments using WSUS, while home users are unlikely to experience it. An automatic solution through Known Issue Rollback (KIR) has been initiated for affected enterprise-managed devices, requiring administrators to install the KIR Group Policy and restart the devices. Users can also manually install the update through Windows Update or the Microsoft Update Catalog. Similar issues had been reported previously, with a comparable problem addressed in May for Windows 11 22H2/23H2 systems.

Winsage

August 11, 2025

‘Win-DDoS’: Researchers unveil botnet technique exploiting Windows domain controllers

SafeBreach researchers have identified several vulnerabilities in Windows environments that could lead to denial of service (DoS) attacks. These include: 1. CVE-2025-26673: A flaw in the Netlogon service that allows remote crashes via crafted Remote Procedure Call (RPC) requests without authentication, potentially locking users out of domain resources until a reboot. 2. CVE-2025-49716: A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) that enables remote attackers to destabilize the service through specially crafted Lightweight Directory Access Protocol (LDAP) queries, causing immediate DoS. 3. CVE-2025-49722: A DoS vulnerability in the Windows Print Spooler that can be triggered by malformed RPC requests, disrupting printing operations and system stability. Microsoft has addressed some vulnerabilities but has not yet resolved the three identified by SafeBreach, and there has been no response to inquiries about these issues. SafeBreach recommends organizations apply the latest patches, limit exposure of Domain Controller services, segment critical systems, and monitor for unusual LDAP or RPC traffic for early attack detection.

Winsage

August 11, 2025

Silent Cyber Weapon Discovered: Hackers Can Now Turn Your Windows Server into a DDoS Weapon

A new attack method called Win-DDoS can turn publicly accessible Windows domain controllers into a botnet for distributed denial-of-service (DDoS) attacks, as presented by SafeBreach researchers at DEF CON 33. This method exploits vulnerabilities in Windows' Lightweight Directory Access Protocol (LDAP) client code, allowing attackers to redirect traffic from compromised domain controllers to a target server without needing malicious code or stolen credentials. The attack involves initiating an RPC request to the DCs, connecting them to the attacker's CLDAP server, and receiving a referral list that directs traffic to a single IP and port, overwhelming the victim's resources. Microsoft has issued patches for four related vulnerabilities: CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722, which can allow unauthenticated attackers to crash domain controllers or disrupt internal systems. SafeBreach warns that enterprise security models often underestimate the risks of denial-of-service attacks on internal infrastructure. Organizations are urged to audit domain controller exposure, apply security patches, and reassess the safety of their internal networks.

Winsage

August 11, 2025

Win-DoS Epidemic: New DoS and DDoS Attacks Start with Microsoft Windows

During DEF CON 33, Yair and Shahak Morag from SafeBreach Labs introduced a new category of denial-of-service (DoS) attacks called the “Win-DoS Epidemic.” They identified four significant Windows DoS vulnerabilities, all categorized as “uncontrolled resource consumption,” including: - CVE-2025-26673 (CVSS 7.5): High-severity DoS vulnerability in Windows LDAP. - CVE-2025-32724 (CVSS 7.5): High-severity DoS vulnerability in Windows LSASS. - CVE-2025-49716 (CVSS 7.5): High-severity DoS vulnerability in Windows Netlogon. - CVE-2025-49722 (CVSS 5.7): Medium-severity DoS vulnerability in the Windows print spooler, requiring an authenticated attacker on an adjacent network. These vulnerabilities can incapacitate Windows endpoints and servers, including domain controllers (DCs), which are essential for managing authentication and resources in enterprise networks. The researchers also revealed a new DDoS attack method, termed Win-DDoS, which exploits a flaw in the Windows LDAP client referral process, allowing attackers to redirect DCs to a victim server and continuously repeat this redirection, creating a large-scale DDoS botnet using public DCs without leaving forensic traces.

Winsage

July 17, 2025

Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation

A design flaw in Microsoft’s Windows Server 2025, known as “Golden dMSA,” allows attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks. This vulnerability exploits a weakness in delegated Managed Service Accounts (dMSAs), reducing cryptographic protections to a brute-force attack requiring only 1,024 attempts. Discovered by Semperis Security Researcher Adi Malyanker, the attack involves extracting cryptographic material from the Key Distribution Services (KDS) root key, enumerating dMSA accounts, guessing ManagedPasswordId attributes, and generating passwords. The KDS root keys do not expire, potentially granting indefinite access. The vulnerability is classified as moderate risk, requiring possession of a KDS root key, accessible only to privileged accounts. Detection of the attack is challenging, as no security events are logged by default when KDS root keys are compromised. Microsoft acknowledged the vulnerability on May 27, 2025, and stated that the features were not intended to protect against domain controller compromises.

Winsage

July 9, 2025

July Patch Tuesday: 14 critical Microsoft vulnerabilities, one SAP hole rated at 10 in severity

Microsoft has released a patch for CVE-2025-47978, a denial-of-service vulnerability in the Netlogon protocol, which affects Windows domain controllers. Named NOTLogon, this vulnerability allows low-privilege domain-joined machines to crash the domain controller with a crafted authentication request, leading to a complete reboot. It has a CVSS score of 6.5. Security researcher Dor Segal warned that such vulnerabilities can severely disrupt Active Directory operations. Additionally, Tenable's Satnam Narang urged CSOs to address CVE-2025-5777, known as CitrixBleed 2, which allows attackers to steal session tokens from Citrix NetScaler systems, potentially granting unauthorized network access even after patches are applied. Organizations are advised to review logs for suspicious activity and invalidate session tokens to prevent further exploitation.