Silverfort uncovers critical Netlogon flaw affecting Windows domain controllers

A recent report from Silverfort Inc., a company specializing in unified identity security, has unveiled a significant denial-of-service vulnerability within Microsoft Corp.’s Netlogon protocol. This flaw, identified as “NOTLogon” and assigned the identifier CVE-2025-47978, poses a risk of allowing low-privilege machines to remotely crash Windows domain controllers, thereby disrupting essential Active Directory services.

Details of the Vulnerability

Netlogon plays a crucial role in Windows domain-based networks, facilitating secure channel authentication and pass-through credential validation. The vulnerability stems from issues in a newly introduced authentication feature known as Network Ticket Logon, which was rolled out in late 2024. Specifically, the problem lies in the way the NetrLogonSamLogonEx RPC call processes malformed inputs within the AdditionalTicket buffer of a Kerberos ticket logon structure. Silverfort’s research indicates that an empty or improperly formatted ticket can lead to a crash of the domain controller’s LSASS process, resulting in a complete system reboot.

While NOTLogon does not enable attackers to gain elevated privileges or steal credentials, it can facilitate a highly disruptive denial-of-service attack by targeting a fundamental security process. This could halt user logins, impede policy enforcement, and restrict access to critical enterprise systems. Notably, the attack requires no elevated permissions—only basic network access and a valid machine account, which many low-privileged users can create by default in Active Directory environments.

Discovery Through AI Innovation

The method of discovery for this vulnerability is particularly intriguing, as it involved the use of artificial intelligence. Silverfort’s researchers employed a novel AI-assisted technique that utilized large language models to analyze differences between older and newer versions of Microsoft’s Netlogon specifications. This innovative approach led them to scrutinize the new ticket-handling flow, ultimately revealing that passing a malformed ticket to a domain controller could result in a complete crash.

To address this security threat, Silverfort strongly recommends that organizations apply the July 2025 security update from Microsoft if they have not already done so. Furthermore, enterprises are advised to audit their machine account usage, restrict the ability to create machine accounts, and segment network access to safeguard domain controllers from potentially compromised workstations.
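One way to carry out the machine-account audit and restriction the paragraph above recommends. This is an added PowerShell example, not code from Silverfort or Microsoft; it assumes the RSAT ActiveDirectory module is available and that the caller can read the domain (the quota change itself needs Domain Admin rights and is left in preview mode). The update check deliberately filters by install date because the page does not name the KB number.

```powershell
# Added example (not from the Silverfort report): audit who may create machine
# accounts, list computer objects created by ordinary users, and preview
# closing the quota. Assumes RSAT ActiveDirectory module; run from a
# management host.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. How many machine accounts may any authenticated user create? The AD
#    default is 10, which is what lets low-privileged users obtain a machine
#    account at all.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) {
    Write-Warning "Any authenticated user can create up to $quota machine accounts."
}

# 2. Computer objects created under that quota carry mS-DS-CreatorSID, which
#    records the creating user; objects joined by delegated admins do not.
$createdByUsers = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' `
    -Properties mS-DS-CreatorSID, whenCreated, lastLogonDate |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may have been deleted
        [pscustomobject]@{
            Computer      = $_.Name
            CreatedBy     = $creator
            WhenCreated   = $_.whenCreated
            LastLogonDate = $_.lastLogonDate
        }
    }
$createdByUsers | Sort-Object CreatedBy, WhenCreated | Format-Table -AutoSize

# 3. Restrict creation: a quota of 0 means only explicitly delegated accounts
#    can join machines. -WhatIf previews the change; remove it after review.
Set-ADDomain -Identity $domain -Replace @{'ms-DS-MachineAccountQuota' = '0'} -WhatIf

# 4. Confirm a July 2025 (or later) update is installed; run this on each
#    domain controller. The specific KB is not stated in the article, so the
#    check is by install date only.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2025-07-01' } |
    Sort-Object InstalledOn | Format-Table HotFixID, InstalledOn -AutoSize
```

Stale or unexpected entries in the CreatedBy list are the accounts to review or remove; with the quota at 0, future joins must go through a delegated account, which is what the segmentation advice above assumes.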

Winsage