A new report out today from unified identity security company Silverfort Inc. details a previously undisclosed denial-of-service vulnerability in Microsoft Corp.’s Netlogon protocol that could allow low-privilege machines to crash Windows domain controllers remotely, disrupting core Active Directory services.
The vulnerability, dubbed “NOTLogon,” has been assigned CVE-2025-47978 and was patched by Microsoft in its July 8 Patch Tuesday update.
Netlogon is a central component of Windows domain-based networks that is responsible for handling secure channel authentication and pass-through credential validation. The vulnerability comes about from flaws in the handling of a new authentication feature called Network Ticket Logon that was introduced in late 2024.
The vulnerability specifically arises from how the NetrLogonSamLogonEx RPC call processes malformed inputs in the AdditionalTicket buffer of a Kerberos ticket logon structure. Silverfort researchers found that an empty or malformed ticket can cause the domain controller’s LSASS process to crash, triggering a full system reboot.
NOTLogon does not allow attackers to elevate privileges or steal credentials, but instead can be used to deliver a highly disruptive denial-of-service attack by targeting a core security process, halting user logins, policy enforcement and access to critical enterprise systems. According to Silverfort, the attack requires no elevated permissions — only basic network access and a valid machine account, which many low-privileged users are allowed to create by default in Active Directory environments.
How the vulnerability was discovered could perhaps even be worthy of an article by itself: artificial intelligence. The researchers discovered NOTLogon by a novel AI-assisted method that involved using large language models to compare differences between older and newer versions of Microsoft’s Netlogon specifications and implementation changes. The AI then led the researchers to investigate the new ticket-handling flow, with experiments subsequently revealing that passing a malformed ticket to a domain controller could crash it entirely.
To mitigate the threat, Silverfort is urging organizations to immediately apply the July 2025 security update from Microsoft if they haven’t done so already. Additionally, enterprises are being advised to audit machine account usage, limit who can create machine accounts and segment network access to protect domain controllers from potentially compromised workstations.
Image: News/Reve
Support our open free content by sharing and engaging with our content and community.
Join theCUBE Alumni Trust Network
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
11.4k+
CUBE Alumni Network
C-level and Technical
Domain Experts
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.
News Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of News, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — News Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, News Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
