Netlogon DoS in active directory: are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A denial-of-service flaw in Microsoft’s Netlogon protocol lets a low-privileged, domain-joined machine crash a domain controller through a malformed authentication request, disrupting logins, policy application, and other AD-dependent services, according to Silverfort. The issue shows that availability failures in core identity services can become enterprise-wide outages when machine-account trust and protocol validation are weak.

NHIMG editorial — based on content published by Silverfort: the Netlogon denial-of-service vulnerability in Microsoft Active Directory

Questions worth separating out

Q: What breaks when a low-privileged machine account can reach Netlogon?

A: A low-privileged machine account can become a path into a privileged authentication service.

Q: Why do domain controller vulnerabilities create broader identity risk than server bugs?

A: Domain controllers sit on the critical path for authentication, authorisation, and policy enforcement.

Q: How do security teams reduce the blast radius of machine-account abuse?

A: They narrow who can create or use machine accounts, segment traffic to domain controllers, and monitor RPC activity that should never originate from ordinary endpoints.

Practitioner guidance

  • Patch all domain controllers immediately: deploy the July 8, 2025 update that addresses CVE-2025-47978 across every domain controller, then verify that the fix is present in all sites and recovery clusters.
  • Restrict machine-account creation: reduce or remove default permissions that let ordinary users create machine accounts, and review every delegated path that can bind a low-privilege identity to Netlogon.
  • Limit Netlogon reachability: segment domain controllers so only required systems can initiate Netlogon RPC flows, and log any unexpected source that attempts authentication broker traffic.
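The three controls above are things a directory team can check rather than just intend. The following PowerShell audit is an added example (not Silverfort's or NHIMG's code) that reports on each of them from a Windows host with the ActiveDirectory RSAT module: the domain-wide machine-account quota, the principals delegated "Create Computer objects" on the Computers container, the patch state of every domain controller, and a previewed firewall scope rule for the Netlogon service. The KB identifier (`$KbId`) and the allowed subnets (`$AllowedSubnets`) are placeholders, since the page does not give them; the function names are this example's own.

```powershell
# Added example (not Silverfort's or NHIMG's code): audit the three controls from the
# guidance above. Requires the ActiveDirectory RSAT module, read access to the domain
# naming context, and WMI access to the domain controllers.
# $KbId and $AllowedSubnets are placeholders (assumptions), not values from the page.
Import-Module ActiveDirectory

$KbId           = 'KBXXXXXXX'                        # placeholder: KB of the July 8, 2025 fix for CVE-2025-47978
$AllowedSubnets = @('10.0.10.0/24', '10.0.20.0/24')  # placeholder: subnets permitted to reach Netlogon

# 1. Machine-account creation. ms-DS-MachineAccountQuota (default 10) lets any
#    authenticated user join machines; 0 leaves only explicitly delegated principals.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

# 2. Delegated "Create Computer objects" rights on the default Computers container.
#    The computer class GUID is read from the schema rather than hard-coded.
function Get-ComputerCreateRights {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid = [guid]::new([byte[]]$cls.schemaIDGUID)
    $container = (Get-ADDomain).ComputersContainer
    (Get-Acl -Path "AD:\$container").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# 3. Patch presence on every DC, including those in remote sites and recovery clusters.
#    An unreachable DC is reported as not verified rather than silently skipped.
function Test-DcPatchState {
    param([string]$Kb = $KbId)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $present = $false
        try {
            $present = [bool](Get-HotFix -Id $Kb -ComputerName $dc.HostName -ErrorAction Stop)
        } catch { $present = $false }
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Patched = $present }
    }
}

# 4. Reachability. Preview (-WhatIf) an inbound rule on this DC that allows the Netlogon
#    service only from the reviewed subnets; drop -WhatIf once the list is confirmed.
function New-NetlogonScopeRule {
    param([string[]]$RemoteAddress = $AllowedSubnets)
    New-NetFirewallRule -DisplayName 'Netlogon - allowed sources only' -Direction Inbound `
        -Service netlogon -RemoteAddress $RemoteAddress -Action Allow -Profile Domain -WhatIf
}

# Run the audit and print the findings.
"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)  (0 removes the default user right)"
"Principals that can create computer objects in $((Get-ADDomain).ComputersContainer):"
Get-ComputerCreateRights | Format-Table -AutoSize
"Domain controllers reporting $KbId installed:"
Test-DcPatchState | Format-Table -AutoSize
New-NetlogonScopeRule
```

The firewall rule is scoped by service rather than port because Netlogon RPC is reached through the endpoint mapper on a dynamic port; run the script on each domain controller (or wrap the rule function in Invoke-Command) so the scope applies everywhere, and treat any DC that reports Patched = False as unverified until it is checked by hand.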

What's in the full article

Silverfort's full analysis covers the protocol-level detail this post intentionally leaves for the source:

  • The exact Netlogon request structure used to trigger the failure path in LSASS.
  • The MS-NRPC fields and buffer-handling ambiguity that made the crash reachable.
  • The patch reference for CVE-2025-47978 and the deployment context for domain controllers.
  • The author’s broader research workflow, including how LLMs were used to surface the flaw.

Read Silverfort's analysis of the Netlogon DoS vulnerability in Active Directory for the protocol-level detail.
