KB5066014—Netlogon RPC Hardening (CVE-2025-49716)
CVE-2025-49716 addresses a Denial-of-Service vulnerability where remote unauthenticated users could make a series of Netlogon-based Remote Procedure Calls (RPC) that eventually consume all memory on a Domain Controller (DC).
KB5021130: How to manage the Netlogon protocol changes related to CVE ...
The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains. This update protects Windows devices from CVE-2022-38023 by default.
How to manage the changes in Netlogon secure channel connections ...
To provide AD forest protection, all DCs must be updated since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODC). To learn more about the vulnerability, see CVE-2020-1472.
KB5020276—Netjoin: Domain join hardening changes - Microsoft Support
Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.
NetLogon 3210 events are logged after MSA renews it password in Windows ...
Fixes a problem that generates NetLogon 3210 events. Occurs after the Managed Service Account (MSA) renews its password in Windows 7 SP1 and Windows Server 2008 R2 SP1.
July 8, 2025—KB5062572 (OS Build 20348.3932) - Microsoft Support
[Microsoft RPC Netlogon protocol] This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests.
NetLogon 3210 events are logged after MSA renews its password in ...
Fixes an issue in which NetLogon 3210 events are generated after the MSA renews its password in Windows Server 2012 R2.
You are intermittently prompted for credentials or experience time-outs ...
To resolve the issue, use one or more of the following methods: Install the following hotfix, and then follow the steps that are described in the "Registry information" section.
MS15-071: Vulnerability in Netlogon could allow elevation of privilege ...
This security update resolves a vulnerability in Windows that could allow elevation of privilege if an attacker who has access to a primary domain controller (PDC) on a target network runs a specially crafted application to establish a secure channel to the PDC as a backup domain controller (BDC).
Script to help in monitoring event IDs related to changes in Netlogon ...
To do this, open Event Viewer by selecting Start, type event viewer and select it. Once Event Viewer opens, expand Windows Logs, right click or long press on System and select Save All Events As... and save the file somewhere to allow processing of the file. The script can process more than one EVTX file at a time if you would like.