Original publish date: August 13, 2025

KB ID: 5066014

Summary

CVE-2025-49716 addresses a Denial-of-Service vulnerability where remote unauthenticated users could make a series of Netlogon-based Remote Procedure Calls (RPC) that eventually consume all memory on a Domain Controller (DC). To mitigate this vulnerability, a code change was made in the May 2025 Windows Security Update for Windows Server 2025, and in the July 2025 Windows Security Updates for all other Server platforms from Windows Server 2008 SP2 to Windows Server 2022, inclusive. This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location.

After this change, some file & print service software can be affected, including Samba. Samba has released an update to accommodate this change. See Samba 4.22.3 - Release Notes for more information.

To accommodate scenarios where affected third-party software cannot be updated, we released additional configuration capability in the August 2025 Windows Security Update. This change implements a registry key-based toggle between the default Enforcement Mode, an Audit Mode that will log the calls that would be blocked but will not block unauthenticated Netlogon RPC calls, and a Disabled Mode (not recommended).

Take action

To protect your environment and avoid outages, first update all devices that host the Active Directory domain controller or LDS Server role by installing the latest Windows updates. DCs that have the July 8, 2025 or later Windows Security Updates (or Windows Server 2025 DCs with May updates) are secure-by-default and do not accept unauthenticated Netlogon-based RPC calls by default. DCs that have the August 12, 2025 or later Windows Security Updates do not accept unauthenticated Netlogon-based RPC calls by default, but can be configured to do so temporarily.

  1. Monitor your environment for access issues. If encountered, confirm if the Netlogon RPC hardening changes are the root cause.

    1. If only July updates are installed, enable verbose Netlogon logging using the command "Nltest.exe /dbflag:0x2080ffff" and then monitor the resulting logs for entries resembling the following line. The OpNum and Method fields may vary, and represent the operation and RPC method that was blocked:

      06/23 10:50:39 [CRITICAL] [5812] NlRpcSecurityCallback: rejecting an unauthorized RPC call from [IPAddr] OpNum:34 Method:DsrGetDcNameEx2

    2. If August or later Windows updates are installed, look for Security-Netlogon Event 9015 on your DCs to determine what RPC calls are being rejected. If these calls are critical, you can put the DC in Audit Mode or Disabled Mode temporarily while you troubleshoot.

    3. Make changes such that the app is using authenticated Netlogon RPC calls or contact your software vendor for further information.

  2. If you put DCs in Audit Mode, monitor for Security-Netlogon Event 9016 to determine what RPC calls would be rejected if you turned on Enforcement Mode. Then make changes such that the app is using authenticated Netlogon RPC calls or contact your software vendor for further information.

Note: On Windows 2008 SP2 and Windows 2008 R2 servers, these events will be seen in the System event logs as Netlogon Events 5844 and 5845, respectively, for Enforcement Mode and Audit Mode.
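The following PowerShell is an added example, not part of this article: it tallies the NlRpcSecurityCallback rejections from a verbose Netlogon log (July-only DCs) by client and method, and pulls events 9015/9016 (or 5844/5845 on Windows Server 2008 SP2 / 2008 R2) from DCs with the August update. The sample log lines are constructed; the log path and event log name are those given in this article.

```powershell
# Constructed sample lines standing in for %windir%\debug\netlogon.log after
# "Nltest.exe /dbflag:0x2080ffff" has been set on a July-only DC.
$SampleLog = @'
06/23 10:50:39 [CRITICAL] [5812] NlRpcSecurityCallback: rejecting an unauthorized RPC call from 10.1.2.3 OpNum:34 Method:DsrGetDcNameEx2
06/23 10:50:41 [CRITICAL] [5812] NlRpcSecurityCallback: rejecting an unauthorized RPC call from 10.1.2.3 OpNum:34 Method:DsrGetDcNameEx2
06/23 10:50:45 [CRITICAL] [5812] NlRpcSecurityCallback: rejecting an unauthorized RPC call from 10.1.9.7 OpNum:20 Method:DsrGetDcName
06/23 10:51:02 [MISC] [5812] DsGetDcName function called: client PID=1234
'@ -split "`r?`n"

# Parse rejection lines and count them per client address and RPC method, so the
# source application that still uses unauthenticated calls can be identified.
function Get-NetlogonRejectedCalls {
    param([string[]]$Lines)
    $pattern = 'rejecting an unauthorized RPC call from (?<Client>\S+) OpNum:(?<OpNum>\d+) Method:(?<Method>\S+)'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Client = $Matches.Client; OpNum = [int]$Matches.OpNum; Method = $Matches.Method }
        }
    }
    $hits | Group-Object Client, Method | ForEach-Object {
        [pscustomobject]@{
            Client = $_.Group[0].Client; Method = $_.Group[0].Method
            OpNum  = $_.Group[0].OpNum;  Count  = $_.Count
        }
    }
}

# Read from the real log on a DC: Get-Content "$env:windir\debug\netlogon.log"
Get-NetlogonRejectedCalls -Lines $SampleLog | Format-Table -AutoSize

# On DCs with the August 2025 update, the same information is logged as event 9015
# (Enforcement Mode) or 9016 (Audit Mode). -Legacy switches to the System log IDs
# used on Windows Server 2008 SP2 / 2008 R2 (5844 enforce, 5845 audit).
function Get-NetlogonPolicyEvents {
    param([int]$Hours = 24, [switch]$Legacy)
    $filter = if ($Legacy) { @{ LogName = 'System'; ProviderName = 'Netlogon'; Id = 5844, 5845 } }
              else         { @{ LogName = 'Microsoft-Windows-Security-Netlogon/Operational'; Id = 9015, 9016 } }
    $filter.StartTime = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Message = ($_.Message -replace '\s+', ' ') }
    }
}
```

An event 9016 listing that is non-empty while a DC sits in Audit Mode is the list of callers that will break once the DC returns to Enforcement Mode.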

Timing of Windows updates

These Windows updates were released in several phases:

  1. Initial Change on Windows Server 2025 (May 13, 2025) – The original update that hardened against unauthenticated Netlogon-based RPC calls was included in the May 2025 Windows Security Update for Windows Server 2025.

  2. Initial Changes on other Server Platforms (July 8, 2025) – The updates that hardened against unauthenticated Netlogon-based RPC calls for other Server platforms were included in the July 2025 Windows Security Updates.

  3. Addition of Audit Mode and Disabled Mode (August 12, 2025) – Enforcement by default with an option for Audit or Disabled modes were included in the August 2025 Windows Security Updates.

  4. Removal of Audit Mode and Disabled Mode (TBD) – At a later date, Audit and Disabled modes may be removed from the OS. This article will be updated when further details are confirmed.

Deployment guidance

If you deploy the August Windows Security Updates and want to configure your DCs into Audit or Disabled mode, deploy the registry key below with the appropriate value. No restart is required.

Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value

DCLocatorRPCSecurityPolicy

Value type

REG_DWORD

Value data

0 - Disabled Mode
1 - Audit Mode
2 - Enforcement Mode (default)

Note: Unauthenticated requests will be allowed in both Audit and Disabled modes.
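As an added example (not from this article), the following PowerShell reads and sets the DCLocatorRPCSecurityPolicy value described above, treating an absent value as the built-in default of Enforcement Mode. The registry path and value name are the ones this article gives; the mode names are labels chosen for this example.

```powershell
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'DCLocatorRPCSecurityPolicy'
# Value data as documented: 0 Disabled, 1 Audit, 2 Enforcement (default).
$Modes = @{ Disabled = 0; Audit = 1; Enforcement = 2 }

function Get-DCLocatorRPCSecurityPolicy {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    # No value present means the DC runs with the default, Enforcement Mode (2).
    $data = if ($null -eq $item) { 2 } else { [int]$item.$ValueName }
    $entry = $Modes.GetEnumerator() | Where-Object { $_.Value -eq $data }
    $name = if ($entry) { $entry.Key } else { 'Unknown' }
    [pscustomobject]@{
        Value    = $data
        Mode     = $name
        Explicit = ($null -ne $item)   # $false when the default is in effect
        # Audit and Disabled both let unauthenticated Netlogon RPC calls through.
        AllowsUnauthenticated = ($data -in 0, 1)
    }
}

function Set-DCLocatorRPCSecurityPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Audit', 'Enforcement')]
        [string]$Mode
    )
    $target = "$RegPath\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Mode ($($Modes[$Mode]))")) {
        # REG_DWORD; the article states no restart is required after the change.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
            -Value $Modes[$Mode] -Force | Out-Null
    }
    Get-DCLocatorRPCSecurityPolicy
}

# Troubleshooting flow: drop to Audit, fix the application, return to Enforcement.
# Set-DCLocatorRPCSecurityPolicy -Mode Audit -WhatIf
# Set-DCLocatorRPCSecurityPolicy -Mode Enforcement
Get-DCLocatorRPCSecurityPolicy
```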

Newly added events

The August 12, 2025 Windows Security Updates will also add new event logs on Windows Server 2012 through Windows Server 2022 domain controllers:

Event Log

Microsoft-Windows-Security-Netlogon/Operational

Event Type

Information

Event ID

9015

Event Text

Netlogon denied an RPC call. The policy is in enforce mode.

Client Information: Method Name: %method% Method opnum: %opnum% Client address: <IP address> Client identity: <Caller SID>

For more information, see https://aka.ms/dclocatorrpcpolicy.

Event Log

Microsoft-Windows-Security-Netlogon/Operational

Event Type

Information

Event ID

9016

Event Text

Netlogon allowed an RPC call that normally would have been denied. The policy is in audit mode.

Client Information: Method Name: %method% Method opnum: %opnum% Client address: <IP address> Client identity: <Caller SID>

For more information, see https://aka.ms/dclocatorrpcpolicy.

Note: On Windows 2008 SP2 and Windows 2008 R2 servers, these events will be seen in the System event logs as Netlogon Events 5844 and 5845, respectively, for Enforcement and Audit modes.

Frequently asked questions (FAQ)

The DCs that are not updated with the July 8, 2025 Windows Security Updates, or later, will still allow unauthenticated Netlogon-based RPC calls & will not log events related to this vulnerability.

DCs that are updated with the July 8, 2025 Windows Security Updates will not allow unauthenticated Netlogon-based RPC calls, but will not log an event when such a call is blocked.

By default, DCs that are updated with the August 12, 2025 Windows Security Updates, or later, will not allow unauthenticated Netlogon-based RPC calls, and will log an event when such a call is blocked.

No.
