A major security flaw, identified as CVE-2025-47978, has been found in the Windows Kerberos Netlogon protocol. The flaw has a CVSS score of 6.5, which is considered moderate risk. The cybersecurity firm Silverfort has dubbed the vulnerability NOTLogon. This vulnerability would allow an attacker to gain unfettered access to sensitive data within databases.
Specifically, CVE-2025-47978 mostly impacts the Local Security Authority Subsystem Service (LSASS). This critical Windows process enforces security policies and manages user authentication. The vulnerability can be exploited by privileged attackers to perform denial-of-service attacks against a network. Doing so increases the potential for catastrophic operational failures.
Exploitation Potential
In practice, NOTLogon allows any user with access to a misconfigured database table to enumerate data they are not authorized to see. “Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them,” stated ServiceNow.
The flaw is exploitable because responses differ depending on which of four ACL conditions are met. A threat actor can use these inconsistent responses to identify which access requirements are not being met. This shifts the attack surface to a new pathway. Through brute-force querying, an attacker can exhaustively query a database table with specific parameters and filters to extract PII.
“Any user in an instance can exploit this vulnerability, even those with minimal privileges and no assigned roles, as long as they have access to at least one misconfigured table,” said cybersecurity expert Neta Armon. He further explained that “this vulnerability applies to any table in the instance with at least one ACL rule where the first two conditions are either left empty or are overly permissive — a common situation.”
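The condition Armon describes can be checked from the defender's side by auditing ACL rules for tables where the first two conditions are both open. The following is an added example, not code from ServiceNow or from the researchers; the export field names, the sample rules, and the sets of "overly permissive" roles and attributes are assumptions to adapt locally.

```python
import json

# Constructed sample of exported ACL rules. The field names are assumptions
# made for this example, not a real ServiceNow export schema.
SAMPLE_ACLS = json.loads("""
[
 {"table": "incident", "operation": "read",
  "required_roles": ["itil"], "security_attribute": ""},
 {"table": "u_customer", "operation": "read",
  "required_roles": [], "security_attribute": ""},
 {"table": "u_customer", "operation": "read",
  "required_roles": ["admin"], "security_attribute": ""},
 {"table": "u_payroll", "operation": "read",
  "required_roles": ["public"], "security_attribute": "  "},
 {"table": "u_hr_case", "operation": "read",
  "required_roles": [], "security_attribute": "u_hr_staff_only"}
]
""")

# Assumptions: which roles and attributes count as "overly permissive" here.
PERMISSIVE_ROLES = {"public"}
PERMISSIVE_ATTRIBUTES = set()


def is_gate_open(values, permissive):
    """A condition is open when it is empty or holds only permissive entries."""
    cleaned = {v.strip() for v in values if v and v.strip()}
    return not cleaned or cleaned <= permissive


def weak_rules(acls):
    """Yield rules whose Required Roles and Security Attribute are both open."""
    for rule in acls:
        roles_open = is_gate_open(rule.get("required_roles", []), PERMISSIVE_ROLES)
        attr_open = is_gate_open([rule.get("security_attribute", "")],
                                 PERMISSIVE_ATTRIBUTES)
        if roles_open and attr_open:
            yield rule


def exposed_tables(acls):
    """Map each table with at least one weak rule to the affected operations."""
    report = {}
    for rule in weak_rules(acls):
        report.setdefault(rule["table"], []).append(rule["operation"])
    return report


if __name__ == "__main__":
    for table, ops in sorted(exposed_tables(SAMPLE_ACLS).items()):
        print(f"{table}: first two ACL conditions open for {', '.join(ops)}")
```

A table is reported as soon as one of its rules is weak, so `u_customer` is flagged even though it also has an admin-only rule.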
Impact on Enterprises
Perhaps the most worrisome aspect of this vulnerability is its implications for enterprise environments. “Most concerning, this vulnerability was relatively simple to exploit and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user, which could bypass the need for privilege elevation and resulted in sensitive data exposure,” Neta Armon added.
In most enterprise environments, accounts are created at the request of low-privileged users by default, which raises the chances of exploitation. When access is blocked due to “Required Roles” or “Security Attribute Condition,” users are met with a blank page displaying the message: “Security constraints prevent access to the requested page.” With no visuals on the page, it is easy to misinterpret and misjudge what the access permissions really are.
“ServiceNow customers should be aware that query range Query ACLs will soon be set to default deny, so they should create exclusions to maintain authorized user ability to perform such actions,” Armon advised.
Mitigation and Resolution
ServiceNow has recognized the severity of this issue and deployed a fix with version 1.12.54.0 on July 8, 2025. The release is part of the update addressing the NOTLogon vulnerabilities and seeks to strengthen the security posture of any affected systems.
Dor Segal, another cybersecurity analyst, elaborated on the implications of the flaw: “This vulnerability does not require elevated privileges — only standard network access and a weak machine account are needed. In typical enterprise environments, any low-privileged user can create such accounts by default.”
He further noted that “with only a valid machine account and a crafted RPC message, an attacker can remotely crash a domain controller – a system responsible for the core functionalities of Active Directory, including authentication, authorization, Group Policy enforcement, and service ticket issuance.”
Additional insights from Oddvar Moe highlighted potential risks: “The directory housing ‘TPQMAssistant.exe’ is writable by standard users, which is already a red flag.” He pointed out that when certain scheduled tasks or binaries are enabled, they tend to search for dependencies beyond their own folder. This creates serious opportunities for accidental, and even malicious, sideloading.