CVE-2025-21351 – This vulnerability in Windows Active Directory ... (How to Fix)

Q: What is the severity of CVE-2025-21351?

CVE-2025-21351 has a CVSS score of 7.5 (HIGH). This vulnerability in Windows Active Directory Domain Services API allows attackers to cause a denial of service condition by sending specially crafted requests. It affects Windows servers running Active Directory Domain Services, potentially disrupting authentication and directory services for entire domains.

📋 TL;DR

This vulnerability in Windows Active Directory Domain Services API allows attackers to cause a denial of service condition by sending specially crafted requests. It affects Windows servers running Active Directory Domain Services, potentially disrupting authentication and directory services for entire domains.

💻 Affected Systems

Products:

Windows Server

Versions: Specific versions to be confirmed via Microsoft advisory

Operating Systems: Windows Server with Active Directory Domain Services role

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Active Directory Domain Services role installed and running. Domain controllers are primary targets.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of Active Directory services, preventing user authentication, group policy application, and domain resource access across the entire network.

🟠

Likely Case

Temporary service degradation or crashes of specific Active Directory components, requiring service restarts and causing authentication delays.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring, allowing quick detection and isolation of attack attempts.

🌐 Internet-Facing: LOW (Active Directory services should not be directly exposed to the internet in properly configured environments)

🏢 Internal Only: HIGH (Attackers with internal network access can potentially disrupt critical domain services affecting all domain-joined systems)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires network access to Active Directory services and knowledge of API exploitation techniques. Likely requires some level of access to craft malicious requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's monthly security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21351

Restart Required: Yes

Instructions:

1. Apply the latest Windows Server security update from Microsoft. 2. Restart affected domain controllers. 3. Test Active Directory functionality post-patch.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to Active Directory services to only necessary systems and users

Rate Limiting

all

Implement rate limiting on Active Directory API requests to prevent DoS attempts

🧯 If You Can't Patch

Implement strict network access controls to limit who can communicate with domain controllers
Deploy additional monitoring and alerting for unusual Active Directory API request patterns

🔍 How to Verify

Check if Vulnerable:

Check Windows Server version and verify if Active Directory Domain Services role is installed and running

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history shows the relevant security patch installed and Active Directory services are functioning normally

📡 Detection & Monitoring

Log Indicators:

Unusual spikes in Active Directory service requests
Active Directory service crashes or restarts in Event Logs
Failed authentication attempts followed by service degradation

Network Indicators:

Unusual traffic patterns to domain controllers on Active Directory ports (typically 389, 636, 3268, 3269)
High volume of API requests from single sources

SIEM Query:

source="*domaincontroller*" AND (event_id=1074 OR event_id=6008 OR event_id=1000) AND process_name="*ntds*" OR "*lsass*"

📊 Metadata

CVE ID: CVE-2025-21351

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 22.08% exploit probability (95.6th percentile)

Published: February 11, 2025

Last Updated: February 28, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21351 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-21351, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft