CVE-2025-65176

7.5 HIGH

📋 TL;DR

Dynatrace OneAgent versions before 1.325.47 automatically retry failed network share access attempts using all available user tokens, enabling NTLM relay attacks. This allows unprivileged attackers on affected systems to impersonate other users and potentially gain unauthorized access to network resources. Organizations using vulnerable OneAgent versions are at risk.

💻 Affected Systems

Products:
  • Dynatrace OneAgent
Versions: All versions before 1.325.47
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when OneAgent encounters STATUS_LOGON_FAILURE errors during network share access attempts.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains domain administrator privileges via NTLM relay, leading to full domain compromise and data exfiltration.

🟠

Likely Case

Attacker gains access to sensitive network shares, internal applications, or lateral movement capabilities using stolen credentials.

🟢

If Mitigated

Limited impact due to network segmentation, SMB signing enforcement, and proper access controls preventing credential relay.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to have local access to trigger the vulnerability and set up NTLM relay infrastructure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.325.47

Vendor Advisory: https://docs.dynatrace.com/docs/shortlink/release-notes-oneagent-sprint-325#oneagent-sprint-325-ga

Restart Required: Yes

Instructions:

1. Log into Dynatrace SaaS/Managed environment
2. Navigate to Deploy Dynatrace > OneAgent
3. Update OneAgent to version 1.325.47 or later
4. Restart affected systems or services

🔧 Temporary Workarounds

Disable NTLM Authentication

Platform: Windows

Configure systems to use Kerberos authentication only, preventing NTLM relay attacks

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Incoming NTLM traffic = Deny all

Enable SMB Signing

Platform: Windows

Require SMB packet signing to prevent NTLM relay attacks

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always) = Enabled

🧯 If You Can't Patch

  • Implement network segmentation to isolate OneAgent systems from critical resources
  • Deploy endpoint detection and response (EDR) solutions to monitor for NTLM relay attempts

🔍 How to Verify

Check if Vulnerable:

Check OneAgent version via Dynatrace UI: Deploy Dynatrace > OneAgent > Version column, or run: 'C:\Program Files\Dynatrace\OneAgent\agent\lib64\oneagentwatchdog.exe --version' on Windows or '/opt/dynatrace/oneagent/agent/lib64/oneagentwatchdog --version' on Linux

Check Version:

Windows: 'C:\Program Files\Dynatrace\OneAgent\agent\lib64\oneagentwatchdog.exe --version'
Linux: '/opt/dynatrace/oneagent/agent/lib64/oneagentwatchdog --version'

Verify Fix Applied:

Confirm version is 1.325.47 or higher using the version check command

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from single source with different user tokens
  • Event ID 4625 (failed logon) with STATUS_LOGON_FAILURE
  • Unusual SMB traffic patterns from OneAgent systems

Network Indicators:

  • NTLM authentication attempts to unexpected destinations
  • SMB traffic without signing from OneAgent systems
  • Authentication requests with multiple user contexts from single IP

SIEM Query:

source="windows-security" EventCode=4625 Status="0xc000006d" | stats count by src_ip, user
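The following Python is an added example, not part of this advisory or of Dynatrace's tooling. It implements the same logic as the SIEM query above (filter Event ID 4625 with Status 0xc000006d, count by source and user) and then adds the first log indicator from the list, flagging a source whose logon failures span several distinct user identities. The log lines are constructed and use a simplified key=value rendering of the 4625 fields; the field names (EventCode, Status, src_ip, user) and the three-user threshold are assumptions to adapt to your own SIEM's schema and baseline.

```python
"""Detection logic for STATUS_LOGON_FAILURE bursts with several user tokens
from one source (added example; log format and thresholds are assumptions)."""
from collections import Counter, defaultdict

# 0xc000006d is STATUS_LOGON_FAILURE, the status the advisory names.
LOGON_FAILURE = "0xc000006d"

# Constructed sample log: one source failing as three different users plus
# noise a real log would also contain (a successful 4624, a wrong-password 4625).
SAMPLE_LOG = """\
EventCode=4625 Status=0xc000006d src_ip=10.0.5.21 user=alice
EventCode=4625 Status=0xc000006d src_ip=10.0.5.21 user=bob
EventCode=4625 Status=0xc000006d src_ip=10.0.5.21 user=svc-backup
EventCode=4625 Status=0xc000006d src_ip=10.0.5.21 user=alice
EventCode=4625 Status=0xc000006d src_ip=10.0.7.9 user=carol
EventCode=4624 Status=0x0 src_ip=10.0.5.21 user=alice
EventCode=4625 Status=0xc000006a src_ip=10.0.7.9 user=carol
"""


def parse_event(line):
    """Split one key=value line into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def logon_failures(log_text):
    """Same filter as the SIEM query: EventCode=4625 and Status 0xc000006d."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [
        e for e in events
        if e.get("EventCode") == "4625"
        and e.get("Status", "").lower() == LOGON_FAILURE
    ]


def count_by_source_and_user(events):
    """Same aggregation as '| stats count by src_ip, user'."""
    return Counter((e["src_ip"], e["user"]) for e in events)


def suspicious_sources(events, min_distinct_users=3):
    """Sources whose logon failures involve several user identities, i.e. the
    'different user tokens from a single source' indicator. Returns a mapping
    {src_ip: sorted distinct users} for sources at or above the threshold."""
    users = defaultdict(set)
    for e in events:
        users[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_distinct_users}


if __name__ == "__main__":
    failures = logon_failures(SAMPLE_LOG)
    for (ip, user), n in sorted(count_by_source_and_user(failures).items()):
        print(f"{ip:12} {user:12} {n}")
    for ip, users in suspicious_sources(failures).items():
        print(f"ALERT {ip}: logon failures as {len(users)} users: {', '.join(users)}")
```

Run it on an export of your own 4625 events after mapping the field names; the threshold should sit above the number of distinct accounts a legitimate host normally fails as, so that a single mistyped password does not alert while a host cycling through several tokens does.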
