Microsoft has released a security update for a vulnerability that lets an attacker with network access crash the Local Security Authority Subsystem Service (LSASS) and cause a denial of service on domain controllers and other authentication servers. Tracked as CVE-2025-33057, the flaw is a null pointer dereference in LSASS that an authorized attacker can trigger over the network to terminate the process; because lsass.exe is a critical system process, the host is then forced to restart. The fix shipped in the June 2025 Patch Tuesday cumulative updates. Despite its Medium CVSS score, the operational impact on enterprise environments is severe, and administrators are urged to patch immediately while putting compensating network controls in place.

What Is CVE-2025-33057?

CVE-2025-33057 is a denial-of-service vulnerability in the Windows Local Security Authority (LSA) component, which is implemented through the LSASS process. Microsoft's Security Update Guide describes it as a "null pointer dereference" (CWE-476) that an authorized attacker can trigger over a network. When exploited, the vulnerability causes lsass.exe to crash. On domain controllers, where LSASS is critical for authentication and authorization, a crash can cascade into widespread authentication failures, automatic server reboots, and interruption of all Active Directory services. Even on non-DC servers and client systems running LSASS-dependent services, the crash can disrupt logon capabilities and break security policy enforcement.

The vulnerability affects a broad range of Windows releases, from legacy Windows Server 2008 SP2 and Windows 10 Version 1507 through the current Windows 11 24H2 and Windows Server 2025. Microsoft's advisory lists the affected build ranges and the corresponding security updates. Administrators can find the exact KB numbers and fixed builds on the MSRC page for CVE-2025-33057.

Technical Breakdown: Null Pointer Dereference in LSASS

A null pointer dereference occurs when code reads from or writes to memory through a pointer that holds the value zero (NULL). In a user-mode process such as LSASS, the result is an access violation that terminates the process. LSASS runs as LocalSystem and is treated by Windows as a critical process, so the operating system does not simply relaunch it: when lsass.exe dies, wininit.exe initiates a forced shutdown and restart of the whole machine, either through the one-minute "the system will now shut down and restart" countdown or, on builds where the process is marked critical, a CRITICAL_PROCESS_DIED bugcheck. This applies to every Windows host, not only domain controllers; the difference is that on a DC the reboot takes authentication for the whole domain or site down with it.

Microsoft's advisory rates the privileges required as Low, meaning the attacker must be able to authenticate to the target: a compromised domain user, a service account with network logon rights, or any foothold from which authenticated requests can reach LSASS. Once that is in place, a crafted request drives the service into the null pointer dereference. Microsoft has not published the protocol or code path involved. Security researchers and community discussion have speculated that the vector runs through Connectionless LDAP (CLDAP) and LDAP referral handling, a pattern seen in earlier LSASS denial-of-service bugs, but that remains an inference from prior cases rather than a confirmed detail, and the network mitigations below should be read with that caveat in mind.

Affected Systems and Patch Availability

The NVD enrichment data for CVE-2025-33057 lists the following affected product families and version ranges, among others:

Product                    Affected versions                     Fixed build
Windows 10 Version 1507    10.0.10240.0 to < 10.0.10240.21034    10.0.10240.21034
Windows 10 Version 1607    10.0.14393.0 to < 10.0.14393.8148     10.0.14393.8148
Windows 10 Version 1809    10.0.17763.0 to < 10.0.17763.7434     10.0.17763.7434
Windows 10 Version 21H2    10.0.19044.0 to < 10.0.19044.5965     10.0.19044.5965
Windows 10 Version 22H2    10.0.19045.0 to < 10.0.19045.5965     10.0.19045.5965
Windows 11 22H2            10.0.22621.0 to < 10.0.22621.5472     10.0.22621.5472
Windows 11 23H2            10.0.22631.0 to < 10.0.22631.5472     10.0.22631.5472
Windows 11 24H2            10.0.26100.0 to < 10.0.26100.4349     10.0.26100.4349
Windows Server 2016        10.0.14393.0 to < 10.0.14393.8148     10.0.14393.8148
Windows Server 2019        10.0.17763.0 to < 10.0.17763.7434     10.0.17763.7434
Windows Server 2022        10.0.20348.0 to < 10.0.20348.3745     10.0.20348.3745
Windows Server 2025        10.0.26100.0 to < 10.0.26100.4349     10.0.26100.4349

Note that this table is not exhaustive; Microsoft's advisory should be consulted for the complete list, including the Server 2008/2012 ESU builds. Because Windows updates are cumulative, any later monthly update (a higher fourth component, the UBR, on the same build) also contains the fix, so the test is "at or above the fixed build", not "exactly the fixed build". Domain controllers running any of these versions are of the highest concern because they expose LSASS to network interactions by default and are central to authentication.
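As an added example, not taken from Microsoft's advisory or NVD, the following PowerShell compares each host's installed build (CurrentBuild plus UBR from the registry) against the fixed builds in the table above and flags domain controllers. It assumes WinRM access to remote hosts for Invoke-Command and the RSAT ActiveDirectory module for the usage line that enumerates DCs; the build table inside the script reproduces the one above and should be extended with any other SKU in your estate.

```powershell
# Added example: check hosts against the fixed builds for CVE-2025-33057.
# Assumptions: WinRM (Invoke-Command) reaches remote hosts; the ActiveDirectory
# module is installed where the usage line runs. Keys are CurrentBuild, values the
# minimum UBR (fourth dotted component) that carries the June 2025 fix.
$FixedUbr = @{
    10240 = 21034   # Windows 10 1507
    14393 = 8148    # Windows 10 1607 / Windows Server 2016
    17763 = 7434    # Windows 10 1809 / Windows Server 2019
    19044 = 5965    # Windows 10 21H2
    19045 = 5965    # Windows 10 22H2
    20348 = 3745    # Windows Server 2022
    22621 = 5472    # Windows 11 22H2
    22631 = 5472    # Windows 11 23H2
    26100 = 4349    # Windows 11 24H2 / Windows Server 2025
}

function Get-WindowsBuildInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $sb = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
        [pscustomobject]@{
            CurrentBuild = [int]$cv.CurrentBuild
            UBR          = [int]$cv.UBR
            Product      = $cv.ProductName
            IsDC         = $role -in 4, 5
        }
    }
    if ($ComputerName -in @($env:COMPUTERNAME, 'localhost', '.')) { & $sb }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb }
}

function Test-Cve202533057Patched {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $b = Get-WindowsBuildInfo -ComputerName $c
        } catch {
            [pscustomobject]@{ Computer = $c; Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        $required = $FixedUbr[$b.CurrentBuild]
        # Updates are cumulative: any UBR at or above the June 2025 value carries the fix.
        $status = if ($null -eq $required)      { 'UNKNOWN (build not in table; check MSRC)' }
                  elseif ($b.UBR -ge $required) { 'PATCHED' }
                  else                          { 'VULNERABLE' }
        [pscustomobject]@{
            Computer    = $c
            Product     = $b.Product
            Build       = "10.0.$($b.CurrentBuild).$($b.UBR)"
            RequiredUbr = $required
            IsDC        = $b.IsDC
            Status      = $status
        }
    }
}

# Usage: domain controllers first, worst status at the top
$dcs = (Get-ADDomainController -Filter *).HostName
Test-Cve202533057Patched -ComputerName $dcs |
    Sort-Object Status -Descending | Format-Table -AutoSize
```

Hosts whose CurrentBuild is not in the table (for example Server 2008 R2 or 2012 R2 on ESU) come back as UNKNOWN rather than PATCHED, which is deliberate: absence from a local lookup table must never read as "safe".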

CVSS Score and Severity Rationale

Microsoft assigned a CVSS 3.1 base score of 6.5 (Medium). The vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

The Medium rating comes from the vector: no confidentiality or integrity impact and the low-privilege requirement pull the score down even though attack complexity is Low and the availability impact is High. In practice, many security teams treat LSASS denial-of-service flaws with the same urgency as high-severity items, because a domain controller outage can halt business operations. Microsoft's advisory did not report in-the-wild exploitation at release; check the CISA Known Exploited Vulnerabilities catalog for the current status, but do not let absence from that catalog lower the priority.

Real-World Exploitability and Risk

The authorization requirement does not make the bug benign. Plausible attack paths include:

  • Compromised user or service accounts that can send crafted LDAP or CLDAP queries to a domain controller.
  • Manipulation of DNS SRV records or referral flows that redirect a domain controller to an attacker-controlled system (relevant only if the referral hypothesis holds).
  • Insider threats or lateral movement from a foothold on the internal network.

Past LSASS and LDAP referral vulnerabilities have shown how quickly threat actors weaponize such bugs once a proof-of-concept appears. Community discussions on WindowsForum.com highlighted that even with the "authorized" restriction the disruption potential is large: a single crash reboots the DC, every client relying on it fails authentication until another DC answers, users lose access to resources, and recovery can stretch to hours if replication problems follow. Defenders should assume exploitation attempts will follow public disclosure and patch accordingly.

Immediate Actions for IT and Security Teams

Drawing from both Microsoft's guidance and the practical advice from WindowsForum's security desk, the following steps are recommended:

  1. Identify and apply the security update. Consult the MSRC advisory for CVE-2025-33057 to obtain the specific KB articles and cumulative update packages for your builds. Prioritize domain controllers, then other servers running authentication services.

  2. Patch domain controllers first. Schedule a maintenance window and have rollback procedures ready, as DC reboots affect all domain-joined systems. Test patches in a non-production environment if possible, but do not delay patch deployment.

  3. Block untrusted CLDAP/LDAP traffic. Domain controllers must keep accepting inbound LDAP and CLDAP from clients, so the control here is egress: if business requirements allow, block outbound UDP 389 (CLDAP) and TCP 389 (LDAP) from domain controllers to the internet and untrusted network segments. This blunts referral-chasing toward attacker-controlled hosts, which is the suspected but unconfirmed vector, and costs little even if that guess turns out to be wrong.

  4. Harden name resolution. Ensure domain controllers point only at internal, trusted DNS servers as their own resolvers, keep the Active Directory zones (including _msdcs and the SRV records under it) authoritative on internal DNS so those lookups never leave the forest, and review forwarders and conditional forwarders so that no internal namespace is resolved by an external server.

  5. Deploy detection rules. Configure EDR and SIEM to alert on:
    - lsass.exe crash records: Application log Event ID 1000 (Application Error) or 1001 (Windows Error Reporting) with lsass.exe as the faulting application, and System log Event ID 1074 where wininit.exe initiates a restart citing lsass.exe. Do not expect a 4688 for a relaunched lsass.exe; the process is not restarted in place, the host reboots.
    - Repeated authentication failures (Event ID 4625) across multiple accounts, especially a burst from one source address in the minutes before a crash.
    - Unexpected domain controller reboots (System Event ID 6008, Kernel-Power 41, and BugCheck 1001 where the crash bugchecked).
    - Anomalous CLDAP/LDAP traffic spikes toward domain controllers, or outbound 389/UDP and 389/TCP from DCs to external IPs.

  6. Staged deployment and monitoring. Roll patches to a pilot group of servers first, monitoring for stability, then expand to the entire estate. Note that Microsoft's Known Issue Rollback (KIR) only reverts non-security changes shipped in an update; it cannot roll back the security fix itself, so a problematic update either stays installed or is uninstalled wholesale.
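As an added example of steps 3 and 4 (example code, not Microsoft's guidance), the following PowerShell, run on a domain controller, adds outbound block rules for LDAP and CLDAP toward addresses Windows classifies as Internet, then lists the DC's DNS client servers, global forwarders and conditional-forwarder masters that fall outside RFC 1918 space so they can be reviewed. The Internet keyword relies on Network Location Awareness classifying the DC's interfaces correctly, and the RFC 1918 regex is an assumption about your address plan; adjust both to your environment.

```powershell
# Added example for steps 3 and 4: DC egress controls and a name-resolution review.
# Assumptions: run elevated on a domain controller with the NetSecurity, DnsClient and
# DnsServer modules present; the 'Internet' remote-address keyword depends on Network
# Location Awareness classifying the DC's interfaces correctly; the regex below treats
# loopback and RFC 1918 as internal and must be edited for other address plans.

function Add-LdapEgressBlock {
    param([switch]$WhatIf)
    # Block rules win over allow rules in Windows Defender Firewall, so no companion
    # allow rule is needed: intranet LDAP/CLDAP keeps working, Internet-bound 389 does not.
    $specs = @(
        @{ Protocol = 'UDP'; Label = 'CLDAP' },
        @{ Protocol = 'TCP'; Label = 'LDAP'  }
    )
    foreach ($s in $specs) {
        $name = "Block outbound $($s.Label) 389 to Internet (CVE-2025-33057 mitigation)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $name"; continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Protocol $s.Protocol -RemotePort 389 -RemoteAddress Internet `
            -Profile Domain, Private -WhatIf:$WhatIf
    }
}

function Get-ExternalResolverCandidate {
    # Returns every DNS client server, global forwarder and conditional-forwarder master
    # outside loopback/RFC 1918 space. A public forwarder for internet names is often
    # legitimate; a public address as the DC's own resolver is not. IPv6 forwarders are
    # reported too, since the regex only recognises IPv4 internal ranges.
    $internal = '^(127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
    $client = Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
        foreach ($addr in $_.ServerAddresses) {
            [pscustomobject]@{ Kind = 'DnsClient'; Scope = $_.InterfaceAlias; Address = $addr }
        }
    }
    $global = @((Get-DnsServerForwarder -ErrorAction SilentlyContinue).IPAddress) |
        Where-Object { $_ } | ForEach-Object {
            [pscustomobject]@{ Kind = 'ServerForwarder'; Scope = '(global)'; Address = "$_" }
        }
    $conditional = Get-DnsServerZone -ErrorAction SilentlyContinue |
        Where-Object ZoneType -eq 'Forwarder' | ForEach-Object {
            $zone = $_
            foreach ($m in $zone.MasterServers) {
                [pscustomobject]@{ Kind = 'ConditionalForwarder'; Scope = $zone.ZoneName; Address = "$m" }
            }
        }
    @($client) + @($global) + @($conditional) | Where-Object { $_.Address -notmatch $internal }
}

# Usage: preview the firewall change, apply it, then review anything resolving externally
Add-LdapEgressBlock -WhatIf
Add-LdapEgressBlock
Get-ExternalResolverCandidate | Format-Table -AutoSize
```

The -WhatIf pass prints the rules New-NetFirewallRule would create without touching the policy, which is the right first step on a DC; if your DCs are managed through Group Policy firewall settings, express the same two block rules there instead so a policy refresh does not remove them.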

Detection and Forensic Indicators

If you suspect an attempted or successful exploitation, collect the following:

  • System Event Log: Event ID 1074 (wininit.exe initiating a restart because lsass.exe terminated unexpectedly, with the faulting status code in the message), then 6008 and Kernel-Power 41 on the way back up, and BugCheck 1001 if the machine bugchecked. Service Control Manager events 7031/7034 do not apply here: lsass.exe is started by wininit.exe, not by the SCM.
  • Application Event Log: Event ID 1000/1001 naming lsass.exe, and the WER report or .dmp they reference. A crash dump for lsass.exe is only written if WER LocalDumps (HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps) was configured beforehand, so set that up on DCs before you need it.
  • Security Event Log: Authentication failures (4625) clustered in the minutes before the crash, grouped by source address, with the post-crash failure storm kept separate for contrast.
  • EDR Telemetry: Process termination events for lsass.exe and inbound network connections to the host around crash time. lsass.exe making outbound Kerberos and LDAP connections is normal and is not an indicator on its own.
  • Network Captures: Packets showing crafted LDAP/CLDAP referrals or malformed payloads immediately preceding the crash, if the referral hypothesis about the vector holds.

A memory capture of the affected server is also valuable, but it must be taken before the forced reboot completes. In practice that means having capture tooling already in place: on the countdown path wininit gives roughly a minute once lsass.exe dies, and on the bugcheck path the kernel crash dump is the only memory artifact you will get.
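The detection rules in step 5 above and the indicators in this section describe the same evidence, so one added example covers both: a PowerShell hunt (example code, not from the advisory or the forum) that pulls lsass.exe crash records from the Application and System logs, counts the reboot markers that follow each one, and tallies 4625 failures by source address in the minutes before the crash. It assumes elevated rights and remote event-log access for -ComputerName, matches the English event text for Application 1000/1001 and System 1074, and reads source addresses from the IpAddress field of the 4625 event XML; the usage line needs the ActiveDirectory module.

```powershell
# Added example: hunt for LSASS crash signatures and correlate with logon failures.
# Assumptions: run elevated, with remote event log access for -ComputerName; matching relies
# on the English text "Faulting application name: lsass.exe" (Application 1000/1001) and
# wininit's "lsass.exe ... terminated unexpectedly" comment in System 1074; 4625 source
# addresses come from the IpAddress field of the event XML.
function Find-LsassCrashEvidence {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackHours = 72,
        [int]$PreCrashWindowMinutes = 10
    )
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

    # Application log: Application Error (1000) and WER (1001) records naming lsass.exe
    $appCrash = @(Get-WinEvent @common -FilterHashtable @{
        LogName = 'Application'; Id = 1000, 1001; StartTime = $since } |
        Where-Object { $_.Message -match 'lsass\.exe' })

    # System log: wininit-initiated restart citing lsass.exe (1074), plus the dirty
    # shutdown (6008) and Kernel-Power (41) markers that follow the forced reboot
    $sys    = Get-WinEvent @common -FilterHashtable @{
        LogName = 'System'; Id = 1074, 6008, 41; StartTime = $since }
    $forced = @($sys | Where-Object { $_.Id -eq 1074 -and $_.Message -match 'lsass\.exe' })
    $dirty  = @($sys | Where-Object { $_.Id -in 6008, 41 })

    foreach ($crash in ($appCrash + $forced)) {
        $t = $crash.TimeCreated
        # Failures shortly before the crash: a burst from one source looks like a
        # credentialed probe; the burst after the crash is expected fallout and is excluded
        $failures = @(Get-WinEvent @common -FilterHashtable @{
            LogName = 'Security'; Id = 4625
            StartTime = $t.AddMinutes(-$PreCrashWindowMinutes); EndTime = $t })
        $sources = $failures | ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'IpAddress' | Select-Object -ExpandProperty '#text'
        } | Group-Object | Sort-Object Count -Descending | Select-Object -First 5
        [pscustomobject]@{
            Computer            = $ComputerName
            CrashTime           = $t
            Evidence            = "$($crash.LogName)/$($crash.Id)"
            RebootMarkersAfter  = @($dirty | Where-Object {
                                      $_.TimeCreated -gt $t -and $_.TimeCreated -lt $t.AddMinutes(15) }).Count
            LogonFailuresBefore = $failures.Count
            TopFailureSources   = ($sources | ForEach-Object { "$($_.Name)($($_.Count))" }) -join ', '
        }
    }
}

# Usage: sweep every DC; any row returned warrants pulling the WER dump and a packet capture
(Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Find-LsassCrashEvidence -ComputerName $_ } |
    Format-Table -AutoSize
```

A crash row with a high LogonFailuresBefore count concentrated on one source address is the pattern worth escalating; a crash with no preceding failures and a plausible cause in the 1000 event (a faulting module from a third-party LSA plugin, for instance) is more likely a stability problem than an attack, though it still deserves the patch.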

Containment Checklist

If a domain controller exhibits LSASS crashes that may be due to exploitation:

  1. Isolate the host from the network to prevent further attacks or lateral movement. For a domain controller, first confirm that another DC in the site can carry authentication and that the host holds no FSMO role you will need during the investigation; isolating it is still an outage for anything pinned to it.
  2. Preserve volatile data: memory dump, logs, and network traces.
  3. Do not reboot or reimage until forensic artifacts are secured, unless operational downtime mandates immediate recovery. Bear in mind that the crash itself forces a reboot, so what survives is the event logs, any WER dump, and whatever your EDR and packet capture recorded.
  4. If the DC must be restored, bring a patched standby system online and ensure replication is healthy before decommissioning the compromised host.

Historical Context: LSASS and LDAP Referral Attacks

This vulnerability is not an isolated incident. Over the past two years, researchers have repeatedly shown how LDAP and CLDAP referral handling can be abused to crash LSASS or, in the worst cases, reach remote code execution. The 2024/2025 disclosure cycle included several CVE entries in which a domain controller could be made to process malicious referrals with denial of service as the outcome. CVE-2025-33057 fits that pattern, whatever its exact trigger turns out to be, and reinforces that LSASS remains a high-value target. The community's institutional knowledge, captured in forums, incident reports, and vendor advisories, provides a playbook for defenders, and those who apply it will be best placed when the next one lands.

Conclusion

CVE-2025-33057 is a textbook example of a vulnerability that scores Medium but hits enterprise availability where it hurts most. Domain controllers are the lifeline of any Windows-based infrastructure, and a reliably triggerable LSASS crash can bring an entire organization to a standstill. The fix is available, and the mitigations are clear. Patch now, restrict outbound discovery traffic from DCs, and tune your detection to catch the crash signatures. In a threat landscape where LSASS is under constant assault, treating a Medium-rated bug as a top-priority response is not hyperbole; it is operational prudence.