CVE-2025-65176: n/a
An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks.
AI Analysis
Technical Summary
CVE-2025-65176 is a vulnerability found in Dynatrace OneAgent versions before 1.325.47. The issue arises when the agent attempts to access a remote network share and receives a STATUS_LOGON_FAILURE error, indicating failed authentication. Instead of failing gracefully, the agent retrieves every user token present on the local machine and repeatedly attempts to access the network share by impersonating each user token. This behavior can be exploited by an unprivileged attacker who has local access to the affected system to conduct NTLM relay attacks. NTLM relay attacks allow an attacker to intercept and relay authentication requests to gain unauthorized access to network resources without needing the actual credentials. The vulnerability stems from improper handling of authentication failures and excessive token impersonation, violating the principle of least privilege (CWE-284). The CVSS v3.1 base score is 7.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact. While no known exploits are publicly reported, the vulnerability poses a significant risk in environments where attackers can gain local access. The lack of available patches at the time of publication necessitates immediate attention from affected organizations.
Potential Impact
For European organizations, this vulnerability presents a significant risk, especially in environments where Dynatrace OneAgent is deployed on endpoints or servers with access to network shares. Successful exploitation could allow attackers to impersonate legitimate users and relay NTLM authentication requests, potentially leading to unauthorized access to sensitive network resources, lateral movement, and data exfiltration. Confidentiality is primarily impacted, as attackers can gain access to resources without valid credentials. The vulnerability does not affect integrity or availability directly but can facilitate further attacks that compromise these aspects. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and critical infrastructure, could face severe compliance and reputational consequences if exploited. The ease of exploitation (no privileges or user interaction required) increases the threat level, particularly in environments with weak local access controls or where endpoint security is insufficient.
Mitigation Recommendations
1. Immediately upgrade Dynatrace OneAgent to version 1.325.47 or later once available to address the vulnerability.
2. Until patches are deployed, restrict local access to systems running OneAgent to trusted personnel only and enforce strict endpoint security controls.
3. Monitor network share access logs and authentication attempts for unusual patterns, such as repeated failed logons or multiple user token impersonations.
4. Implement network-level protections against NTLM relay attacks, including disabling NTLM where feasible, enforcing SMB signing, and deploying SMB relay protections on network devices.
5. Use endpoint detection and response (EDR) tools to detect anomalous impersonation or token usage behaviors.
6. Educate IT and security teams about the vulnerability and signs of exploitation to enable rapid incident response.
7. Review and tighten permissions on network shares to minimize the impact of any successful relay attack.
8. Employ multi-factor authentication (MFA) for network resource access where possible to reduce reliance on NTLM authentication.
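Recommendation 3 asks defenders to watch for repeated failed logons that cycle through many user accounts from one host, which is what the described behaviour would look like from a file server's Security log. The script below is an added example, not code from the advisory or from Dynatrace: it runs a sliding-window check over simplified Windows Security event records whose field names mirror Event ID 4625 (failed logon), flagging a workstation whose network logon failures with status 0xC000006D (STATUS_LOGON_FAILURE) span several distinct account names within a short window. The events, the window size and the thresholds are constructed for illustration and should be tuned to the environment.

```python
"""
Added example (not from the advisory or Dynatrace): flag bursts of failed
network logons from one workstation that cycle through many different
account names, the pattern mitigation item 3 asks defenders to watch for.
Input is a list of simplified Windows Security event records; the field
names mirror Event ID 4625 but the records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS code reported in the 4625 "Status" field for STATUS_LOGON_FAILURE
STATUS_LOGON_FAILURE = "0xC000006D"

# Constructed sample: three distinct accounts fail from WS01 within seconds
# (suspicious), plus one isolated failure from WS02 (a mistyped password).
SAMPLE_EVENTS = [
    {"time": "2025-12-15T19:00:01", "event_id": 4625, "status": "0xC000006D",
     "logon_type": 3, "workstation": "WS01", "user": "alice"},
    {"time": "2025-12-15T19:00:02", "event_id": 4625, "status": "0xC000006D",
     "logon_type": 3, "workstation": "WS01", "user": "bob"},
    {"time": "2025-12-15T19:00:03", "event_id": 4625, "status": "0xC000006D",
     "logon_type": 3, "workstation": "WS01", "user": "svc-backup"},
    {"time": "2025-12-15T19:00:04", "event_id": 4625, "status": "0xC000006D",
     "logon_type": 3, "workstation": "WS01", "user": "alice"},
    {"time": "2025-12-15T19:05:00", "event_id": 4625, "status": "0xC000006D",
     "logon_type": 3, "workstation": "WS02", "user": "carol"},
]


def find_impersonation_bursts(events, window_seconds=60, min_distinct_users=3):
    """Return one alert per workstation whose failed network logons cover at
    least min_distinct_users distinct accounts inside a sliding time window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625 or ev["status"] != STATUS_LOGON_FAILURE:
            continue
        if ev["logon_type"] != 3:  # 3 = network logon, i.e. SMB share access
            continue
        by_host[ev["workstation"]].append(
            (datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for host, failures in by_host.items():
        failures.sort()
        start = 0
        best = None
        for end in range(len(failures)):
            # Slide the window start forward until it fits within window_seconds.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_distinct_users and (
                    best is None or len(users) >= len(best["users"])):
                best = {
                    "workstation": host,
                    "users": sorted(users),
                    "attempts": end - start + 1,
                    "first_seen": failures[start][0].isoformat(),
                    "last_seen": failures[end][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_impersonation_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the check reports WS01 with three distinct accounts across four attempts and stays silent for WS02. Windowing by source workstation rather than by target account is deliberate: a single host that fails as many different users in seconds is the signal here, whereas per-account thresholds would miss a spread of one or two attempts per user.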
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69405ac4d9bcdf3f3dfb23bf
Added to database: 12/15/2025, 7:00:20 PM
Last enriched: 12/22/2025, 7:24:35 PM
Last updated: 2/7/2026, 4:35:58 AM