CVE-2025-65176: n/a
CVE-2025-65176 is a vulnerability in Dynatrace OneAgent versions before 1.325.47 where the agent, upon receiving a STATUS_LOGON_FAILURE error when accessing a remote network share, retrieves all user tokens on the machine and repeatedly attempts access while impersonating these users. This behavior can be exploited by an unprivileged attacker with local access to perform NTLM relay attacks, potentially leading to unauthorized access and lateral movement within a network. No known exploits are currently reported in the wild. The vulnerability affects confidentiality and integrity by enabling credential misuse and unauthorized access. Mitigation requires updating OneAgent to version 1.325.47 or later and restricting local access to trusted users. European organizations with widespread Dynatrace OneAgent deployments, especially in countries with high adoption of enterprise monitoring tools, are at risk.
AI Analysis
Technical Summary
CVE-2025-65176 is a security vulnerability identified in Dynatrace OneAgent versions prior to 1.325.47. The flaw arises when the OneAgent attempts to access a remote network share and encounters a STATUS_LOGON_FAILURE error. Instead of failing gracefully, the agent retrieves every user token present on the local machine and repeatedly attempts to access the network share while impersonating these users. This behavior can be exploited by an unprivileged attacker who has local access to the affected system. By leveraging this vulnerability, the attacker can perform NTLM relay attacks, a technique that allows the attacker to relay authentication requests to other network resources and potentially gain unauthorized access or escalate privileges. The vulnerability does not require elevated privileges initially but does require local access to the compromised machine. The repeated impersonation attempts increase the likelihood of successful relay attacks, which can lead to lateral movement within an enterprise network. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability highlights a critical weakness in how OneAgent handles authentication failures and token impersonation, exposing enterprise environments to credential relay attacks.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using Dynatrace OneAgent extensively for application and infrastructure monitoring. The ability of an unprivileged local attacker to perform NTLM relay attacks can lead to unauthorized access to sensitive network resources, data breaches, and lateral movement within corporate networks. This can compromise the confidentiality and integrity of critical systems and data. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face regulatory and reputational damage if exploited. The repeated impersonation attempts could also increase network noise and detection complexity. Given that many European enterprises rely on centralized monitoring tools like Dynatrace, the vulnerability could have broad implications if not promptly addressed. Additionally, the vulnerability could be leveraged in targeted attacks against high-value assets, especially in countries with advanced digital infrastructures and high adoption of enterprise monitoring solutions.
Mitigation Recommendations
The primary mitigation is to upgrade Dynatrace OneAgent to version 1.325.47 or later, where this vulnerability has been addressed. Until the patch is applied, organizations should restrict local access to systems running OneAgent to trusted personnel only, minimizing the risk of unprivileged attackers exploiting the flaw. Network segmentation should be enforced to limit the impact of potential NTLM relay attacks, isolating critical systems and shares from less secure endpoints. Implementing strong monitoring and alerting for unusual authentication attempts and NTLM relay indicators can help detect exploitation attempts early; in particular, a burst of logon failures from a single host that cycles through many different local accounts against the same share is the signature of the behavior described above. Disabling NTLM where possible, or enforcing SMB signing and Extended Protection for Authentication (EPA), can reduce the attack surface. Additionally, organizations should review and harden their credential delegation policies and consider deploying multi-factor authentication to reduce the risk of credential misuse. Regular security audits and penetration testing focusing on lateral movement techniques can help identify and remediate weaknesses related to this vulnerability.
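As an added example (not code from Dynatrace or from this advisory), the detection logic below flags the pattern the mitigation section says to monitor for: a burst of STATUS_LOGON_FAILURE events in which one host cycles through several different accounts against the same share within seconds, while a single user failing repeatedly is left alone. The sample events, field names and thresholds are constructed assumptions modelled on Windows Security Event ID 4625.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security Event 4625 reports STATUS_LOGON_FAILURE as this NTSTATUS value.
STATUS_LOGON_FAILURE = "0xC000006D"

# Constructed sample events (not real telemetry). Field names are an assumption
# modelled on Event ID 4625: source workstation, account tried, status, share.
SAMPLE_EVENTS = [
    {"ts": "2025-12-15T19:00:01", "src": "WKS-01", "user": "svc_backup", "status": "0xC000006D", "target": r"\\FS01\share"},
    {"ts": "2025-12-15T19:00:02", "src": "WKS-01", "user": "alice", "status": "0xC000006D", "target": r"\\FS01\share"},
    {"ts": "2025-12-15T19:00:02", "src": "WKS-01", "user": "bob", "status": "0xC000006D", "target": r"\\FS01\share"},
    {"ts": "2025-12-15T19:00:03", "src": "WKS-01", "user": "carol", "status": "0xC000006D", "target": r"\\FS01\share"},
    # One user mistyping a password on another host must not trip the rule.
    {"ts": "2025-12-15T19:05:00", "src": "WKS-02", "user": "dave", "status": "0xC000006D", "target": r"\\FS01\share"},
    {"ts": "2025-12-15T19:05:30", "src": "WKS-02", "user": "dave", "status": "0xC000006D", "target": r"\\FS01\share"},
    {"ts": "2025-12-15T19:06:10", "src": "WKS-02", "user": "dave", "status": "0xC0000234", "target": r"\\FS01\share"},
]


def find_impersonation_bursts(events, window=timedelta(seconds=30), min_users=3):
    """Flag (source host, share) pairs whose STATUS_LOGON_FAILURE events span at
    least `min_users` distinct accounts inside one `window`. Many different local
    accounts failing against the same share from one host within seconds matches
    the token-iteration behaviour in the advisory; the thresholds are tuning
    assumptions, not values from Dynatrace or the CVE record."""
    by_key = defaultdict(list)
    for e in events:
        if e["status"] != STATUS_LOGON_FAILURE:
            continue  # other NTSTATUS codes (e.g. locked-out account) are ignored
        by_key[(e["src"], e["target"])].append((datetime.fromisoformat(e["ts"]), e["user"]))

    hits = {}
    for key, recs in by_key.items():
        recs.sort()  # chronological; tuple sort breaks ties on user name
        for i, (t0, _) in enumerate(recs):
            # Sliding window anchored at each event: distinct accounts seen within `window`.
            users = {u for t, u in recs[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[key] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for (src, target), users in find_impersonation_bursts(SAMPLE_EVENTS).items():
        print(f"{src} -> {target}: {len(users)} distinct accounts failed: {', '.join(users)}")
```

Pointing the same function at real 4625 exports means mapping WorkstationName, TargetUserName and Status onto the keys used here; the thresholds should be tuned against a baseline of normal failed-logon volume before alerting.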
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69405ac4d9bcdf3f3dfb23bf
Added to database: 12/15/2025, 7:00:20 PM
Last enriched: 12/15/2025, 7:16:23 PM
Last updated: 12/16/2025, 3:53:25 AM