At the DEF CON 33 security conference, researchers from SafeBreach unveiled a novel attack technique named Win-DDoS, which exploits zero-click vulnerabilities in Windows domain controllers (DCs) to orchestrate distributed denial-of-service (DDoS) attacks. This method leverages unauthenticated Remote Procedure Call (RPC) and Lightweight Directory Access Protocol (LDAP) vulnerabilities, enabling attackers to crash DCs and transform them into components of a malicious botnet.
Understanding the Win-DDoS Attack Mechanism
The Win-DDoS technique abuses the implicit trust built into the client-side components of Windows services. By manipulating the LDAP referral mechanism, attackers can redirect DCs into sending repeated requests to a target-controlled endpoint, overwhelming the victim with traffic the DCs never intended to generate. This exploitation of client-side blind spots underscores the need for robust security controls inside enterprise networks, not only at the perimeter.
Discovery of Additional Denial-of-Service Vulnerabilities
In their research, SafeBreach identified several new denial-of-service (DoS) vulnerabilities:
1. CVE-2025-32724: This vulnerability arises from the LDAP Client code’s referral process, which lacks limits on list sizes and delays memory freeing until completion. An unauthenticated attacker can exploit this by sending oversized lists, causing the Local Security Authority Subsystem Service (LSASS) to crash and triggering a blue screen of death (BSOD).
2. CVE-2025-26673: Located in the DC’s Netlogon service, this flaw allows crafted RPC calls to crash the service remotely without authentication. Exploiting this vulnerability can disable a critical Windows authentication component, potentially locking users out of domain resources until a system reboot.
3. CVE-2025-49716: This vulnerability targets the LSASS, enabling a remote attacker to send specially crafted LDAP queries that destabilize the service, leading to immediate DoS on the affected host.
4. CVE-2025-49722: Found in the Windows Print Spooler, this DoS flaw can be triggered by sending malformed RPC requests that cause the spooler process to fail, interrupting printing operations and potentially impacting broader system stability.
Mitigation and Recommendations
Microsoft has addressed some of these vulnerabilities in recent Patch Tuesday releases. Specifically, the LDAPNightmare (CVE-2024-49113) and CVE-2025-32724 vulnerabilities were patched in December 2024 and April 2025, respectively. However, the remaining vulnerabilities reported by SafeBreach are still unpatched.
To protect against Win-DDoS and similar DoS risks, organizations are advised to:
– Apply Microsoft’s Latest Patches: Ensure all systems are updated with the latest security patches to mitigate known vulnerabilities.
– Limit Exposure of DC Services: Restrict access to critical services to minimize potential attack vectors.
– Implement Network Segmentation: Isolate critical systems and services to contain potential breaches and limit the spread of attacks.
– Monitor for Unusual LDAP or RPC Traffic: Establish monitoring mechanisms to detect and respond to anomalous network activity promptly.
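To make the last recommendation concrete, here is an added example (not code from SafeBreach or from the article) that flags the traffic pattern Win-DDoS produces: a domain controller itself opening repeated outbound LDAP connections to a single endpoint that is not another DC. It assumes a constructed, simplified flow-log layout, an assumed DC inventory, and a sample threshold; the log lines are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (not real logs). Layout assumed:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """
2025-08-08T10:00:00 10.0.0.10 10.0.0.11 389 tcp
2025-08-08T10:00:01 10.0.0.50 10.0.0.10 389 tcp
2025-08-08T10:00:02 10.0.0.10 203.0.113.7 389 tcp
2025-08-08T10:00:03 10.0.0.10 203.0.113.7 389 tcp
2025-08-08T10:00:04 10.0.0.10 203.0.113.7 389 tcp
2025-08-08T10:00:05 10.0.0.10 203.0.113.7 389 tcp
2025-08-08T10:00:06 10.0.0.11 10.0.0.77 389 tcp
2025-08-08T10:00:07 10.0.0.11 10.0.0.77 389 tcp
2025-08-08T10:02:00 10.0.0.11 10.0.0.77 389 tcp
"""

KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}   # assumed DC inventory for the domain
LDAP_PORTS = {389, 636, 3268, 3269}      # LDAP, LDAPS, Global Catalog, GC over TLS


def parse_flow(line):
    """Split one constructed flow line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_referral_abuse(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {(dc, dst): peak_count} for every DC that initiated at least
    `threshold` LDAP connections to one non-DC endpoint inside `window`.
    Normal DC-to-DC replication traffic and inbound client queries are ignored;
    a DC chasing referrals to an arbitrary host is what Win-DDoS relies on."""
    recent = defaultdict(deque)   # (dc, dst) -> timestamps still inside the window
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, proto = parse_flow(line)
        # Only DC-initiated LDAP toward something that is not a known DC matters.
        if src not in KNOWN_DCS or dst in KNOWN_DCS or port not in LDAP_PORTS:
            continue
        bucket = recent[(src, dst)]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # slide the window forward
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(bucket))
    return alerts


if __name__ == "__main__":
    for (dc, dst), count in find_referral_abuse(SAMPLE_FLOWS.splitlines()).items():
        print(f"ALERT: DC {dc} opened {count} outbound LDAP connections to {dst} within 60s")
```

In production the inventory and threshold would come from the directory and from a baseline of normal referral traffic; the two slow connections from 10.0.0.11 fall outside the window and are deliberately not flagged.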
Conclusion
The emergence of the Win-DDoS attack technique highlights the evolving landscape of cybersecurity threats targeting Windows domain controllers. By exploiting zero-click vulnerabilities in RPC and LDAP services, attackers can transform essential network components into tools for DDoS attacks. Organizations must remain vigilant, apply timely patches, and implement comprehensive security measures to safeguard their networks against such sophisticated threats.