
SafeBreach Labs researchers Or Yair and Shahak Morag disclosed a new class of Windows denial-of-service (DoS) vulnerabilities that can be exploited to crash critical infrastructure or conscript publicly accessible Windows Domain Controllers (DCs) into high-bandwidth DDoS attacks.
The researchers have dubbed the discovery the “Win-DoS Epidemic” and have released proof-of-concept tooling demonstrating exploitation across multiple Windows services.
Vulnerability Overview
The issues are all categorised as uncontrolled resource consumption vulnerabilities.
Three can be triggered remotely without authentication; one requires minimal authenticated access:
- CVE-2025-26673 (CVSS 7.5) – DoS in Windows LDAP service
- CVE-2025-32724 (CVSS 7.5) – DoS in Windows LSASS; also core to the Win-DDoS attack chain
- CVE-2025-49716 (CVSS 7.5) – DoS in Windows Netlogon
- CVE-2025-49722 (CVSS 5.7) – DoS in Windows Print Spooler (requires authenticated user on adjacent network)
The first three vulnerabilities can be exploited via a single crafted packet or message sequence against an Internet-reachable service endpoint, requiring no user interaction.
Operational Impact on Domain Controllers
Domain Controllers run Active Directory Domain Services (AD DS), handling authentication (Kerberos, NTLM), authorisation, and directory look-ups.
A DoS against a DC has immediate operational consequences:
- Users cannot obtain Kerberos tickets or log in.
- Group Policy Objects cannot be applied.
- Resource access dependent on Active Directory is blocked.
Earlier work from the same researchers (LDAPNightmare, CVE-2024-49113) showed that LDAP services on DCs could be crashed remotely.
The new Win-DoS set extends the attack surface to LSASS, Netlogon, and Print Spooler — affecting multiple critical code paths.
Win-DDoS: Turning DCs into a Botnet
The most severe outcome is the Win-DDoS technique, leveraging CVE-2025-32724 to transform public DCs into stateless DDoS agents.
Attack chain:
- Trigger CLDAP connection – Send a crafted RPC call to an Internet-reachable DC, coercing it into acting as a CLDAP client.
- Referral injection – The attacker’s CLDAP server returns an LDAP referral pointing to an attacker-controlled LDAP/TCP endpoint.
- Referral amplification – The LDAP/TCP endpoint responds with thousands of LDAP URLs resolving to the victim’s IP and port.
- Relentless traffic generation – The DC cycles through the referral list, repeatedly initiating TCP connections and sending LDAP payloads to the victim.
Because most web servers (and other non-LDAP services) immediately close the TCP session upon receiving invalid LDAP data, the DC retries the next referral in the list — a loop that continues until the referral list is exhausted.
Key attributes of Win-DDoS:
- No code execution or compromise of the DC is required.
- Traffic originates from legitimate infrastructure (public DCs), making attribution and filtering more difficult.
- Potential scale: tens of thousands of DCs with public LDAP exposure.
- No need for attacker-controlled botnet infrastructure.
RPC Abuse for Zero-Click DoS
The team also identified weaknesses in Windows RPC binding behaviour.
By crafting repeated calls to a target RPC server, they bypassed concurrency limits, forcing resource exhaustion without authentication.
This results in complete service termination or a system crash.
The method works against any RPC service that accepts unauthenticated calls — common across default Windows deployments.
Mitigation and Patching
Microsoft has issued security updates for supported Windows versions in April, June, and July 2025 covering all four CVEs.
Given that exploitation now has public proof-of-concept tooling, patching should be considered urgent.
Recommended defensive actions:
- Apply Microsoft patches to all Windows Servers and endpoints, prioritising Domain Controllers and other LDAP/Netlogon/LSASS-exposed systems.
- Restrict public exposure of DCs and related services (LDAP, CLDAP, RPC) via network segmentation and firewall policy.
- Implement DDoS detection that can profile anomalous outbound traffic patterns from DCs as well as inbound floods.
- Adjust threat models — do not assume that internal services are immune to DoS without full compromise.
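As an added example (not code from the original article, from SafeBreach Labs, or from FastNetMon), the following Python script shows what the outbound-profiling recommendation above can look like when run over flow records. It flags a Domain Controller that starts opening a burst of TCP sessions to the same Internet ip:port within a short window, which is the traffic shape of the referral loop described earlier, and separately flags a DC acting as a CLDAP client toward an Internet host, which is the first step of that chain. The flow records are constructed sample data; the DC addresses, internal ranges, egress allowlist and thresholds are assumptions to be replaced with an environment's own baseline.

```python
"""Detect Win-DDoS-style behaviour from a Domain Controller's egress flows.

Rule 1: a DC initiating many outbound TCP sessions (SYN only) to Internet
        hosts in one window, especially repeated hits on one ip:port.
Rule 2: a DC sending CLDAP (udp/389) to an Internet host at all; a DC is a
        CLDAP server, not a client, so outbound CLDAP is anomalous by itself.
All addresses, thresholds and records below are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}        # assumption: DC addresses
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]                # assumption: internal ranges
EGRESS_ALLOWLIST = {("203.0.113.5", 443)}               # assumption: e.g. update proxy

WINDOW_SECONDS = 60
MAX_EXTERNAL_CONNECTIONS = 20   # tuning knob: total DC->Internet SYNs per window
MAX_SAME_TARGET = 10            # tuning knob: SYNs to a single ip:port per window


def parse_flow(line):
    """Flow record format (constructed): epoch,src_ip,dst_ip,proto,dst_port,tcp_flags."""
    ts, src, dst, proto, dport, flags = line.strip().split(",")
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "flags": flags}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def dc_initiated_external_tcp(flow):
    """True when a DC opens a TCP session to a non-allowlisted Internet address."""
    return (flow["src"] in DOMAIN_CONTROLLERS
            and flow["proto"] == "tcp"
            and flow["flags"] == "S"              # SYN without ACK: DC is the client
            and not is_internal(flow["dst"])
            and (flow["dst"], flow["dport"]) not in EGRESS_ALLOWLIST)


def dc_outbound_cldap(flow):
    """True when a DC talks CLDAP to an Internet host (DC coerced into client role)."""
    return (flow["src"] in DOMAIN_CONTROLLERS
            and flow["proto"] == "udp"
            and flow["dport"] == 389
            and not is_internal(flow["dst"]))


def detect(lines):
    """Return a list of alert dicts; each has a 'kind' of 'outbound_cldap' or 'referral_burst'."""
    alerts = []
    buckets = defaultdict(list)   # (dc, window_start) -> [(dst, dport), ...]
    for line in lines:
        flow = parse_flow(line)
        if dc_outbound_cldap(flow):
            alerts.append({"kind": "outbound_cldap", "dc": flow["src"],
                           "target": flow["dst"], "ts": flow["ts"]})
        if dc_initiated_external_tcp(flow):
            window = flow["ts"] - flow["ts"] % WINDOW_SECONDS
            buckets[(flow["src"], window)].append((flow["dst"], flow["dport"]))
    for (dc, window), targets in sorted(buckets.items()):
        per_target = defaultdict(int)
        for target in targets:
            per_target[target] += 1
        top_target, top_count = max(per_target.items(), key=lambda kv: kv[1])
        if len(targets) > MAX_EXTERNAL_CONNECTIONS or top_count > MAX_SAME_TARGET:
            alerts.append({"kind": "referral_burst", "dc": dc, "window": window,
                           "connections": len(targets),
                           "top_target": top_target, "top_count": top_count})
    return alerts


# Constructed sample flows: benign DC traffic, one outbound CLDAP datagram, then a
# 30-second burst of SYNs from one DC to one Internet ip:port (the referral loop).
SAMPLE_FLOWS = [
    "1699999920,10.0.0.10,10.0.5.20,tcp,445,S",       # internal: ignored
    "1699999921,10.0.0.10,203.0.113.5,tcp,443,S",     # allowlisted egress: ignored
    "1699999922,10.0.0.11,198.51.100.20,tcp,443,S",   # one external SYN: below threshold
    "1699999923,10.0.0.10,198.51.100.20,tcp,80,A",    # ACK only: DC is not the initiator
    "1699999925,10.0.0.10,198.51.100.30,udp,389,-",   # DC acting as CLDAP client
] + [f"{1700000040 + i},10.0.0.10,198.51.100.7,tcp,443,S" for i in range(30)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

On real data the same two rules apply to exported NetFlow/IPFIX or firewall session logs; the important choice is to key the burst rule on SYN-only flows, since a DC legitimately answers large volumes of inbound LDAP and Kerberos traffic but should almost never be the one opening TCP sessions toward the Internet.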
Final notes
This research underlines the increasing trend of attackers repurposing legitimate, high-capacity infrastructure for DDoS rather than maintaining traditional botnets.
For network defenders, this demands equal focus on egress monitoring and internal service hardening alongside conventional perimeter DDoS protection.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com