New Win-DoS Flaws Could Weaponize Windows Domain Controllers for DDoS Attacks

New “Win-DoS Epidemic” exploit can turn domain controllers (DCs) into powerful tools for large-scale DDoS attacks.


Key Takeaways:

  • Researchers reveal “Win-DoS Epidemic,” a new method targeting Windows domain controllers (DCs).
  • Attack can be launched without authentication, turning legitimate services into DDoS weapons.
  • Microsoft has released patches; urgent updates and mitigation steps are recommended.

A newly discovered attack method could allow hackers to crash public Windows domain controllers (DCs) worldwide and weaponize them for massive distributed denial-of-service (DDoS) attacks. SafeBreach researchers have dubbed this technique the “Win-DoS Epidemic,” and warned that it can be carried out without authentication or planting malicious code.

Last week, researchers Yair and Shahak Morag from SafeBreach Labs presented their findings at the DEF CON 33 security conference. These include four new Windows DoS flaws and one zero-click distributed denial-of-service (DDoS) vulnerability.

“As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint,” SafeBreach researchers explained.

Vulnerabilities discovered

  • CVE-2025-26673: This high-severity flaw allows for uncontrolled resource consumption in Windows Lightweight Directory Access Protocol (LDAP). It could be abused by an unauthorized hacker to launch DoS attacks.
  • CVE-2025-32724: This is a high-severity DoS vulnerability in Windows LSASS with a CVSS score of 7.5.
  • CVE-2025-49716: This security vulnerability could allow for uncontrolled resource consumption in Windows LDAP and Windows Netlogon.
  • CVE-2025-49722: This is a medium-severity DoS flaw in the Windows print spooler, which requires an authenticated attacker on an adjacent network. It could be exploited to crash DCs and all other Windows machines within an enterprise network.

How does the Win-DDoS attack work?

The Win-DDoS attack exploits a vulnerability in Windows domain controllers by manipulating how they handle LDAP referrals. An attacker sends a specially crafted RPC request to a publicly accessible domain controller and tricks it into acting as a CLDAP client. This client then connects to a malicious CLDAP server controlled by the attacker, which responds with LDAP referrals pointing to a target victim server. The domain controller begins sending repeated LDAP queries to the victim, which floods it with traffic and causes a denial-of-service.

This method is particularly dangerous because it doesn’t require authentication or code execution on the domain controller. Instead, it weaponizes legitimate Windows services to amplify traffic toward a target, turning internal infrastructure into a tool for external attacks.

Microsoft’s response & mitigation

Microsoft issued security updates in April, June, and July 2025 to patch these vulnerabilities. Organizations should apply these updates without delay and implement DDoS mitigation measures across all systems.

Administrators are advised to:

  • Keep domain controllers off the public internet.
  • Enable traffic filtering to block suspicious LDAP or CLDAP requests.
  • Disable unnecessary RPC services or restrict access to them.
  • Use access control lists (ACLs) to limit who can send RPC requests to domain controllers.

It’s also recommended to deploy DDoS mitigation tools capable of detecting and absorbing traffic spikes, and to consider cloud-based DDoS protection for scalable defense. Finally, regularly review configurations and logs to spot any signs of exploitation.
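
As an added example (not code from the article or from SafeBreach), one way to review flow logs for the behavior described above: a domain controller sending CLDAP traffic, or repeated LDAP queries, to addresses outside the organization. The DC addresses, internal ranges, CSV layout, port set and thresholds are assumptions, and the sample flows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for illustration: DC addresses, internal ranges, ports, thresholds.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LDAP_PORTS = {389, 636}               # LDAP/CLDAP and LDAPS
BURST_THRESHOLD = 5                   # TCP LDAP flows to one external host...
BURST_WINDOW = timedelta(seconds=10)  # ...within this window
# Constructed sample flow log (documentation address ranges, not real hosts).
SAMPLE_FLOWS = """\
timestamp,src,dst,proto,dport
2025-08-12T10:00:00,10.0.0.10,10.0.0.11,tcp,389
2025-08-12T10:00:01,10.0.0.10,198.51.100.7,udp,389
2025-08-12T10:00:02,10.0.0.10,203.0.113.20,tcp,389
2025-08-12T10:00:03,10.0.0.50,203.0.113.20,tcp,389
2025-08-12T10:00:03,10.0.0.10,203.0.113.20,tcp,389
2025-08-12T10:00:04,10.0.0.10,203.0.113.20,tcp,389
2025-08-12T10:00:05,10.0.0.10,203.0.113.20,tcp,389
2025-08-12T10:00:06,10.0.0.10,203.0.113.20,tcp,389
2025-08-12T10:05:00,10.0.0.11,203.0.113.20,tcp,389
"""

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_suspicious(flow_csv):
    findings, alerted = [], set()
    recent = defaultdict(list)  # (dc, dst) -> timestamps of recent TCP LDAP flows
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        if src not in DOMAIN_CONTROLLERS or dport not in LDAP_PORTS or is_internal(dst):
            continue  # only DC-originated LDAP traffic to external addresses matters here
        if row["proto"].lower() == "udp":
            findings.append(("outbound_cldap", src, dst))  # DC acting as a CLDAP client
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        key = (src, dst)
        recent[key] = [t for t in recent[key] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[key]) >= BURST_THRESHOLD and key not in alerted:
            alerted.add(key)
            findings.append(("ldap_burst", src, dst))  # repeated queries at one host
    return findings

print(find_suspicious(SAMPLE_FLOWS))
```

A domain controller that is kept off the public internet should produce no findings of either kind, so any hit is worth tracing back to the originating request.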