A critical remote denial-of-service (DoS) vulnerability has been found in Microsoft's Windows Deployment Services (WDS), exposing enterprise networks to system crashes through zero-click attacks. The security researcher warns that the issue, which is based on remote memory exhaustion, has been dangerously overlooked in cybersecurity, especially within critical infrastructure services.

The security researcher Zhiniang Peng reported the issue to Microsoft on February 8, 2025. Microsoft confirmed the bug in March but later reclassified it as “moderate,” stating it does not meet the criteria for a security patch under its updated bounty rules. The research team published the findings publicly on May 2, citing a lack of meaningful response or mitigation guidance from Microsoft.

Vulnerability Overview

The vulnerability stems from how WDS handles incoming UDP packets. When a packet is sent to the TFTP service on port 69, the system allocates a new session object (CTftpSession) without validating the authenticity of the source. These session objects are stored in memory via EndpointSessionMapEntry, which imposes no limit on the number of entries. By spoofing IP addresses and ports in UDP packets, attackers can repeatedly create new sessions.

Over time, this leads to unchecked memory growth and eventual system failure. In testing, the researchers demonstrated that a Windows Server system with 8 GB of RAM became unresponsive within seven minutes as memory usage spiked to 15 GB, forcing a crash.
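To make the allocation problem concrete, here is a small model of the two ways a UDP service can keep per-peer session state: a table that allocates a new entry for every unseen (source IP, source port) pair with no ceiling, as the write-up describes for WDS, beside a hardened table with a global cap, a per-source quota, idle expiry and oldest-first eviction. This is an added illustration, not code from WDS or from the researchers; the class names, the per-session size constant and the cap values are assumptions chosen for the demonstration, and the spoofed sources are constructed.

```python
"""Model of per-peer session bookkeeping in a UDP service.

Added illustration, not WDS code. SESSION_SIZE_BYTES, the cap values and the
table classes are assumptions for the demonstration.
"""
from collections import OrderedDict

SESSION_SIZE_BYTES = 4096  # assumed per-session footprint, illustration only


class UnboundedSessionTable:
    """Every new (src_ip, src_port) pair gets a session and nothing caps the map.
    This is the behaviour the write-up attributes to WDS's TFTP session map."""

    def __init__(self):
        self.sessions = {}

    def on_packet(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        if key not in self.sessions:
            self.sessions[key] = {"created": now, "last_seen": now}
        self.sessions[key]["last_seen"] = now
        return True  # always accepted

    def memory_bytes(self):
        return len(self.sessions) * SESSION_SIZE_BYTES


class BoundedSessionTable:
    """Hardened variant: global cap, per-source-IP quota, idle-session expiry,
    and least-recently-used eviction when the table is full."""

    def __init__(self, max_sessions=1000, max_per_ip=8, idle_timeout=30.0):
        self.sessions = OrderedDict()  # insertion/recency ordered
        self.per_ip = {}
        self.max_sessions = max_sessions
        self.max_per_ip = max_per_ip
        self.idle_timeout = idle_timeout

    def _remove(self, key):
        del self.sessions[key]
        ip = key[0]
        self.per_ip[ip] -= 1
        if self.per_ip[ip] == 0:
            del self.per_ip[ip]

    def _expire_idle(self, now):
        # Drop sessions that have not seen traffic within idle_timeout seconds
        for key, s in list(self.sessions.items()):
            if now - s["last_seen"] > self.idle_timeout:
                self._remove(key)

    def on_packet(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        if key in self.sessions:
            self.sessions[key]["last_seen"] = now
            self.sessions.move_to_end(key)  # mark as most recently used
            return True
        self._expire_idle(now)
        if self.per_ip.get(src_ip, 0) >= self.max_per_ip:
            return False  # refuse: this source already holds its quota
        if len(self.sessions) >= self.max_sessions:
            oldest = next(iter(self.sessions))
            self._remove(oldest)  # evict the least recently used session
        self.sessions[key] = {"created": now, "last_seen": now}
        self.per_ip[src_ip] = self.per_ip.get(src_ip, 0) + 1
        return True

    def memory_bytes(self):
        return len(self.sessions) * SESSION_SIZE_BYTES


def simulate(table, n_sources, ports_per_source):
    """Feed n_sources * ports_per_source distinct constructed (ip, port) keys,
    one per millisecond, and return (sessions held, packets accepted)."""
    accepted = 0
    t = 0.0
    for i in range(n_sources):
        ip = f"10.{(i >> 8) & 0xff}.{i & 0xff}.1"  # constructed source address
        for p in range(ports_per_source):
            if table.on_packet(ip, 20000 + p, t):
                accepted += 1
            t += 0.001
    return len(table.sessions), accepted


if __name__ == "__main__":
    print("unbounded:", simulate(UnboundedSessionTable(), 200, 50))
    print("bounded:  ", simulate(BoundedSessionTable(), 200, 50))
```

With 200 constructed sources and 50 ports each, the unbounded table holds all 10,000 sessions, while the bounded one settles at its cap of 1,000 and turns away everything beyond each address's quota. Note the caveat the write-up implies: because the sources are spoofed, a per-IP quota alone is easy to sidestep by walking through an address range, so the global cap and idle expiry are the controls that actually bound memory.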

What is Windows Deployment Services?

WDS is a widely used Microsoft server role that facilitates the deployment of Windows operating systems across networks. It enables Preboot Execution Environment (PXE) booting, image transfers via TFTP and multicast, and automated OS installations in data centers, corporate IT, and educational institutions.

Given its network-facing nature and dependency on UDP protocols, WDS is particularly vulnerable to spoofed traffic and session abuse, making it an ideal target for this type of DoS attack.

Proof-of-Concept

A pseudocode version of the proof-of-concept (PoC) demonstrates how attackers can forge massive numbers of fake sessions using spoofed source IPs and ports. While the full exploit code is not released, the researchers have detailed how it can be executed from a standard Linux system against a Windows Server Insider Preview configured with WDS.

The attack requires no authentication and no user interaction, qualifying it as a preauth and 0-click vulnerability.

```c
// Pseudocode as published in the write-up. int_to_ip() and udp_send() are
// placeholders the page does not define; the researchers did not release
// the full exploit code.
int fake_send(const char *dst_ip, int dst_port, char *data, int data_len){
    char* src_ip = malloc(0x100);
    for (unsigned int i=0x4000000;i<0xffffffff;i++){
        memset(src_ip,0,0x10);
        int_to_ip(i,src_ip);            // render i as a dotted-quad string
        printf("src_ip:%s\n",src_ip);
        for (int port=0x4000;port<0xe000;port++){
            udp_send(src_ip, port, dst_ip, dst_port, data, data_len);
        }
    }
    free(src_ip);
    return 0;
}
```

Conclusion

Experts warn that remote memory exhaustion vulnerabilities like this one pose systemic risks to internet infrastructure, yet they remain largely unaddressed. Since UDP servers cannot verify packet origins, attackers can trivially forge traffic and exploit memory allocation flaws in services like WDS.

The researchers recommend disabling or replacing Windows Deployment Services in production environments until a formal fix is released. Currently, there are no reliable mitigations without vendor intervention.
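Until the service is disabled or patched, the one thing a defender can do is notice the condition early. The following detection sketch, added here as an example and not taken from the write-up, reads flow-log lines and flags any minute in which an unusually large number of distinct (source IP, source port) pairs hit UDP/69 on one host. That is the signature of the session-map growth described above, since each new pair costs the server a session. The log format, the thresholds and the sample lines are all constructed for the example.

```python
"""Flow-log detection for a burst of distinct UDP sources on the TFTP port.

Added example, not from the write-up. The log line format, window size and
threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed format: "<ISO-8601 UTC> proto=udp src=IP:PORT dst=IP:PORT bytes=N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=udp src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (ts, src_ip, src_port, dst_ip, dst_port) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["sip"], int(m["sport"]), m["dip"], int(m["dport"])


def detect_session_flood(lines, window_s=60, max_new_sources=100, port=69):
    """Per destination host and per time window, count distinct (src_ip, src_port)
    tuples sent to UDP/port. Return a list of
    (window_start_epoch, dst_ip, distinct_tuples, distinct_src_ips)
    for every window whose tuple count exceeds max_new_sources."""
    buckets = defaultdict(lambda: (set(), set()))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sip, sport, dip, dport = parsed
        if dport != port:
            continue
        epoch = int(ts.timestamp())
        window = epoch - (epoch % window_s)
        tuples, ips = buckets[(window, dip)]
        tuples.add((sip, sport))
        ips.add(sip)
    alerts = []
    for (window, dip), (tuples, ips) in sorted(buckets.items()):
        if len(tuples) > max_new_sources:
            alerts.append((window, dip, len(tuples), len(ips)))
    return alerts


def constructed_log():
    """Constructed sample: a normal PXE client, then a one-minute burst of
    300 distinct sources, then an unrelated DNS packet."""
    lines = []
    for i in range(5):  # legitimate client: a few sessions from one address
        lines.append(
            f"2025-05-02T10:00:0{i}Z proto=udp src=10.0.0.25:{2000 + i} "
            f"dst=192.0.2.10:69 bytes=48"
        )
    for i in range(300):  # burst: every packet from a different (ip, port)
        lines.append(
            f"2025-05-02T10:01:{i % 60:02d}Z proto=udp "
            f"src=10.{i >> 8}.{i & 0xff}.7:{40000 + i} dst=192.0.2.10:69 bytes=48"
        )
    lines.append("2025-05-02T10:01:05Z proto=udp src=10.0.0.9:53412 dst=192.0.2.10:53 bytes=70")
    return lines


if __name__ == "__main__":
    for window, dst, n_tuples, n_ips in detect_session_flood(constructed_log()):
        start = datetime.fromtimestamp(window, tz=timezone.utc).isoformat()
        print(f"{start} {dst}: {n_tuples} distinct udp/69 sources from {n_ips} IPs")
```

The quiet minute with five sessions from one client stays below the threshold; the burst minute is reported with 300 distinct tuples from 300 distinct addresses. Because the addresses are spoofed, blocking individual sources is pointless; the useful response is to restrict which networks can reach UDP/69 on the WDS host at all, while recognising that this limits exposure rather than fixing the allocation bug the researchers describe.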

Source: https://sites.google.com/site/zhiniangpeng/blogs/WDS-DoS
