Security researchers from SafeBreach Labs have discovered a new set of denial-of-service (DoS) vulnerabilities in Windows, known as Win-DoS and Win-DDoS. These flaws allow attackers to abuse publicly accessible Windows domain controllers to generate massive amounts of traffic, turning them into a large-scale distributed denial-of-service (DDoS) botnet without the need for malware.
The team identified four specific vulnerabilities in core Windows components, affecting LDAP, RPC, LSASS, Netlogon, and the Print Spooler service. Three of these issues can be exploited without any authentication, while one requires only low-privileged domain credentials. This leaves both internet-exposed domain controllers and certain internal ones vulnerable.
The attack abuses normal LDAP and RPC behaviour. An attacker can induce a domain controller to act as an LDAP or CLDAP client, then answer its request with specially crafted LDAP referrals. These referrals direct the domain controller to connect repeatedly to a target IP address and port chosen by the attacker, generating a high volume of traffic toward that system.
Because of the way referral handling and certain RPC states are managed, the domain controllers continue sending requests to the target for an extended period. This repeated traffic can overwhelm the target, effectively causing a denial-of-service without the attacker having to compromise or install malicious software on the domain controllers.
SafeBreach also demonstrated an RPC-based technique, called TorpeDoS, that allows a single machine to generate RPC call rates equivalent to what many machines would produce. When combined with numerous exposed domain controllers, this can result in extremely large-scale DDoS attacks.
The vulnerabilities have been assigned official CVE identifiers. These include CVE-2025-26673, affecting LDAP client resource handling; CVE-2025-32724, a flaw in LSASS resource consumption; CVE-2025-49716, a Netlogon resource exhaustion bug; and CVE-2025-49722, a Print Spooler denial-of-service issue that requires an authenticated attacker on an adjacent network.
SafeBreach reported the vulnerabilities to Microsoft in March 2025. Microsoft released security patches between May and July 2025 to fix the reported issues. The research was presented publicly at DEF CON 33 on August 10, 2025, with detailed demonstrations and a public write-up, along with tools for security teams to test their networks.
The impact of these vulnerabilities is significant because domain controllers are a critical part of Windows-based networks. If exposed to the internet, they can be exploited remotely and turned into powerful tools for attacking other networks. This changes the threat landscape, as servers designed to secure a network could instead be used to harm others.
Security experts recommend immediate action to protect against Win-DDoS attacks. This includes applying Microsoft’s latest patches, removing domain controllers from direct internet exposure, restricting LDAP and RPC access to trusted internal systems, and using firewalls or VPNs for administrative access. Network monitoring should also be set up to detect unusual referral patterns, repeated retries, or unexpected spikes in outbound LDAP or RPC traffic.
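The monitoring advice above can be turned into a concrete check. The script below is an added example, not SafeBreach's tooling or anything from the article: it scans flow-style log lines for a domain controller that opens an unusually high number of outbound LDAP or RPC connections to one destination and port inside a short window, which is the traffic shape a referral-driven loop would produce. The log format, the list of domain-controller addresses, and the sample records are all constructed for the example; in a real deployment the inventory and the thresholds would come from your own environment.

```python
"""Flag a domain controller emitting bursts of outbound LDAP/RPC connections.

Added example (not from SafeBreach or the article). Assumes constructed
flow log lines of the form 'YYYY-mm-ddTHH:MM:SS src_ip dst_ip dst_port proto'
and a constructed inventory of domain-controller addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: addresses of this organisation's domain controllers.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}

# Ports a DC should rarely *initiate* many connections to in a short time.
LDAP_PORTS = {389, 636, 3268, 3269}
RPC_PORTS = {135}  # endpoint mapper; the dynamic range is handled below


def is_rpc_port(port: int) -> bool:
    """True for the RPC endpoint mapper or the default dynamic RPC range."""
    return port in RPC_PORTS or 49152 <= port <= 65535


def parse_flow(line: str):
    """Parse one constructed flow record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "port": int(port), "proto": proto.upper()}
    except ValueError:
        return None


def find_outbound_bursts(lines, window_seconds=60, threshold=20):
    """Return sorted (dc, dst, port, count) tuples for every DC that opened
    at least `threshold` outbound LDAP/RPC connections to one dst:port within
    any `window_seconds` span. Inbound traffic to the DC is ignored."""
    buckets = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["src"] not in DOMAIN_CONTROLLERS:
            continue
        if f["port"] in LDAP_PORTS or is_rpc_port(f["port"]):
            buckets[(f["src"], f["dst"], f["port"])].append(f["ts"])

    alerts = []
    for key, stamps in buckets.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window over sorted timestamps: widest run within the window.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((*key, best))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample: a benign trickle, one burst from a DC, and
    ordinary inbound client traffic that must not trigger an alert."""
    lines = []
    base = datetime(2025, 8, 11, 9, 0, 0)
    # Benign: DC 10.0.0.10 talks to its peer DC every 10 seconds.
    for i in range(6):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.0.0.10 10.0.0.11 389 TCP")
    # Suspicious: DC 10.0.0.11 hits one external host on 389 every second.
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.11 203.0.113.5 389 TCP")
    # Inbound: a workstation querying the DC (source is not a DC).
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.1.50 10.0.0.10 389 TCP")
    return lines


if __name__ == "__main__":
    for dc, dst, port, count in find_outbound_bursts(build_sample_log()):
        print(f"ALERT: {dc} opened {count} outbound connections to {dst}:{port}")
```

The check keys on the source being a domain controller, so normal client-to-DC load never fires; only the DC acting as a client in volume does. Tune `threshold` and `window_seconds` against a baseline of your own replication and trust traffic before alerting on it.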
By applying updates and reducing exposure, organizations can prevent their domain controllers from being used in such large-scale attacks. Without these measures, vulnerable systems remain at risk of becoming unwilling participants in highly disruptive DDoS campaigns.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news