New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

The Hacker News by The Hacker News
August 10, 2025
Aug 10, 2025Ravie LakshmananVulnerability / Network Security

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world into a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks.

The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today.

“As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it,” Yair and Morag said in a report shared with The Hacker News.

“As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint.”

By turning DCs into DDoS bots without the need for code execution or credentials, the attack essentially makes the Windows platform both the victim and the weapon. The attack flow is as follows –

  • Attacker sends an RPC call to DCs that triggers them to become CLDAP clients
  • DCs send the CLDAP request to the attacker’s CLDAP server, which then returns a referral response that refers the DCs to the attacker’s LDAP server in order to switch from UDP to TCP
  • DCs then send the LDAP query to the attacker’s LDAP server over TCP
  • Attacker’s LDAP server responds with an LDAP referral response containing a long list of LDAP referral URLs, all of which point to a single port on a single IP address
  • DCs send an LDAP query on that port, causing whatever web server is listening there to close the TCP connection

“Once the TCP connection is aborted, the DCs continue to the next referral on the list, which points to the same server again,” the researchers said. “And this behavior repeats itself until all the URLs in the referral list are over, creating our innovative Win-DDoS attack technique.”

What makes Win-DDoS significant is that it offers high bandwidth and does not require the attacker to purchase dedicated infrastructure. Nor does it require them to breach any devices, which lets them fly under the radar.
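The flow above ends with a DC reconnecting to the same ip:port over and over as it walks the referral list, and that is also what a defender can look for: a DC should never be the LDAP client of anything outside the estate, and a burst of short-lived TCP connections from a DC to one external target is the footprint of referral chasing. The following Python detection is an added example for this article, not code from SafeBreach, Microsoft or The Hacker News; it assumes a constructed flow-record format, a known list of DC hostnames (`DOMAIN_CONTROLLERS`) and an internal address plan (`INTERNAL_NETS`).

```python
"""Detection over outbound flow records for DCs chasing LDAP referrals.

Added example for this article; not code from SafeBreach or Microsoft.
Assumptions: the flow-record format below is constructed, DOMAIN_CONTROLLERS
lists the DC hostnames you know, and INTERNAL_NETS is your own address plan.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DOMAIN_CONTROLLERS = {"dc01", "dc02"}          # assumed hostnames of the DCs
LDAP_PORTS = {389, 636, 3268, 3269}             # LDAP, LDAPS, global catalog
INTERNAL_NETS = [ip_network(n) for n in (       # assumed "inside" address space
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst_ip: str
    dst_port: int
    proto: str


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse constructed records: '<iso-timestamp> <src-host> <dst-ip>:<port> <proto>'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto = line.split()
        ip, port = dst.rsplit(":", 1)
        flows.append(Flow(datetime.fromisoformat(ts), src, ip, int(port), proto.lower()))
    return flows


def detect_external_ldap_clients(flows) -> set:
    """A DC should never be the *client* of an LDAP server outside the estate.
    Any such flow deserves an alert on its own, regardless of volume."""
    return {
        (f.src, f"{f.dst_ip}:{f.dst_port}")
        for f in flows
        if f.src in DOMAIN_CONTROLLERS and f.dst_port in LDAP_PORTS and is_external(f.dst_ip)
    }


def detect_referral_storms(flows, window=timedelta(seconds=10), threshold=20) -> list:
    """Flag a DC that opens >= threshold TCP connections to one external
    ip:port inside a sliding `window`. A long referral list whose entries all
    name the same target produces exactly this burst of short connections."""
    by_target = defaultdict(list)
    for f in flows:
        if f.src in DOMAIN_CONTROLLERS and f.proto == "tcp" and is_external(f.dst_ip):
            by_target[(f.src, f.dst_ip, f.dst_port)].append(f.ts)
    alerts = []
    for (src, ip, port), times in by_target.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"dc": src, "target": f"{ip}:{port}",
                           "peak_connections": peak, "window_s": window.total_seconds()})
    return alerts


def constructed_sample_log() -> str:
    """Constructed flow records: dc01 bursts at one external host, while dc02
    (internal replication) and app01 (ordinary web traffic) behave normally."""
    base = datetime(2025, 8, 10, 12, 0, 0)
    lines = []
    for i in range(30):   # dc01 -> one external ip:port, 30 connections in 6 s
        lines.append(f"{(base + timedelta(milliseconds=200 * i)).isoformat()} dc01 203.0.113.10:389 tcp")
    for i in range(3):    # dc02 -> internal DC, normal replication
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} dc02 10.0.0.5:389 tcp")
    for i in range(40):   # app01 is not a DC; its web traffic must not alert
        lines.append(f"{(base + timedelta(milliseconds=100 * i)).isoformat()} app01 198.51.100.7:443 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample_log())
    print("external LDAP clients:", detect_external_ldap_clients(flows))
    for alert in detect_referral_storms(flows):
        print("referral storm:", alert)
```

The two rules are deliberately independent: the first fires on a single flow because a DC acting as an LDAP client to the internet is abnormal on its own, while the second is volume-based and would also catch a referral chain that lands on a non-LDAP port, as the article's web-server case does.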

Further analysis of the LDAP client's referral handling revealed that sending lengthy referral lists to DCs can trigger an LSASS crash, a reboot, or a blue screen of death (BSoD): there is no limit on the size of a referral list, and referral entries are not released from the DC's heap memory until the requested information has been successfully retrieved.
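The root issue described here is a client that follows a referral list of any length and holds every entry until one of them succeeds. One way to bound that on the client side, written as an added Python illustration for this article rather than Windows's LDAP client or any Microsoft fix: read at most a fixed number of referrals per response, drop entries that repeat a host:port already seen in that response, and refuse targets outside the estate. The cap (`MAX_EXAMINED`), the allowed name suffix (`ALLOWED_SUFFIXES`) and the internal networks are assumptions for illustration.

```python
"""Bounded, deduplicated vetting of an LDAP referral list on the client side.

Added example for this article; it is not Windows's LDAP client code and not
SafeBreach's research code. MAX_EXAMINED, ALLOWED_SUFFIXES and INTERNAL_NETS
are assumed policy values chosen for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

MAX_EXAMINED = 16                              # assumed cap on referrals read per response
ALLOWED_SUFFIXES = (".corp.example",)          # assumed: hostnames the client may follow
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def referral_target(url: str):
    """Return (scheme, host, port) for an ldap:// or ldaps:// referral, else None."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:        # non-numeric or out-of-range port in the URL
        return None
    return parts.scheme, parts.hostname.lower(), port


def host_is_internal(host: str) -> bool:
    """IP literals must fall inside INTERNAL_NETS; names must carry an allowed suffix."""
    try:
        return any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:        # not an IP literal: fall back to the name allow-list
        return host.endswith(ALLOWED_SUFFIXES)


def vet_referral_list(urls, max_examined=MAX_EXAMINED):
    """Walk the referral list once, keeping state for at most `max_examined`
    entries. Returns (accepted_targets, rejection_counts) where the counts are
    keyed by reason: malformed, duplicate (host:port already seen in this
    response), external (host outside the estate), unread (beyond the cap)."""
    accepted, reasons, seen = [], Counter(), set()
    for index, url in enumerate(urls):
        if index >= max_examined:
            reasons["unread"] = len(urls) - index   # cap reached: stop, do not parse the rest
            break
        target = referral_target(url)
        if target is None:
            reasons["malformed"] += 1
            continue
        _, host, port = target
        if (host, port) in seen:
            reasons["duplicate"] += 1
            continue
        seen.add((host, port))
        if not host_is_internal(host):
            reasons["external"] += 1
            continue
        accepted.append(target)
    return accepted, dict(reasons)


if __name__ == "__main__":
    # Constructed inputs: a 500-entry list naming one external host:port, and a
    # short legitimate list with one duplicate and one non-LDAP URL.
    storm = ["ldap://203.0.113.10:80/dc=corp,dc=example"] * 500
    legit = ["ldap://dc02.corp.example/dc=corp,dc=example",
             "ldaps://10.0.0.5:636/dc=corp,dc=example",
             "ldap://dc02.corp.example:389/ou=users,dc=corp,dc=example",
             "http://203.0.113.10/"]
    print("storm:", vet_referral_list(storm))
    print("legit:", vet_referral_list(legit))
```

Ordering matters: the duplicate check runs before the locality check so that a repeated target costs one lookup rather than a full policy evaluation each time, and the cap is on entries examined, not entries accepted, because the memory cost the article describes is incurred by reading the list at all.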

On top of that, the transport-agnostic code that is executed to serve client requests has been found to harbor three new denial-of-service (DoS) vulnerabilities that can crash domain controllers without authentication, plus one additional DoS flaw that lets any authenticated user crash a domain controller or a domain-joined Windows computer.

The identified shortcomings are listed below –

  • CVE-2025-26673 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Lightweight Directory Access Protocol (LDAP) allows an unauthorized attacker to deny service over a network (Fixed in May 2025)
  • CVE-2025-32724 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network (Fixed in June 2025)
  • CVE-2025-49716 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network (Fixed in July 2025)
  • CVE-2025-49722 (CVSS score: 5.7) – Uncontrolled resource consumption in Windows Print Spooler Components allows an authorized attacker to deny service over an adjacent network (Fixed in July 2025)

Like the LDAPNightmare (CVE-2024-49113) vulnerability detailed earlier this January, the latest findings show that there exist blind spots in Windows that could be targeted and exploited, crippling business operations.

“The vulnerabilities we discovered are zero-click, unauthenticated vulnerabilities that allow attackers to crash these systems remotely if they are publicly accessible, and also show how attackers with minimal access to an internal network can trigger the same outcomes against private infrastructure,” the researchers said.

“Our findings break common assumptions in enterprise threat modeling: that DoS risks only apply to public services, and that internal systems are safe from abuse unless fully compromised. The implications for enterprise resilience, risk modeling, and defense strategies are significant.”