SafeBreach Labs researchers have uncovered a new class of denial-of-service (DoS) vulnerabilities in Microsoft Windows that could enable attackers to weaponize critical infrastructure — without ever breaching a single device. Their findings, published in a recent report, reveal “zero-click, unauthenticated vulnerabilities that allow attackers to crash these systems remotely if they are publicly accessible”, breaking long-held assumptions about enterprise DoS risks.
This latest research builds on SafeBreach’s earlier work on LDAPNightmare (CVE-2024-49113), a flaw discovered by Yuki Chen that allowed attackers to crash unpatched domain controllers (DCs) without authentication. The team realized that “DCs are a key component in most organizations’ Active Directory network — denying service of a DC… could have the potential to completely halt the operations of a victim organization.”
By probing deeper into Windows’ LDAP client code, SafeBreach discovered a novel amplification technique dubbed Win-DDoS. This attack manipulates the LDAP referral process to turn tens of thousands of publicly accessible DCs into a high-bandwidth botnet — all without malware, purchased infrastructure, or a detectable footprint.
“We were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world… all without leaving a traceable footprint,” the report states.
The research targeted two major “blind spots” in Windows code:
- Client-side code — where servers implicitly trust responses from any server they are directed to.
- Transport-agnostic wrapped server code — where developers rely on frameworks like RPC that abstract away networking, often omitting safeguards against classic server risks.
By chaining these weaknesses, the team developed several attacks, including:
- CVE-2025-32724 — Referral Overflow: Massive LDAP referral lists cause LSASS to crash, forcing a reboot or BSOD.
- CVE-2025-49716 — NetLogon RPC Abuse: Using a “stateless RPC” technique to rapidly exhaust memory on DCs.
- CVE-2025-26673 — TorpeDoS: A single machine can simulate a DDoS flood by pre-binding thousands of RPC sessions.
- CVE-2025-49722 — SpoolSV Printer Enumeration: An authenticated attack that can crash every Windows machine in a domain.
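The two "blind spots" above come down to one client-side habit: a server acting as an LDAP client follows referrals to whatever host the response names, with no bound on how many it accepts. The following is an added example written for this article, not SafeBreach's or Microsoft's code, showing how a defensively written client would gate referrals before following them: it caps the referral list size per response, caps chained hops, and refuses referral hosts outside an allowlist of the organisation's own DNS suffixes. The limits, the `corp.example` suffix and the referral URLs are constructed for illustration.

```python
"""
Added defensive example (not the report's or Windows' code): an LDAP client
referral policy that refuses oversized referral lists, chained referral
loops, and referrals pointing outside the organisation's own forest.
All limits, suffixes and URLs below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_REFERRALS_PER_RESPONSE = 10       # assumption: bound on referral list size
MAX_HOPS = 3                          # assumption: bound on chained referrals
TRUSTED_SUFFIXES = ("corp.example",)  # constructed allowlist of forest DNS suffixes


@dataclass
class ReferralDecision:
    """Which referral URLs the client will follow, and why the rest were dropped."""
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # url -> reason


def _parse_referral(url):
    """Return (hostname, None) for a usable ldap/ldaps URL, else (None, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return None, "unsupported scheme"
    if not parts.hostname:
        return None, "missing host"
    return parts.hostname.lower(), None


def _is_trusted_host(host):
    """True only for hosts equal to, or beneath, an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def filter_referrals(referrals, hop):
    """Decide which referral URLs from one server response may be followed.

    referrals: list of referral URL strings taken from the response
    hop:       number of referrals already followed for this query
    """
    decision = ReferralDecision()

    # Chained referrals are bounded so a cooperating set of servers cannot
    # keep the client chasing referrals indefinitely.
    if hop >= MAX_HOPS:
        for url in referrals:
            decision.rejected[url] = "hop limit reached"
        return decision

    # An oversized referral list is treated as hostile as a whole: none of it
    # is processed, so memory and work per response stay bounded.
    if len(referrals) > MAX_REFERRALS_PER_RESPONSE:
        for url in referrals:
            decision.rejected[url] = "referral list too large"
        return decision

    for url in referrals:
        host, err = _parse_referral(url)
        if err:
            decision.rejected[url] = err
            continue
        if not _is_trusted_host(host):
            decision.rejected[url] = "host not in trusted forest"
            continue
        decision.accepted.append(url)
    return decision


if __name__ == "__main__":
    # Constructed sample response: one in-forest referral, one foreign host,
    # one non-LDAP scheme.
    sample = [
        "ldap://dc1.corp.example/DC=corp,DC=example",
        "ldap://referral.invalid/DC=other",
        "http://dc1.corp.example/",
    ]
    result = filter_referrals(sample, hop=0)
    print("follow:", result.accepted)
    print("drop:  ", result.rejected)
```

The design choice worth noting is that an oversized list is rejected outright rather than truncated: truncating still spends parsing effort proportional to the attacker-controlled length, while a hard refusal keeps the cost per response constant. A real client would also apply a timeout and a byte-size cap on the response before it ever reaches this function.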
Perhaps the most alarming takeaway is that attackers can “manipulate the Windows platform itself into becoming both the victim and the weapon” — for example, by making DCs in one country flood targets in another, potentially to frame a government.
The Win-DDoS technique is particularly dangerous because it:
- Uses existing, legitimate infrastructure (public DCs).
- Requires no compromise of bots.
- Can be executed with a single command.
- Delivers massive bandwidth potential.
SafeBreach Labs published the proof-of-concept exploit code for these flaws.