Ddos 
A newly disclosed denial-of-service (DoS) vulnerability in Windows Deployment Services (WDS) threatens enterprise networks with remote, unauthenticated crashes, according to a detailed technical analysis by security researcher Zhiniang Peng. The flaw, uncovered in early 2025 and responsibly disclosed to Microsoft, enables attackers to exhaust system memory using spoofed UDP packets, causing the server to become completely unresponsive within minutes—without any authentication or user interaction.
“We demonstrate an remote DoS in WDS, which attacker can crash your WDS network without authentication (preauth) or user interaction (0-click),” Peng explains in his report.
At the root of the issue lies WDS’s use of a UDP-based TFTP service (port 69) for delivering Windows installation images over PXE boot. When a client contacts the server, WDS allocates a CTftpSession object. However, there’s no limit on the number of sessions that can be created.
“The core issue is that EndpointSessionMapEntry imposes no limit on the number of sessions,” the report states. “An attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted.”
In a test environment running Windows Server Insider Preview with 8GB of RAM, Peng was able to crash the entire system within 7 minutes, simply by sending a flood of spoofed UDP packets with randomized source addresses and ports.
Peng outlines a simple attack strategy that requires:
- Spoofing UDP packets with random source IPs and ports.
- Sending the packets to the target WDS server on port 69.
- Allowing WDS to create and store unlimited session objects in memory.
Although Peng only provides pseudocode for ethical reasons, the exploit technique is trivial to implement, requiring only basic scripting on an attacker machine running Ubuntu or similar OS.
The bug was reported to Microsoft on February 8, 2025, and acknowledged by March 4, 2025. However, Microsoft later declined to patch the issue, stating on April 23 that it “doesn’t meet the bar for security service.”
Peng sharply criticizes the decision: “We consider it remains an important DoS vulnerability in their SDL bar and we feel really bad when communicating with Microsoft on this case.”
He emphasizes that this is a zero-click attack that can remotely paralyze PXE-based deployment infrastructure, making it a critical issue for any organization relying on WDS.
Because Microsoft has not issued a fix, Peng provides a clear-cut recommendation: “To save your PXE network from this threat, do not use Windows Deployment Service.”