{"id":14598,"date":"2025-08-11T12:06:25","date_gmt":"2025-08-11T12:06:25","guid":{"rendered":"https:\/\/newestek.com\/?p=14598"},"modified":"2025-08-11T12:06:25","modified_gmt":"2025-08-11T12:06:25","slug":"win-ddos-researchers-unveil-botnet-technique-exploiting-windows-domain-controllers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14598","title":{"rendered":"\u2018Win-DDoS\u2019: Researchers unveil botnet technique exploiting Windows domain controllers"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>At DEF CON 33, SafeBreach researchers demonstrated a novel distributed denial-of-service (DDoS) technique that turns Windows domain controllers (DCs) into traffic sources, along with a set of zero-click denial-of-service vulnerabilities in Windows services.<\/p>\n<p>Dubbed \u201cWin-DDoS,\u201d the technique coerces internet-exposed DCs, via the remote procedure call (RPC) framework and LDAP referrals, into flooding a target of the attacker\u2019s choosing; the accompanying vulnerabilities let an attacker remotely crash DCs or other Windows endpoints on internal networks.<\/p>\n<p>\u201cWe discovered a novel DDoS technique that could be used to create a malicious botnet leveraging public DCs, three new DoS vulnerabilities that provide the ability to crash DCs without the need for authentication, and one new DoS vulnerability that provides any authenticated user with the ability to crash any DC or Windows computer in a domain,\u201d SafeBreach researchers said in a blog post.<\/p>\n<p>The discovery grew out of follow-up research on an earlier Windows Lightweight Directory Access Protocol (LDAP) denial-of-service vulnerability, LDAPNightmare (CVE-2024-49113), for which SafeBreach Labs had released the first public PoC exploit in January 2025.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attackers-can-target-client-side-blind-spots\">Attackers can target 
client-side blind spots<\/h2>\n<p>Demonstrating how the implicit trust built into client-side code can be abused, Win-DDoS manipulates the LDAP referral mechanism so that a DC keeps sending LDAP requests to a target the attacker chooses, flooding that target with traffic it never asked for.<\/p>\n<p>According to the <a href=\"https:\/\/www.safebreach.com\/blog\/win-dos-epidemic-abusing-rpc-for-dos-and-ddos\/\" target=\"_blank\" rel=\"noreferrer noopener\">researchers<\/a>, the blind spot lies in what they call Client code: the logic in a DC (or any Windows host) that acts as a client when it follows LDAP referrals or makes outbound RPC calls.<\/p>\n<p>\u201cClient code expects that the server was chosen by the client and, thus, the server and the information that it returns is usually trusted,\u201d researchers said. \u201cTherefore, if Client code can be remotely triggered to interact with an attacker-controlled server, then we have remote Client code that trusts us more than remote server code probably would.\u201d<\/p>\n<p>Building on the LDAPNightmare trigger path (CVE-2024-49113), in which a remote RPC call makes a DC reach out to an attacker-controlled LDAP server, the researchers developed Win-DDoS, which could coerce tens of thousands of internet-exposed DCs around the world into a botnet with \u2018vast resources and upload rates\u2019 without having to compromise any of them.<\/p>\n<p>Additionally, the LDAP Client code\u2019s referral handling imposed no limit on the size of a referral list and freed the associated memory only once the whole list had been processed (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-32724\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-32724<\/a>), so an unauthenticated attacker could return an oversized list that crashed the Local Security Authority Subsystem Service (LSASS); because LSASS is a critical process, the crash takes the host down with a blue screen of death (BSOD), a full denial of service.<\/p>\n<h2 class=\"wp-block-heading\">Research revealed more DoS flaws<\/h2>\n<p>SafeBreach researchers also reported <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-26673\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-26673<\/a>, an LDAP denial-of-service flaw that a remote attacker can trigger with crafted LDAP traffic without authentication, and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49716\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-49716<\/a> in the DC\u2019s Netlogon service, where crafted RPC calls crash the service remotely, again without authentication. Either flaw knocks out a core Windows authentication component, potentially locking users out of domain resources until the DC is restarted.<\/p>\n<p>Rounding out SafeBreach\u2019s list is <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49722\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-49722<\/a>, a DoS flaw in Windows Print Spooler. 
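<\/p>
<p>The coerced-client behaviour described above leaves a distinctive trace on the network: a DC, which should only initiate LDAP connections toward other DCs, starts opening LDAP sessions to hosts nobody configured, often many of them to one destination within a few seconds as it works through a referral list. The detector below is an added example written for this page, not code from SafeBreach or from the article. It runs over a few constructed flow-log lines and raises two kinds of alert: a DC acting as an LDAP client toward a non-DC (internal or external), and a burst of DC-originated connections to a single destination on any port, since a referral URL can name any port. The log format, the DC list, the internal address ranges and the thresholds are assumptions made for the example.<\/p>

```python
"""Flag domain controllers that are acting as unexpected LDAP clients.

Added example, not code from SafeBreach or the article. Log line format,
DC list, internal ranges and thresholds are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: the forest's DCs, i.e. the only hosts a DC should contact over
# LDAP on its own initiative (replication partners, GC lookups).
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Assumed internal address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# LDAP, LDAPS, Global Catalog, Global Catalog over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Assumed thresholds: this many DC-originated connections to one host inside
# one window is the shape of a referral list being chased, not replication.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=10)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(ip: str) -> bool:
    """True if ip falls inside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow | None:
    """Parse one constructed flow-log line of the form
    '<ISO timestamp> <proto> <src>:<sport> -> <dst>:<dport>'.
    Malformed lines yield None instead of raising, so one bad record
    cannot stall the detector."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src, _ = parts[2].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        ipaddress.ip_address(src)   # validate both addresses
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), parts[1].upper())
    except ValueError:
        return None


def detect(lines: list[str]) -> list[tuple[str, Flow]]:
    """Return (reason, flow) alerts for DC-originated flows that look like
    coerced LDAP client activity. Only the DC-as-client direction matters."""
    alerts: list[tuple[str, Flow]] = []
    recent: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.src not in KNOWN_DCS:
            continue
        if flow.dst in KNOWN_DCS:
            continue  # DC-to-DC traffic is expected
        if flow.dport in LDAP_PORTS:
            reason = ("dc_ldap_client_to_non_dc" if is_internal(flow.dst)
                      else "dc_ldap_client_to_external")
            alerts.append((reason, flow))
        # Burst rule is port-agnostic: a referral URL can name any port.
        window = recent[(flow.src, flow.dst)]
        window.append(flow.ts)
        while window and flow.ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_THRESHOLD:   # alert once per crossing
            alerts.append(("dc_outbound_burst", flow))
    return alerts


# Constructed sample: two normal DC-to-DC flows, then DC 10.0.0.10 chasing
# referrals to one internal victim (mixed ports) and one external host.
SAMPLE_LOG = """\
2025-08-11T12:00:00 TCP 10.0.0.10:50001 -> 10.0.0.11:389
2025-08-11T12:00:01 TCP 10.0.0.11:50002 -> 10.0.0.10:3268
2025-08-11T12:00:05 TCP 10.0.0.10:50003 -> 10.0.5.20:389
2025-08-11T12:00:05 TCP 10.0.0.10:50004 -> 10.0.5.20:389
2025-08-11T12:00:06 TCP 10.0.0.10:50005 -> 10.0.5.20:8080
2025-08-11T12:00:06 TCP 10.0.0.10:50006 -> 10.0.5.20:8080
2025-08-11T12:00:07 TCP 10.0.0.10:50007 -> 10.0.5.20:389
2025-08-11T12:00:09 TCP 10.0.0.10:50008 -> 203.0.113.7:389
this line is garbage and must not crash the parser
""".splitlines()


def alert_reasons(lines: list[str] = SAMPLE_LOG) -> list[str]:
    """Convenience wrapper returning only the alert reasons, in order."""
    return [reason for reason, _ in detect(lines)]


if __name__ == "__main__":
    for reason, flow in detect(SAMPLE_LOG):
        print(f"{flow.ts.isoformat()} {reason}: "
              f"{flow.src} -> {flow.dst}:{flow.dport}")
```

<p>In a real deployment the same two rules would be fed from firewall or NetFlow exports and the known-DC set pulled from Active Directory rather than hard-coded. The burst rule is deliberately port-agnostic so that a referral list pointing at an unusual port is still caught, and any LDAP connection a DC opens toward a public address deserves a look on its own.<\/p>
<p>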
CVE-2025-49722 is the one flaw in the set that requires authentication: a domain user who sends malformed RPC requests to the spooler can crash it, interrupting printing, and it is the bug SafeBreach describes as letting any authenticated user crash any DC or Windows computer in a domain.<\/p>\n<p>All of the reported flaws now have fixes. Microsoft patched LDAPNightmare (CVE-2024-49113) in its <a href=\"https:\/\/www.tenable.com\/blog\/microsofts-december-2024-patch-tuesday-addresses-70-cves-cve-2024-49138\" target=\"_blank\" rel=\"noreferrer noopener\">December 2024<\/a> Patch Tuesday release and CVE-2025-26673 in <a href=\"https:\/\/www.tenable.com\/blog\/microsofts-april-2025-patch-tuesday-addresses-121-cves-cve-2025-29824\" target=\"_blank\" rel=\"noreferrer noopener\">April 2025<\/a>; CVE-2025-32724 followed in June 2025, and CVE-2025-49716 and CVE-2025-49722 in July 2025. Microsoft did not immediately respond to CSO\u2019s request for comment. To defend against Win-DDoS and the related DoS flaws, SafeBreach urges applying Microsoft\u2019s latest patches, keeping DC services off the internet wherever possible, segmenting critical systems, and monitoring for unusual LDAP or RPC traffic, in particular LDAP connections that a DC itself initiates toward hosts that are not DCs, so that an attack is detected early.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>At DEF CON 33, SafeBreach researchers demonstrated a novel distributed denial-of-service (DDoS) technique that turns Windows domain controllers (DCs) into traffic sources, along with a set of zero-click denial-of-service vulnerabilities in Windows services. Dubbed \u201cWin-DDoS,\u201d the technique coerces internet-exposed DCs, via the remote procedure call (RPC) framework and LDAP referrals, into flooding a target of the attacker\u2019s choosing; the accompanying vulnerabilities let an attacker remotely crash DCs or other Windows endpoints on internal networks. 
\u201cWe discovered a novel DDoS technique that could be used to create a&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14598\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14598","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14598"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14598\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}