At the DEF CON 33 security conference in Las Vegas, researchers Yair and Shahak Morag from SafeBreach Labs introduced a concerning new category of denial-of-service (DoS) attacks, which they have named the “Win-DoS Epidemic.” Their research uncovered four new Windows DoS vulnerabilities and one zero-click distributed denial-of-service (DDoS) flaw.
The vulnerabilities identified fall under the classification of “uncontrolled resource consumption” and include:
- CVE-2025-26673 (CVSS 7.5): A high-severity DoS vulnerability in Windows LDAP.
- CVE-2025-32724 (CVSS 7.5): A high-severity DoS vulnerability in Windows LSASS.
- CVE-2025-49716 (CVSS 7.5): A high-severity DoS vulnerability in Windows Netlogon.
- CVE-2025-49722 (CVSS 5.7): A medium-severity DoS vulnerability in the Windows Print Spooler, necessitating an authenticated attacker on an adjacent network.
The implications of these findings are significant, as they demonstrate how attackers can incapacitate any Windows endpoint or server, including critical Domain Controllers (DCs). This capability could potentially allow for the weaponization of public DCs, creating a vast DDoS botnet.
The Dangers of DoS on Domain Controllers
Domain Controllers serve as the backbone of most organizational networks, managing user authentication and centralizing resource management. A successful DoS attack on a DC can effectively paralyze an organization, obstructing user logins, resource access, and daily operations.
This research builds upon the team’s earlier discovery of the LdapNightmare vulnerability (CVE-2024-49113), which was the first publicly known DoS exploit for a Windows DC. The current findings expand this threat, moving beyond LDAP to exploit additional core Windows services.
A New Botnet Harnessing Public Infrastructure
One of the most alarming revelations is a novel DDoS technique termed Win-DDoS. This method exploits a flaw in the Windows LDAP client’s referral process. Typically, an LDAP referral directs a client to another server to fulfill a request. However, Yair and Morag discovered that by manipulating this process, they could redirect DCs to a victim server, enabling the DCs to continuously repeat this redirection.
This behavior allows an attacker to leverage the considerable power of tens of thousands of public DCs worldwide, transforming them into a massive, free, and untraceable DDoS botnet. Notably, this attack requires no specialized infrastructure and leaves no forensic trail, as the malicious activity originates from the compromised DCs rather than the attacker’s machine. This marks a significant evolution in DDoS attacks, facilitating high-bandwidth, high-volume assaults without the usual costs or risks associated with maintaining a botnet.
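The amplification described above depends on a client that keeps chasing LDAP referrals wherever they point. The following Python simulation, added here as an illustration and not code from SafeBreach, Microsoft or the original article, shows the defensive counterpart: a referral chaser that refuses loops, refuses referrals to hosts outside a trusted DNS suffix, and caps the number of hops it will follow. The hostnames, the `corp.example` suffix, the hop limit and the "directory" responses are all constructed; no real LDAP traffic is sent.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed simulation of LDAP referral chasing. A "directory" maps a server
# hostname to its response: either a result payload (str) or a list of referral
# URLs, mirroring the shape of an LDAP Referral response. All hosts are made up.

TRUSTED_SUFFIXES = ("corp.example",)   # assumed forest DNS suffix (hypothetical)
MAX_REFERRAL_HOPS = 3                  # assumed policy: follow at most 3 referrals


@dataclass
class ChaseResult:
    outcome: str                                # "resolved" or "refused"
    reason: str                                 # result payload or why chasing stopped
    hops: list = field(default_factory=list)    # hosts contacted, in order


def parse_referral(url: str) -> tuple[str, int]:
    """Extract (host, port) from an LDAP referral URL such as
    ldap://dc2.corp.example:389/DC=corp,DC=example."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError(f"not an LDAP referral URL: {url!r}")
    default_port = 636 if parsed.scheme == "ldaps" else 389
    return parsed.hostname.lower(), parsed.port or default_port


def host_is_trusted(host: str) -> bool:
    """Only follow referrals that stay inside the trusted DNS suffixes."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def chase_referrals(directory: dict, start_host: str) -> ChaseResult:
    """Follow referrals from start_host, stopping on loops, untrusted hosts
    and chains longer than MAX_REFERRAL_HOPS."""
    visited = []
    referrals_followed = 0
    host = start_host
    while True:
        if not host_is_trusted(host):
            return ChaseResult("refused", f"referral to untrusted host {host}", visited)
        if host in visited:
            return ChaseResult("refused", f"referral loop back to {host}", visited)
        visited.append(host)
        response = directory.get(host)
        if response is None:
            return ChaseResult("refused", f"no response from {host}", visited)
        if isinstance(response, str):
            return ChaseResult("resolved", response, visited)
        # Referral response: a naive client would follow it unconditionally.
        if referrals_followed >= MAX_REFERRAL_HOPS:
            return ChaseResult("refused", "referral hop limit exceeded", visited)
        referrals_followed += 1
        host, _port = parse_referral(response[0])


# Constructed scenarios.
BENIGN_CHAIN = {
    "dc1.corp.example": ["ldap://dc2.corp.example/DC=corp,DC=example"],
    "dc2.corp.example": "result: 3 entries",
}
REFERRAL_LOOP = {
    "dc1.corp.example": ["ldap://dc2.corp.example/DC=corp,DC=example"],
    "dc2.corp.example": ["ldap://dc1.corp.example/DC=corp,DC=example"],
}
EXTERNAL_REDIRECT = {
    # a referral pointing outside the forest, at a host we do not control
    "dc1.corp.example": ["ldap://victim.example.net:389/DC=victim,DC=example,DC=net"],
}
LONG_CHAIN = {
    "dc1.corp.example": ["ldap://dc2.corp.example/DC=corp,DC=example"],
    "dc2.corp.example": ["ldap://dc3.corp.example/DC=corp,DC=example"],
    "dc3.corp.example": ["ldap://dc4.corp.example/DC=corp,DC=example"],
    "dc4.corp.example": ["ldap://dc5.corp.example/DC=corp,DC=example"],
    "dc5.corp.example": "result: 1 entry",
}

if __name__ == "__main__":
    for name, scenario in [("benign", BENIGN_CHAIN), ("loop", REFERRAL_LOOP),
                           ("external", EXTERNAL_REDIRECT), ("long", LONG_CHAIN)]:
        r = chase_referrals(scenario, "dc1.corp.example")
        print(f"{name:9s} {r.outcome:8s} {r.reason} via {r.hops}")
```

The three refusals are the controls a defender wants from any referral-chasing client or from a DC acting as one: a loop detector, so two servers pointing at each other cannot keep a client bouncing between them; a trust boundary on the referral target, so a referral cannot steer traffic at an arbitrary external host; and a hop limit as a backstop when the other two are somehow bypassed.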
Abusing RPC for System Crashes
In addition to the DDoS botnet, the researchers examined the Remote Procedure Call (RPC) protocol, a fundamental component of Windows for inter-process communication. RPC servers are prevalent in the Windows environment and often present extensive attack surfaces, particularly those that do not require authentication.
The SafeBreach team found that by exploiting security gaps in RPC bindings, they could repeatedly target the same RPC server from a single system, effectively bypassing standard concurrency limits. This approach led to the identification of three new zero-click, unauthenticated DoS vulnerabilities capable of crashing any Windows system, whether servers or endpoints. Additionally, they uncovered another DoS flaw that can be exploited by any authenticated user on the network.
These vulnerabilities challenge the common assumption that internal systems are inherently safe from abuse without a full compromise, illustrating that even minimal access to a network can result in widespread operational failure.
The researchers have made available a suite of tools, collectively named “Win-DoS Epidemic,” designed to exploit these five new vulnerabilities. These tools can remotely crash any unpatched Windows endpoint or server or orchestrate a Win-DDoS botnet using public DCs. The findings emphasize the urgent need for organizations to reevaluate their threat models and security measures, particularly concerning internal systems and services like DCs. While Microsoft has issued patches for the LdapNightmare vulnerability, the new discoveries underscore the ongoing necessity for vigilance and continuous security validation.