Silent Cyber Weapon Discovered: Hackers Can Now Turn Your Windows Server into a DDoS Weapon

A newly unveiled attack method, known as Win-DDoS, has the potential to transform thousands of publicly accessible Windows domain controllers (DCs) into a formidable botnet, capable of executing extensive distributed denial-of-service (DDoS) attacks. This alarming discovery was shared by SafeBreach researchers Or Yair and Shahak Morag during their presentation at the DEF CON 33 security conference.

A New Class of Weaponized Domain Controllers

By taking advantage of vulnerabilities within Windows’ Lightweight Directory Access Protocol (LDAP) client code, cybercriminals can manipulate URL referrals. This manipulation allows them to redirect traffic from compromised DCs to a target server, inundating it with overwhelming traffic. Notably, this method does not necessitate the execution of malicious code or the acquisition of stolen credentials, enabling attackers to operate discreetly and without leaving a trace.

The Win-DDoS attack chain unfolds in a series of methodical steps:

  1. The attacker initiates an RPC request to the DCs, prompting them to function as CLDAP clients.
  2. These clients then connect to the attacker’s CLDAP server, which provides a referral to an LDAP server under the attacker’s control.
  3. The LDAP server responds with a comprehensive referral list, all directing to a single IP and port.
  4. Each referral causes the DC to open repeated TCP connections to the victim, ultimately exhausting its resources.

Researchers caution that the high bandwidth potential of this technique, coupled with the absence of compromised infrastructure, renders it a stealthy yet powerful cyber weapon.
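As an added defensive illustration (not part of the SafeBreach research or this article): the observable side effect of a DC caught in the referral loop above is a burst of outbound TCP connections from that DC to a single IP:port, so a detector can flag it from ordinary connection logs. The log format, host addresses, window and threshold below are constructed assumptions.

```python
# Added example: flag a domain controller that opens an abnormal number of
# outbound TCP connections to one IP:port inside a short sliding window.
# Log line format is constructed: "<ISO time> <src_ip> <dst_ip>:<dst_port>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 is a DC. It bursts 5 connections to
# 203.0.113.9:443 in two seconds, talks slowly to 198.51.100.4:80 once a
# minute, and replicates normally with 10.0.0.20:389.
SAMPLE_LOG = """\
2025-08-10T12:00:00 10.0.0.5 10.0.0.20:389
2025-08-10T12:00:01 10.0.0.5 203.0.113.9:443
2025-08-10T12:00:01 10.0.0.5 203.0.113.9:443
2025-08-10T12:00:02 10.0.0.5 203.0.113.9:443
2025-08-10T12:00:02 10.0.0.5 203.0.113.9:443
2025-08-10T12:00:03 10.0.0.5 203.0.113.9:443
2025-08-10T12:00:10 10.0.0.5 198.51.100.4:80
2025-08-10T12:01:10 10.0.0.5 198.51.100.4:80
2025-08-10T12:02:10 10.0.0.5 198.51.100.4:80
2025-08-10T12:03:10 10.0.0.5 198.51.100.4:80
2025-08-10T12:04:10 10.0.0.5 198.51.100.4:80
2025-08-10T12:04:11 10.0.0.5 10.0.0.20:389
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, (dst_ip, dst_port))."""
    ts, src, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, (ip, int(port))

def find_flood_targets(log_text, dc_ips, threshold=5, window=timedelta(seconds=10)):
    """Return {(dc_ip, (dst_ip, port)): peak_count} for every destination a
    DC contacted at least `threshold` times within any sliding `window`.
    Non-DC sources are ignored; the caller supplies the set of DC addresses."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            if src in dc_ips:
                events[(src, dst)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[key] = max(alerts.get(key, 0), hits)
    return alerts
```

Only the burst to 203.0.113.9:443 is reported with the default 10-second window; widening the window to five minutes also surfaces the slow stream to 198.51.100.4:80, which shows why the window must be tuned against the DC's normal replication and referral traffic.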

Critical CVEs and DoS Vulnerabilities

In response to these vulnerabilities, Microsoft has issued patches for four related issues:

  • CVE-2025-26673 – LDAP uncontrolled resource consumption (CVSS 7.5)
  • CVE-2025-32724 – LSASS uncontrolled resource consumption (CVSS 7.5)
  • CVE-2025-49716 – Netlogon uncontrolled resource consumption (CVSS 7.5)
  • CVE-2025-49722 – Print Spooler uncontrolled resource consumption (CVSS 5.7)

These vulnerabilities enable unauthenticated attackers to remotely crash domain controllers, or allow authenticated users to disrupt systems on internal networks. SafeBreach has drawn parallels between these flaws and the LDAPNightmare vulnerability (CVE-2024-49113), highlighting that enterprise security models frequently underestimate the risks posed by denial-of-service attacks targeting internal infrastructure.

The findings emphasize an urgent need for organizations to conduct thorough audits of domain controller exposure, implement the latest security patches, and reevaluate their assumptions regarding the safety of internal networks.
