Win-DDoS: Attackers can turn public domain controllers into DDoS agents

SafeBreach researchers have unveiled critical vulnerabilities that pose significant risks to Windows Active Directory domain controllers (DCs). Among these vulnerabilities, CVE-2025-32724 stands out, as it can be exploited to compel public DCs to engage in distributed denial-of-service (DDoS) attacks. This new method, termed Win-DDoS, relies on the attackers’ capacity to deceive public DCs into connecting to a Lightweight Directory Access Protocol (LDAP) server they control, instructing these DCs on which target server to inundate with requests.

CVE-2025-32724 and the Win-DDoS technique

Domain controllers serve as the backbone of security, authentication, and access control within a network domain. While alternatives exist, most organizations predominantly utilize Windows Server machines running Active Directory Domain Services (AD DS) for this purpose.

Building on their previous work regarding the LDAPNightmare vulnerability (CVE-2024-49113), the researchers have identified several similar denial-of-service vulnerabilities within Windows Server and Windows:

  • CVE-2025-32724: This vulnerability allows for uncontrolled resource consumption in the Windows Local Security Authority Subsystem Service (LSASS), enabling attackers to either DoS a vulnerable, internet-exposed server or force it into a Win-DDoS attack.
  • CVE-2025-26673 and CVE-2025-49716: Both of these vulnerabilities permit uncontrolled resource consumption in Windows LDAP and Windows Netlogon, respectively, making them potential tools for DoS attacks against vulnerable DCs.
  • CVE-2025-49722: This vulnerability allows for uncontrolled resource consumption in Windows Print Spooler Components, which can lead to crashes of DCs and other Windows machines within a domain.

The first three vulnerabilities can be triggered remotely by unauthenticated attackers, while the last one requires limited privileges—any user account will suffice for authentication.

The researchers emphasized, “The vulnerabilities we discovered are zero-click, unauthenticated vulnerabilities that allow attackers to crash these systems remotely if they are publicly accessible. They also demonstrate how attackers with minimal access to an internal network can trigger similar outcomes against private infrastructure.” They further noted, “Our findings challenge common assumptions in enterprise threat modeling: that DoS risks are confined to public services and that internal systems remain safe from abuse unless fully compromised. The implications for enterprise resilience, risk modeling, and defense strategies are profound.”

With Win-DDoS, attackers can weaponize the Windows platform without breaching systems, executing code, or holding valid credentials. The attack unfolds as follows:

  • Attackers send a specially crafted RPC call to internet-reachable DCs, converting them into CLDAP clients that connect to the attackers’ CLDAP server.
  • The CLDAP server responds with an LDAP referral, directing the DC to contact the attacker’s LDAP/TCP server next.
  • The LDAP/TCP server then provides a referral list containing thousands of LDAP URLs that resolve to the same victim IP and port.

The researchers elaborated, “The DCs then send an LDAP query to that port, which could be a web server’s port. Since web servers do not expect LDAP packets, which are invalid HTTP packets, most simply terminate the TCP connection. Once the connection is aborted, the DCs proceed to the next referral on the list, which points back to the same server. This cycle continues until all URLs in the referral list are exhausted, culminating in our innovative Win-DDoS attack technique.”
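The attack chain above leaves two traffic signatures a defender can look for: a domain controller acting as an LDAP/CLDAP client toward a host that is not a DC, and a burst of short-lived outbound TCP connections from that DC to one destination port, each torn down by the peer. The following Python detector, an added example that is not SafeBreach's or the article's own code, applies both heuristics to constructed flow records (the hosts, ports and thresholds are assumptions for the sample).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (ts,src,dst,dport,proto,state), not from the page:
# 10.0.0.5/10.0.0.6 are DCs, 203.0.113.7 stands in for the attacker's CLDAP/LDAP
# server and 198.51.100.20:443 for the web server that receives the referral flood.
DCS = {"10.0.0.5", "10.0.0.6"}
LDAP_PORTS = {389, 636, 3268, 3269}
_T0 = datetime(2025, 8, 8, 10, 0, 0)
SAMPLE_FLOWS = [
    f"{_T0.isoformat()}Z,10.0.0.5,10.0.0.6,389,tcp,closed",      # DC to DC: benign
    f"{_T0.isoformat()}Z,10.0.0.5,203.0.113.7,389,udp,closed",    # CLDAP to attacker
    f"{(_T0 + timedelta(seconds=1)).isoformat()}Z,10.0.0.5,203.0.113.7,389,tcp,closed",
] + [  # the DC chasing the referral list: 30 connections the victim resets in turn
    f"{(_T0 + timedelta(seconds=2 + i)).isoformat()}Z,10.0.0.5,198.51.100.20,443,tcp,rst"
    for i in range(30)
]

def parse_flows(lines):
    """Parse one CSV flow record per line into dicts with a datetime timestamp."""
    flows = []
    for line in lines:
        ts, src, dst, dport, proto, state = line.strip().split(",")
        flows.append({"ts": datetime.fromisoformat(ts.rstrip("Z")), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto, "state": state})
    return flows

def detect_win_ddos(flows, dcs, window=timedelta(seconds=60), min_conns=20):
    """Return sorted (kind, src, dst, dport) alerts for two Win-DDoS indicators:
    dc_ldap_client_to_non_dc: a DC originating LDAP/CLDAP toward a non-DC host;
    referral_flood: >= min_conns outbound TCP connections from one DC to one
    dst:port within `window`, all ended by the peer (state rst/closed)."""
    alerts, bursts = set(), defaultdict(list)
    for f in flows:
        if f["src"] not in dcs:
            continue
        if f["dport"] in LDAP_PORTS and f["dst"] not in dcs:
            alerts.add(("dc_ldap_client_to_non_dc", f["src"], f["dst"], f["dport"]))
        if f["proto"] == "tcp" and f["state"] in {"rst", "closed"}:
            bursts[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    for (src, dst, dport), times in bursts.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each start
            if sum(1 for t in times[i:] if t - start <= window) >= min_conns:
                alerts.add(("referral_flood", src, dst, dport))
                break
    return sorted(alerts)

def run_sample():
    return detect_win_ddos(parse_flows(SAMPLE_FLOWS), DCS)
```

On the sample the first heuristic fires on the CLDAP/LDAP exchange with 203.0.113.7 and the second on the 30 reset connections to 198.51.100.20:443, while the DC-to-DC LDAP flow raises nothing.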

What to do?

Microsoft has addressed all four vulnerabilities by releasing security updates for supported Windows Servers and Windows versions in April, June, and July 2025. With the details of these vulnerabilities and their exploit modules now public, organizations that have yet to implement the necessary patches are urged to act promptly.

“Organizations must assume that all of their servers and endpoints are potential targets for DDoS attacks, regardless of whether they are publicly accessible. In response, they should establish robust mitigations against such attacks within their infrastructure, ensuring they can both defend their assets and swiftly identify the sources of any attacks,” advised SafeBreach researchers Or Yair and Shahak Morag.

