Win-DoS’ Zero-Click Exploit Could Weaponize Windows Infrastructure for DDoS Attacks

Security researchers have recently unveiled a concerning “zero-click” denial-of-service (DoS) exploit that has the potential to covertly transform thousands of Microsoft Windows Domain Controllers (DCs) into a vast, global botnet. This revelation comes at a time when the cybersecurity landscape is already grappling with unprecedented levels of distributed-denial-of-service (DDoS) activity.

According to Gcore’s latest Radar report, DDoS attacks surged by 56% year-over-year in late 2024. Cloudflare has reported blocking single attack floods that peaked at an astonishing 7.3 Tbps in 2025, marking the largest such incident ever recorded. The financial implications of these attacks are staggering, with the average minute of downtime costing businesses approximately ,000, and typical incidents for small and midsize firms exceeding 0,000.

Win-DoS’ Zero-Click Exploit

A zero-click exploit operates without any user interaction, often taking advantage of software that automatically processes untrusted data. Research from SafeBreach Labs highlights how the Lightweight Directory Access Protocol (LDAP) client in Windows can be compromised through a specially crafted Remote Procedure Call (RPC), leading to the creation of “Win-DDoS.” This attack mechanism directs DCs to target any victim server through an endless series of LDAP referrals.

As each referral is pursued automatically, it enables thousands of DCs worldwide to inadvertently bombard a target with TCP traffic—without the need for malware, credentials, or lateral movement.

| CVE | Component | Privileges Needed | Effect | Patch Month |
|---|---|---|---|---|
| CVE-2025-32724 | LSASS (LDAP client) | None | Memory exhaustion / DC crash | June 2025 |
| CVE-2025-26673 | NetLogon (RPC) | None | TorpeDoS memory crash | May 2025 |
| CVE-2025-49716 | NetLogon (RPC) | None | Stateless RPC DoS | July 2025 |
| CVE-2025-49722 | Print Spooler (RPC) | Authenticated user | Any Windows endpoint crash | July 2025 |
  • Win-DDoS – exploits limitless LDAP referrals to recruit public DCs into bandwidth-rich botnets.
  • TorpeDoS – separates RPC binding from payload delivery, allowing a single laptop to establish thousands of connections and inundate a server with near-DDoS intensity.

Domain Controllers serve as foundational elements of enterprise identity management. Disabling them can disrupt logons, stall business operations, and severely hinder recovery efforts. Notably, even internal-only DCs are vulnerable; an attacker with minimal network access can redirect machines to external targets or crash them, challenging the long-standing belief that denial-of-service issues are confined to the Internet’s perimeter.

The vulnerabilities also reveal significant architectural oversights. The LDAP client’s referral logic imposes no limits on list size and retains entries in memory until processing is complete, while multiple RPC interfaces permit unbounded allocations per call. These design decisions, largely unchanged for decades, now present “one-packet” kill-switches against contemporary Windows infrastructures.
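To make the design point concrete, here is an added illustration (not Windows, SafeBreach or any vendor's code) of what bounded referral handling looks like in a toy LDAP client. The client refuses referrals that point outside an assumed internal DNS suffix or off the LDAP ports, caps the size of a referral list it will even consider, caps the number of hops it follows for one search, and stops on a referral cycle. The `DIRECTORY` dictionary stands in for the network and is entirely constructed: host names under `corp.example` and the TEST-NET address `203.0.113.10` are placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed model of an LDAP client's referral handling with explicit bounds.
# Not real Windows code: it shows the limits the article says the real client lacked.


@dataclass(frozen=True)
class ReferralPolicy:
    max_hops: int = 3                                  # referrals followed per search
    max_list: int = 8                                  # referral URLs accepted in one response
    allowed_suffixes: tuple = (".corp.example",)       # hypothetical internal DNS suffix
    allowed_ports: frozenset = frozenset({389, 636, 3268, 3269})


@dataclass
class Result:
    outcome: str                                       # "entries" or one of the refused_* codes
    contacted: list = field(default_factory=list)      # hosts actually contacted, in order
    entries: list = field(default_factory=list)


def referral_target(url):
    """Return (host, port) for an ldap:// or ldaps:// URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return None
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port                        # .hostname is already lower-cased


def permitted(target, policy):
    """A referral may only send us to an internal host on an LDAP port."""
    host, port = target
    return port in policy.allowed_ports and host.endswith(policy.allowed_suffixes)


def search(directory, start_url, policy):
    """Resolve a search, chasing referrals only inside the policy's bounds.

    `directory` maps a host name to the response that host would return:
    ("entries", [...]) or ("referral", [url, ...]).  No sockets are opened.
    """
    result = Result("entries")
    url = start_url
    for _hop in range(policy.max_hops + 1):            # hop 0 is the initial server
        target = referral_target(url)
        if target is None or not permitted(target, policy):
            result.outcome = "refused_external"        # rejected before any connection
            return result
        host, _port = target
        if host in result.contacted:                   # referral cycle: stop, do not spin
            result.outcome = "refused_loop"
            return result
        result.contacted.append(host)
        kind, payload = directory.get(host, ("entries", []))
        if kind == "entries":
            result.entries = payload
            return result
        if len(payload) > policy.max_list:             # bounded memory for the referral list
            result.outcome = "refused_list"
            return result
        url = payload[0]                               # next referral to chase
    result.outcome = "refused_hops"                    # hop cap reached: bounded work
    return result


# Constructed stand-in for the network (hypothetical names and a TEST-NET address).
DIRECTORY = {
    "dc1.corp.example": ("referral", ["ldap://dc2.corp.example/dc=corp,dc=example"]),
    "dc2.corp.example": ("entries", ["cn=alice,dc=corp,dc=example"]),
    "dc3.corp.example": ("referral", ["ldap://dc4.corp.example/"]),
    "dc4.corp.example": ("referral", ["ldap://dc5.corp.example/"]),
    "dc5.corp.example": ("referral", ["ldap://dc6.corp.example/"]),
    "dc6.corp.example": ("referral", ["ldap://dc7.corp.example/"]),
    "dc7.corp.example": ("entries", ["cn=bob,dc=corp,dc=example"]),
    "misdirect.corp.example": ("referral", ["ldap://203.0.113.10:80/"]),   # off-domain, off-port
    "loopa.corp.example": ("referral", ["ldap://loopb.corp.example/"]),
    "loopb.corp.example": ("referral", ["ldap://loopa.corp.example/"]),
    "broad.corp.example": ("referral", ["ldap://dc%d.corp.example/" % i for i in range(100)]),
}

if __name__ == "__main__":
    for start in ("dc1", "dc3", "misdirect", "loopa", "broad"):
        r = search(DIRECTORY, "ldap://%s.corp.example/" % start, ReferralPolicy())
        print(start, r.outcome, r.contacted)
```

The legitimate case (dc1 to dc2) still works; the long internal chain stops after `max_hops`, the off-domain referral is refused without contacting the outside host, the cycle is detected, and an oversized referral list is dropped rather than held in memory.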

SafeBreach disclosed these vulnerabilities to Microsoft in March 2025. All four CVEs were addressed in the subsequent June and July Patch Tuesday releases. Administrators are strongly encouraged to apply these patches promptly and ensure that DCs are not exposed to the Internet. In cases where patching is delayed, Microsoft advises disabling unnecessary CLDAP/RPC exposure and implementing rate-limiting on referral traffic.


The emergence of Win-DDoS signifies a shift in tactics, as attackers transition from hijacking IoT devices to utilizing legitimate servers for amplification. This method leaves no malware trace, rendering traditional endpoint detection largely ineffective.

Analysts caution that a state actor could potentially redirect DCs in one nation to inundate critical infrastructure in another, complicating both attribution and response efforts. With DDoS volumes and associated costs reaching unprecedented levels, the identification of a zero-click, no-malware pathway capable of generating trillions of packets daily represents a crucial turning point.

Enterprises are advised to reassess their threat models, recognizing that DCs should not merely be viewed as defensive assets. Implementing DoS hardening measures, traffic caps, RPC monitoring, and rigorous patch management should become integral components of their Active Directory hygiene strategies. Neglecting these precautions risks allowing Windows itself to evolve into the next significant botnet.
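As an added example of the "traffic caps" and monitoring the paragraphs above call for (not code from the article or from SafeBreach), the detector below runs over constructed firewall-style flow records. A domain controller normally talks LDAP only to other internal DCs, so it raises one alert when a DC opens an outbound LDAP/LDAPS connection to an address outside the enterprise's own ranges, and a second when one DC hits one destination more than a threshold number of times inside a short window. The DC addresses, the `10.0.0.0/8` range, the `key=value` log format and the sample lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detector: not tied to any real product's log format.
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}            # constructed DC addresses
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # constructed enterprise space
LDAP_PORTS = {389, 636, 3268, 3269}
BURST_THRESHOLD = 5                                      # connections from one DC to one host
BURST_WINDOW = timedelta(seconds=10)                     # ... within this window


def parse_line(line):
    """Parse '<ISO-8601 Z> key=value ...'; return a dict or None for malformed lines."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
                "dport": int(fields["dport"]), "proto": fields.get("proto", "tcp")}
    except (ValueError, KeyError):
        return None


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines):
    """Return deduplicated (kind, src, dst) alerts in order of first detection."""
    alerts, seen = [], set()
    recent = defaultdict(list)            # (src, dst) -> timestamps inside the window

    def raise_alert(kind, key):
        alert = (kind, *key)
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        # Only DC-initiated LDAP/LDAPS connections are of interest here.
        if rec["src"] not in DOMAIN_CONTROLLERS or rec["dport"] not in LDAP_PORTS:
            continue
        key = (rec["src"], rec["dst"])
        if not is_internal(rec["dst"]):
            raise_alert("dc_external_ldap", key)   # a DC should never chase LDAP outside
        window = [t for t in recent[key] if rec["ts"] - t <= BURST_WINDOW]
        window.append(rec["ts"])
        recent[key] = window
        if len(window) >= BURST_THRESHOLD:          # same DC, same target, too fast
            raise_alert("dc_ldap_burst", key)
    return alerts


# Constructed sample log: one benign DC-to-DC query, a non-DC web connection,
# a DC repeatedly connecting to an outside host on 389, and a malformed line.
SAMPLE_LOG = """\
2025-08-12T10:00:00Z src=10.0.0.5 dst=10.0.0.6 dport=389 proto=tcp
2025-08-12T10:00:01Z src=10.0.0.20 dst=198.51.100.7 dport=443 proto=tcp
2025-08-12T10:00:02Z src=10.0.0.5 dst=198.51.100.7 dport=389 proto=tcp
2025-08-12T10:00:03Z src=10.0.0.5 dst=198.51.100.7 dport=389 proto=tcp
2025-08-12T10:00:04Z src=10.0.0.5 dst=198.51.100.7 dport=389 proto=tcp
2025-08-12T10:00:05Z src=10.0.0.5 dst=198.51.100.7 dport=389 proto=tcp
2025-08-12T10:00:06Z src=10.0.0.5 dst=198.51.100.7 dport=389 proto=tcp
2025-08-12T10:00:30Z src=10.0.0.6 dst=10.0.0.5 dport=3268 proto=tcp
this line is malformed
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The external-destination rule fires on the first offending connection and is the cheaper signal; the burst rule catches the volume pattern even when the destination happens to be internal, which matters because the article notes that internal-only DCs can be turned against other internal hosts.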

Winsage