New ‘Win-DoS’ Zero-Click Vulnerabilities Turn Windows Domain Controllers into DDoS Botnet

LAS VEGAS — At the DEF CON 33 security conference, researchers Yair and Shahak Morag of SafeBreach Labs unveiled a new class of denial-of-service (DoS) attacks, dubbed the “Win-DoS Epidemic.”

The duo presented their findings, which include four new Windows DoS vulnerabilities and one zero-click distributed denial-of-service (DDoS) flaw.

The discovered flaws, all of which are categorized as “uncontrolled resource consumption,” include:


  • CVE-2025-26673 (CVSS 7.5): A high-severity DoS vulnerability in Windows LDAP.
  • CVE-2025-32724 (CVSS 7.5): A high-severity DoS vulnerability in Windows LSASS.
  • CVE-2025-49716 (CVSS 7.5): A high-severity DoS vulnerability in Windows Netlogon.
  • CVE-2025-49722 (CVSS 5.7): A medium-severity DoS vulnerability in the Windows Print Spooler, which requires an authenticated attacker on an adjacent network.

The research demonstrates how attackers can crash any Windows endpoint or server, including critical Domain Controllers (DCs), and even weaponize public DCs to create a massive DDoS botnet.

“We present ‘Win-DoS Epidemic’ – DoS tools exploiting four new Win-DoS and one Win-DDoS zero-click vulns! Crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS. The epidemic has begun,” the researchers said.

The Dangers of DoS on Domain Controllers

Domain Controllers are the backbone of most organizational networks, handling authentication and centralizing user and resource management.

A successful DoS attack against a DC can paralyze an entire organization, making it impossible for users to log in, access resources, or perform daily operations.

The researchers’ work builds on their previous discovery, the LdapNightmare vulnerability (CVE-2024-49113), which was the first public DoS exploit for a Windows DC. The new findings expand this threat significantly, moving beyond just LDAP to abuse other core Windows services.

A New Botnet Harnessing Public Infrastructure

The most alarming discovery is a novel DDoS technique, which the researchers have named Win-DDoS. This attack leverages a flaw in the Windows LDAP client’s referral process.

In a normal operation, an LDAP referral directs a client to a different server to fulfill a request. Yair and Morag discovered that by manipulating this process, they could redirect DCs to a victim server, and crucially, they found a way to make the DCs relentlessly repeat this redirection.

This behavior allows an attacker to harness the immense power of tens of thousands of public DCs worldwide, turning them into a massive, free, and untraceable DDoS botnet.

The attack requires no special infrastructure and leaves no forensic trail, as the malicious activity originates from the compromised DCs, not the attacker’s machine.

This technique represents a significant shift in DDoS attacks, as it allows for high-bandwidth, high-volume attacks without the typical costs or risks associated with setting up and maintaining a botnet.
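The referral abuse described above gives defenders one observable: a Domain Controller that keeps opening outbound LDAP connections to the same host that is not a DC. The following is an added detection heuristic written for this article, not a SafeBreach tool or anything from the research; the DC addresses, the flow records and the thresholds are all constructed for illustration.

```python
"""Flag Domain Controllers that repeatedly connect over LDAP ports to one
non-DC destination inside a short window, the traffic shape a referral loop
would produce. Sample data below is constructed, not captured."""
from collections import defaultdict

LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed: addresses of the DCs in a hypothetical forest.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.10", "10.0.0.11", 389),       # normal DC-to-DC traffic, ignored
    (1, "10.0.0.10", "203.0.113.5", 389),     # DC hammering one external host
    (2, "10.0.0.10", "203.0.113.5", 389),
    (3, "10.0.0.10", "203.0.113.5", 636),
    (4, "10.0.0.10", "203.0.113.5", 389),
    (5, "10.0.0.10", "203.0.113.5", 389),
    (6, "10.0.0.10", "203.0.113.5", 389),
    (7, "10.0.0.11", "198.51.100.7", 389),    # two contacts only: stays quiet
    (8, "10.0.0.11", "198.51.100.7", 389),
    (9, "10.0.0.10", "10.0.0.11", 3268),      # global catalog lookup, ignored
]


def find_referral_loops(flows, known_dcs, threshold=5, window=60):
    """Return {(dc_ip, dst_ip): peak_count} for every DC that contacted the
    same non-DC host on an LDAP port more than `threshold` times within any
    `window`-second span. Peak count is the largest such burst seen."""
    contacts = defaultdict(list)
    for ts, src, dst, port in flows:
        if src in known_dcs and dst not in known_dcs and port in LDAP_PORTS:
            contacts[(src, dst)].append(ts)

    alerts = {}
    for key, times in contacts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst > threshold:
                alerts[key] = max(alerts.get(key, 0), burst)
    return alerts


if __name__ == "__main__":
    for (dc, dst), n in find_referral_loops(SAMPLE_FLOWS, KNOWN_DCS).items():
        print(f"ALERT: DC {dc} reached non-DC {dst} over LDAP {n} times")
```

Legitimate cross-forest referrals will also produce a few outbound LDAP connections from a DC, so the threshold and window need tuning against a baseline before this becomes an alert rather than a hunt query.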

Abusing RPC for System Crashes

In addition to the DDoS botnet, the researchers focused on the Remote Procedure Call (RPC) protocol, which is a fundamental component of Windows for inter-process communication.

RPC servers are ubiquitous in the Windows environment and often have wide attack surfaces, especially those that don’t require authentication.

The SafeBreach team found that by abusing security gaps in RPC bindings, they could repeatedly hit the same RPC server from a single system, effectively bypassing standard concurrency limits.

This method allowed them to discover three new zero-click, unauthenticated DoS vulnerabilities that can crash any Windows system—servers and endpoints alike.

They also found another DoS flaw that can be exploited by any authenticated user on the network.

These vulnerabilities break common assumptions that internal systems are safe from abuse without a full compromise, demonstrating that even a minimal presence on a network can be used to cause widespread operational failure.

The researchers have released a set of tools, collectively called “Win-DoS Epidemic,” that exploit these five new vulnerabilities. The tools can be used to crash any unpatched Windows endpoint or server remotely, or to orchestrate a Win-DDoS botnet using public DCs.

These findings underscore the critical need for organizations to reassess their threat models and security postures, particularly regarding internal systems and services like DCs.

Microsoft has since released patches for the LdapNightmare vulnerability, but the new discoveries highlight the ongoing need for vigilance and continuous security validation.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.