Security researchers have uncovered a “zero-click” denial-of-service chain that can silently turn thousands of Microsoft Windows Domain Controllers (DCs) into a globe-spanning botnet, raising fresh alarms in a year already defined by record-breaking distributed-denial-of-service (DDoS) activity.
DDoS attacks climbed 56% year-over-year in late 2024 according to Gcore’s latest Radar report, and Cloudflare’s network has already blocked single floods peaking at 7.3 Tbps in 2025, the largest ever disclosed.
With the average minute of downtime now costing around $6,000 and typical incidents topping $400,000 for small and midsize firms, defenders face mounting pressure even before new exploitation techniques emerge.
Win-DoS’ Zero-Click Exploit
A zero-click exploit executes without user interaction, typically abusing software that automatically parses untrusted data.
SafeBreach Labs’ new research shows how Windows’ own Lightweight Directory Access Protocol (LDAP) client can be hijacked via a crafted RPC call to build “Win-DDoS,” an attack flow that points DCs at any victim server through endless LDAP referrals.

Because each referral is chased automatically, thousands of DCs worldwide can unwittingly hammer a target with TCP traffic—no malware, credentials, or lateral movement required.
| CVE | Component | Privileges Needed | Effect | Patch Month |
|---|---|---|---|---|
| CVE-2025-32724 | LSASS (LDAP client) | None | Memory exhaustion / DC crash | June 2025 |
| CVE-2025-26673 | NetLogon (RPC) | None | TorpeDoS memory crash | May 2025 |
| CVE-2025-49716 | NetLogon (RPC) | None | Stateless RPC DoS | July 2025 |
| CVE-2025-49722 | Print Spooler (RPC) | Authenticated user | Any Windows endpoint crash | July 2025 |
SafeBreach also weaponised two techniques:
- Win-DDoS – abuses limitless LDAP referrals to conscript public DCs into bandwidth-rich botnets.
- TorpeDoS – splits RPC binding and payload delivery, enabling a single laptop to open thousands of connections and overwhelm a server with near-DDoS force.
Domain Controllers are cornerstones of enterprise identity. Knocking them offline can freeze logons, halt business processes, and cripple recovery.
Even internal-only DCs are susceptible; an attacker who gains minimal network access can redirect machines to external victims or simply crash them, overturning the long-held assumption that denial-of-service is “an Internet-edge problem.”

The defects also expose deep architectural blind spots. The LDAP client’s referral logic places no limits on list size and holds entries in memory until completion, while several RPC interfaces allow unbounded allocations per call.
These design choices, largely unchanged for decades, now present “one-packet” kill-switches against modern Windows fleets.
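To make the design point concrete, the following is an added Python model (not SafeBreach’s research code and not Microsoft’s LDAP client; it speaks no LDAP at all) that contrasts a referral follower with no limits against one that caps hops and held entries, suppresses duplicates, and refuses referrals to hosts outside an operator-supplied allowlist. The host names and the endless referral source are constructed for the demonstration.

```python
"""Model of LDAP referral chasing: an unbounded follower beside a bounded one.
Constructed example; nothing here speaks LDAP. A 'lookup' is a callable that,
given a URL, returns (entries, referral_urls) the way a referral-issuing
directory server would."""
from collections import deque
from urllib.parse import urlparse

def endless_referrer(target_host="victim.example.net"):
    """Constructed referral source: every lookup returns one entry and a new
    referral at target_host, so a client without limits never finishes."""
    state = {"lookups": 0}
    def lookup(url):
        state["lookups"] += 1
        n = state["lookups"]
        return [f"entry-{n}"], [f"ldap://{target_host}/ref{n}"]
    return lookup, state

def follow_unbounded(lookup, start, demo_cutoff):
    """Naive client: chases every referral and holds every entry in memory
    until the chain ends. demo_cutoff exists only so this demo terminates;
    the modelled client itself has no such limit."""
    pending, held = deque([start]), []
    while pending and len(held) < demo_cutoff:
        entries, refs = lookup(pending.popleft())
        held.extend(entries)
        pending.extend(refs)
    return {"held_entries": len(held), "still_pending": len(pending)}

def follow_bounded(lookup, start, allowed_hosts, max_hops=8, max_entries=500):
    """Hardened client: hop cap, entry cap, duplicate suppression, and a host
    allowlist so a referral can never point the client at an outside target."""
    pending, held, seen, refused = deque([start]), [], set(), []
    hops = 0
    while pending and hops < max_hops and len(held) < max_entries:
        url = pending.popleft()
        host = (urlparse(url).hostname or "").lower()
        if url in seen or host not in allowed_hosts:
            refused.append(url)          # never contact an unlisted host
            continue
        seen.add(url)
        hops += 1
        entries, refs = lookup(url)
        held.extend(entries[: max_entries - len(held)])
        pending.extend(refs)
    return {"held_entries": len(held), "hops": hops, "refused": len(refused),
            "work_left": bool(pending)}
```

Against the endless source, the naive follower grows its held list until the demo cutoff, while the bounded follower contacts the trusted server once and refuses the off-domain referral, so the outside host is never reached.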
SafeBreach privately reported the bugs to Microsoft in March 2025. All four CVEs were addressed across the June and July Patch Tuesday releases, and administrators are urged to apply patches immediately and verify DCs are not exposed to the Internet.
Where patching lags, Microsoft recommends disabling unnecessary CLDAP/RPC exposure and implementing rate-limiting on referral traffic.
Win-DoS arrives as attackers pivot from hijacked IoT devices to “living-off-the-infrastructure” strategies that abuse legitimate servers for amplification. Because the technique leaves no malware footprint, traditional endpoint detection offers little help.
Analysts warn that a state actor could redirect DCs in one country to flood critical infrastructure in another, complicating attribution and response.
With DDoS volumes and costs already at all-time highs, the discovery of a zero-click, no-malware pathway to trillions of packets per day marks a pivotal moment.
Enterprises should revisit threat models that treat DCs as purely defensive assets and add DoS hardening, traffic caps, RPC monitoring, and aggressive patch management to their Active Directory hygiene playbooks. Failure to do so risks letting Windows itself become the next great botnet.