‘Win-DDoS’: Researchers unveil botnet technique exploiting Windows domain controllers


At DEF CON 33, security researchers demonstrated a novel distributed denial-of-service technique using weaponized Windows domain controllers (DCs), along with a set of zero-click vulnerabilities affecting Windows services.

Dubbed “Win-DDoS,” the attack strategy involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the remote procedure call (RPC) framework.

“We discovered a novel DDoS technique that could be used to create a malicious botnet leveraging public DCs, three new DoS vulnerabilities that provide the ability to crash DCs without the need for authentication, and one new DoS vulnerability that provides any authenticated user with the ability to crash any DC or Windows computer in a domain,” SafeBreach researchers said in a blog post.

The discovery came as part of a follow-up research on a previous Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability, LDAPNightmare, for which SafeBreach Labs had released the first PoC exploit in January.

Attackers can target client-side blind spots

Demonstrating how embedded trust in client-side components can be abused, Win-DDoS manipulates the LDAP referral mechanism to redirect DCs to send repeated requests to a victim-controlled endpoint, flooding the target with unintended network traffic.

According to the researchers, the blind spot lies in the Client code, the component on domain controllers that handles client-side logic when processing LDAP referrals or other RPC interactions.

“Client code expects that the server was chosen by the client and, thus, the server and the information that it returns is usually trusted,” researchers said. “Therefore, if Client code can be remotely triggered to interact with an attacker-controlled server, then we have remote Client code that trusts us more than remote server code probably would.”

Using the LDAPNightmare vulnerability, tracked as CVE-2024-49113, the researchers were able to create the Win-DDoS technique that would enable attackers to compromise tens of thousands of public DCs around the world to create a botnet with ‘vast resources and upload rates’.

Additionally, the LDAP Client code’s referral process lacked limits on list sizes (CVE-2025-32724) and freed memory only after completion, allowing an unauthenticated attacker to send oversized lists that crashed Windows LSASS and triggered a blue-screen-of-death (BSOD), causing a denial-of-service.
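As an added defender-side illustration (not code from the SafeBreach research or this article): because the technique turns a DC into an LDAP client that follows referrals to a host the attacker chose, one detection is to flag DCs that initiate outbound LDAP connections to hosts that are not other DCs in flow or firewall logs. The DC inventory, the 10.0.0.0/8 internal scope and the log lines below are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of firewall/netflow-style records:
# timestamp, source IP, destination IP, destination port, protocol.
# 10.0.0.10 and 10.0.0.11 are assumed to be domain controllers;
# 203.0.113.7 is a hypothetical external host a DC has been steered to.
SAMPLE_FLOWS = """\
2025-08-10T12:00:01Z 10.0.0.10 10.0.0.11 389 tcp
2025-08-10T12:00:02Z 10.0.0.10 203.0.113.7 389 tcp
2025-08-10T12:00:02Z 10.0.0.10 203.0.113.7 389 tcp
2025-08-10T12:00:03Z 10.0.0.10 203.0.113.7 389 tcp
2025-08-10T12:00:03Z 10.0.0.10 203.0.113.7 636 tcp
2025-08-10T12:00:04Z 10.0.0.42 203.0.113.7 443 tcp
2025-08-10T12:00:05Z 10.0.0.10 10.0.0.11 88 tcp
"""

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}      # assumed DC inventory
LDAP_PORTS = {389, 636, 3268, 3269}                  # LDAP, LDAPS, global catalog
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal scope

def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        flows.append((ts, src, dst, int(port), proto))
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspicious_ldap_clients(flows, threshold=3):
    """Return {(dc, dst): count} where a DC acts as an LDAP *client* toward a
    host that is not another DC, and the connection count meets the threshold.
    Referral chasing between DCs of the forest is normal; a DC repeatedly
    opening LDAP sessions to a non-DC (especially an external) host is the
    coerced client behaviour the Win-DDoS write-up describes."""
    counts = Counter()
    for _, src, dst, port, proto in flows:
        if src in DOMAIN_CONTROLLERS and port in LDAP_PORTS and proto == "tcp":
            if dst not in DOMAIN_CONTROLLERS:
                counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (dc, dst), n in find_suspicious_ldap_clients(parse_flows(SAMPLE_FLOWS)).items():
        scope = "external" if not is_internal(dst) else "internal"
        print(f"DC {dc} opened {n} outbound LDAP connections to {scope} non-DC host {dst}")
```

In a real deployment the DC inventory would come from the directory itself and the threshold would be tuned to the environment's baseline of DC-initiated LDAP traffic.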

Research revealed more DoS flaws

SafeBreach researchers also discovered CVE-2025-26673 in DC’s Netlogon service, where crafted RPC calls could crash the service remotely without authentication. By exploiting this weakness, attackers could knock out a critical Windows authentication component, potentially locking users out of domain resources until the system is rebooted. Similarly, CVE-2025-49716 targets Windows Local Security Authority Subsystem Service (LSASS), enabling a remote attacker to send specially formed LDAP queries that destabilize the service, leading to immediate DoS on the affected host.

Rounding out SafeBreach’s list is CVE-2025-49722, a DoS flaw in Windows Print Spooler. This bug can be triggered by sending malformed RPC requests that cause the spooler process to fail, interrupting printing operations and, in some cases, impacting broader system stability.

While Microsoft issued fixes only for LDAPNightmare (CVE-2024-49113), CVE-2025-32724, and CVE-2025-49716 in recent Patch Tuesday releases, the rest of the SafeBreach-reported flaws may have been addressed, too.

“This report has been addressed via CVE-2025-49716 and customers who have installed the latest updates, or have automatic updates enabled, are already protected,” a Microsoft spokesperson told CSO in a comment. “We appreciate the coordination with SafeBreach and are committed to continually improving security for our customers as well as sharing what we have learned with the broader community.”
