{"id":4343,"date":"2025-08-11T12:03:00","date_gmt":"2025-08-11T12:03:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4343"},"modified":"2025-08-11T12:03:00","modified_gmt":"2025-08-11T12:03:00","slug":"win-ddos-researchers-unveil-botnet-technique-exploiting-windows-domain-controllers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4343","title":{"rendered":"\u2018Win-DDoS\u2019: Researchers unveil botnet technique exploiting Windows domain controllers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>At DEF CON 33, security researchers demonstrated a novel distributed denial-of-service technique using weaponized Windows domain controllers (DCs), along with a set of zero-click vulnerabilities affecting Windows services.<\/p>\n<p>Dubbed \u201cWin-DDoS,\u201d the attack strategy involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the remote procedure call (RPC) framework.<\/p>\n<p>\u201cWe discovered a novel DDoS technique that could be used to create a malicious botnet leveraging public DCs, three new DoS vulnerabilities that provide the ability to crash DCs without the need for authentication, and one new DoS vulnerability that provides any authenticated user with the ability to crash any DC or Windows computer in a domain,\u201d SafeBreach researchers said in a blog post.<\/p>\n<p>The discovery came as part of follow-up research on a previous Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability, LDAPNightmare, for which SafeBreach Labs had released the first PoC exploit in January.<\/p>\n<h2 class=\"wp-block-heading\">Attackers can target client-side blind spots<\/h2>\n
<p>Demonstrating how embedded trust in client-side components can be abused, Win-DDoS manipulates the LDAP referral mechanism to redirect DCs to send repeated requests to a victim-controlled endpoint, flooding the target with unintended network traffic.<\/p>\n<p>According to the <a href=\"https:\/\/www.safebreach.com\/blog\/win-dos-epidemic-abusing-rpc-for-dos-and-ddos\/\" target=\"_blank\" rel=\"noopener\">researchers<\/a>, the blind spot lies in the Client code, the service in domain controllers that handles client-side logic when processing LDAP referrals or other RPC interactions.<\/p>\n<p>\u201cClient code expects that the server was chosen by the client and, thus, the server and the information that it returns is usually trusted,\u201d researchers said. \u201cTherefore, if Client code can be remotely triggered to interact with an attacker-controlled server, then we have remote Client code that trusts us more than remote server code probably would.\u201d<\/p>\n<p>Using the LDAPNightmare vulnerability, tracked as CVE-2024-49113, the researchers were able to create the Win-DDoS technique that would enable attackers to compromise tens of thousands of public DCs around the world to create a botnet with \u2018vast resources and upload rates\u2019.<\/p>\n<p>Additionally, the LDAP Client code\u2019s referral process lacked limits on list sizes (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-32724\" target=\"_blank\" rel=\"noopener\">CVE-2025-32724<\/a>) and freed memory only after completion, allowing an unauthenticated attacker to send oversized lists that crashed Windows LSASS and triggered a blue-screen-of-death (<a href=\"https:\/\/www.csoonline.com\/article\/2589942\/blue-screen-of-death-strikes-crowd-of-crowdstrike-servers.html\">BSOD<\/a>), causing a denial-of-service.<\/p>\n<h2 class=\"wp-block-heading\">Research revealed more DoS flaws<\/h2>\n
<p>SafeBreach researchers also discovered <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-26673\" target=\"_blank\" rel=\"noopener\">CVE-2025-26673<\/a> in the DC\u2019s Netlogon service, where crafted RPC calls could crash the service remotely without authentication. By exploiting this weakness, attackers could knock out a critical Windows authentication component, potentially locking users out of domain resources until the system is rebooted. Similarly, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49716\" target=\"_blank\" rel=\"noopener\">CVE-2025-49716<\/a> targets the Windows Local Security Authority Subsystem Service (LSASS), enabling a remote attacker to send specially formed LDAP queries that destabilize the service, leading to immediate DoS on the affected host.<\/p>\n<p>Rounding out SafeBreach\u2019s list is <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49722\" target=\"_blank\" rel=\"noopener\">CVE-2025-49722<\/a>, a DoS flaw in Windows Print Spooler. This bug can be triggered by sending malformed RPC requests that cause the spooler process to fail, interrupting printing operations and, in some cases, impacting broader system stability.<\/p>\n<p>While Microsoft issued fixes only for LDAPNightmare (CVE-2024-49113), CVE-2025-32724, and CVE-2025-49716 in recent Patch Tuesday releases, the rest of the flaws SafeBreach reported may have been addressed, too.<\/p>\n<p>\u201cThis report has been addressed via <a href=\"https:\/\/url.usb.m.mimecastprotect.com\/s\/39A2COJvZvFNWxq0iEfMsGHQKQ?domain=msrc.microsoft.com\">CVE-2025-49716<\/a> and customers who have installed the latest updates, or have automatic updates enabled, are already protected,\u201d a Microsoft spokesperson told CSO in a comment. \u201cWe appreciate the coordination with SafeBreach and are committed to continually improving security for our customers as well as sharing what we have learned with the broader community.\u201d<\/p>\n
<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>At DEF CON 33, security researchers demonstrated a novel distributed denial-of-service technique using weaponized Windows domain controllers (DCs), along with a set of zero-click vulnerabilities affecting Windows services. Dubbed \u201cWin-DDoS,\u201d the attack strategy involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the remote procedure call (RPC) framework. \u201cWe discovered a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4327,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4343","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4343"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4343"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4343\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4327"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.ph
p?rest_route=%2Fwp%2Fv2%2Fcategories&post=4343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}