A newly disclosed attack method, dubbed Win-DDoS, could enable cybercriminals to convert thousands of publicly accessible Windows domain controllers (DCs) into a powerful botnet, capable of unleashing large-scale distributed denial-of-service (DDoS) attacks. The discovery was presented by SafeBreach researchers Or Yair and Shahak Morag at the DEF CON 33 security conference.
A New Class of Weaponized Domain Controllers
By exploiting flaws in Windows’ Lightweight Directory Access Protocol (LDAP) client code, attackers can manipulate URL referrals to redirect traffic from compromised DCs to a target server, overwhelming it with traffic. This method requires no malicious code execution or stolen credentials, allowing attackers to operate without leaving a trace.
The Win-DDoS attack chain works as follows:
1. The attacker sends an RPC request to DCs, prompting them to act as CLDAP clients.
2. These clients connect to the attacker’s CLDAP server, which issues a referral to an LDAP server under the attacker’s control.
3. The LDAP server responds with an extensive referral list, all pointing to a single IP and port.
4. Each referral triggers repeated TCP connections to the victim, exhausting its resources.
Researchers warn that this technique’s high bandwidth potential, combined with the fact that no compromised infrastructure is needed, makes it a stealthy and potent cyber weapon.
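The observable symptom of the chain above, from the abused DC's side, is a burst of outbound LDAP connections to one non-internal IP and port. As an added example (not code from SafeBreach, Microsoft or the article), the following detector counts that pattern in a Windows Firewall log; it assumes the DC logs successful connections to pfirewall.log in the W3C layout, and the log lines, the DC address 10.0.0.5 and the victim address 203.0.113.7 are constructed.

```python
"""Flag a DC that opens many outbound LDAP connections to a single external
ip:port, the footprint a Win-DDoS referral list would leave on the DC itself.
Assumes the Windows Firewall log (pfirewall.log, W3C layout) with successful
connections enabled; one ALLOW/SEND line is written per connection."""
import ipaddress
from collections import Counter

LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")

def parse_firewall_log(text):
    """Yield (action, protocol, src-ip, dst-ip, dst-port, path) per data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:            # malformed or truncated line, skip it
            continue
        yield f[2], f[3], f[4], f[5], int(f[7]), f[16]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_referral_storms(text, dc_ips, threshold=20):
    """Return {(dst-ip, dst-port): count} for DC-initiated LDAP connections to
    non-internal hosts that reach the threshold. A DC normally initiates LDAP
    only toward peer DCs, so a pile-up on one external ip:port is suspicious."""
    hits = Counter()
    for action, proto, src, dst, dport, path in parse_firewall_log(text):
        if (action == "ALLOW" and proto == "TCP" and path == "SEND"
                and src in dc_ips and dport in LDAP_PORTS and not is_internal(dst)):
            hits[(dst, dport)] += 1
    return {k: v for k, v in hits.items() if v >= threshold}

def build_sample_log():
    """Constructed sample: one replication connection to a peer DC, then 25
    connections from the DC to one external ip:port (203.0.113.7 is a
    documentation address standing in for the victim)."""
    lines = [HEADER,
             "2025-08-10 14:02:11 ALLOW TCP 10.0.0.5 10.0.0.6 49811 389 0 - 0 0 0 - - - SEND",
             "2025-08-10 14:02:11 ALLOW TCP 10.0.0.6 10.0.0.5 389 49811 0 - 0 0 0 - - - RECEIVE"]
    for i in range(25):
        lines.append(f"2025-08-10 14:02:{12 + i // 5:02d} ALLOW TCP 10.0.0.5 "
                     f"203.0.113.7 {51200 + i} 389 0 - 0 0 0 - - - SEND")
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_referral_storms(build_sample_log(), {"10.0.0.5"}))
```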
Critical CVEs and DoS Vulnerabilities
Microsoft has patched four related vulnerabilities:
- CVE-2025-26673 – LDAP uncontrolled resource consumption (CVSS 7.5)
- CVE-2025-32724 – LSASS uncontrolled resource consumption (CVSS 7.5)
- CVE-2025-49716 – Netlogon uncontrolled resource consumption (CVSS 7.5)
- CVE-2025-49722 – Print Spooler uncontrolled resource consumption (CVSS 5.7)
These flaws allow unauthenticated attackers to remotely crash domain controllers or authenticated users to disrupt systems on internal networks. SafeBreach likened the flaws to LDAPNightmare (CVE-2024-49113), warning that enterprise security models often underestimate the risk of denial-of-service attacks against internal infrastructure.
The findings underscore a pressing need for organizations to audit domain controller exposure, apply the latest security patches, and reassess assumptions about internal network safety.