New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

Threat Score: 67
5 articles
100.0% similarity
2 days ago

Article Timeline

5 articles, published Aug 10, Aug 10, Aug 11, Aug 11, Aug 11

Key Insights

1. Researchers revealed a zero-click exploit named 'Win-DDoS' that can weaponize Windows Domain Controllers into a botnet for DDoS attacks, raising concerns amid rising DDoS incidents in 2025.
2. DDoS attacks surged 56% year-over-year in late 2024, with Cloudflare reporting peak traffic of 7.3 Tbps in 2025, the highest ever recorded.
3. The Win-DDoS technique leverages vulnerabilities in the Windows LDAP client, particularly exploiting CVE-2025-32724, allowing attackers to crash domain controllers without authentication.
4. SafeBreach Labs identified multiple DoS vulnerabilities, including CVE-2025-26673 and CVE-2025-49716, which contribute to the exploitation of Windows servers and are critical for security teams to address.
5. The attack involves manipulating LDAP referrals to redirect traffic from multiple domain controllers to a target server, effectively turning the Windows infrastructure into a weapon.
6. Experts warn that attackers do not need to execute malware or obtain credentials, making it easier to conduct large-scale DDoS attacks using public domain controllers.

Threat Overview

Security researchers have unveiled a new zero-click exploit named 'Win-DDoS' that can transform Microsoft Windows Domain Controllers (DCs) into a botnet capable of executing distributed denial-of-service (DDoS) attacks. The findings were presented by researchers from SafeBreach Labs at DEF CON 33 on August 11, 2025. With DDoS attacks having increased 56% year-over-year in late 2024, and Cloudflare reporting peak attack traffic of 7.3 Tbps this year, the implications of this discovery are significant. According to SafeBreach, 'We discovered a novel DDoS technique that could be used to create a malicious botnet leveraging public DCs,' highlighting the ease with which attackers can exploit these vulnerabilities without requiring user interaction or authentication.

The 'Win-DDoS' technique exploits the Lightweight Directory Access Protocol (LDAP) client in Windows, specifically targeting how LDAP referrals are processed. By sending crafted Remote Procedure Calls (RPC) to domain controllers, attackers can manipulate these referrals to direct traffic towards a victim server. This allows for a continuous flood of TCP traffic as the DCs chase the referrals, effectively overwhelming the target. The researchers identified several vulnerabilities, including CVE-2025-32724, which facilitates this exploitation by allowing uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS).

The discovery builds upon previous research into the LDAPNightmare vulnerability (CVE-2024-49113), prompting SafeBreach to explore additional DoS vulnerabilities in Windows Server. The researchers noted, 'The embedded trust in client-side components can be abused,' allowing attackers to exploit blind spots in DCs' handling of LDAP referrals. Consequently, the attack can occur without the need for malware or lateral movement within networks, raising alarm among security professionals who must now contend with these new exploitation techniques.

In response to the findings, the cybersecurity community is urging immediate action. Security teams are advised to patch affected systems promptly and implement network monitoring to detect unusual traffic patterns that may indicate exploitation attempts. Security vendors are expected to release updates addressing these vulnerabilities, with SafeBreach emphasizing the need for robust defensive measures. In their report, they stated, 'All without purchasing anything and without leaving a traceable footprint,' underscoring the potential for widespread abuse.

As organizations work to mitigate the risks presented by Win-DDoS, they are encouraged to review their security postures and ensure that systems are updated to the latest versions. Failure to address these vulnerabilities could lead to significant operational disruptions, with the average minute of downtime costing around $6,000 for small and midsize firms. Security experts recommend immediate engagement with vendor advisories to secure systems against this emerging threat.
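One way to act on the monitoring advice above, as an added example that is neither SafeBreach's nor ThreatCluster's code: a small Python detector that reads constructed DC connection records and flags a domain controller opening a burst of LDAP-port TCP connections to a destination outside its known peer set, then reports destinations hit by several DCs at once, which is what referral chasing toward a single victim would look like in flow telemetry. The log format, allowlist, port set and thresholds are assumptions to be tuned to a real environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed allowlist (assumption): destinations a DC legitimately opens LDAP
# connections to, such as replication partners. A burst of DC-initiated
# connections to anything else is what referral chasing would look like.
KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}
LDAP_PORTS = {389, 636, 3268, 3269}

def parse_records(text):
    """Parse 'timestamp,src_host,dst_ip,dst_port' lines into tuples sorted by time."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        recs.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(recs)

def find_referral_floods(records, threshold=20, window=timedelta(seconds=60)):
    """Return (src, dst, count) for every DC that opens at least `threshold`
    LDAP-port connections to one non-allowlisted destination within `window`."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = {}
    for ts, src, dst, port in records:
        if port not in LDAP_PORTS or dst in KNOWN_PEERS:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return [(s, d, n) for (s, d), n in sorted(alerts.items())]

def converging_targets(alerts, min_sources=2):
    """Destinations flooded by several DCs at once: the DDoS signature."""
    by_dst = defaultdict(set)
    for src, dst, _ in alerts:
        by_dst[dst].add(src)
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_sources}

def sample_log():
    """Constructed telemetry: benign replication to a known peer, then two DCs
    each opening 25 connections to one external host within half a minute."""
    base = datetime(2025, 8, 11, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=20 * i)).isoformat()},DC01,10.0.0.5,389" for i in range(5)]
    for dc in ("DC01", "DC02"):
        lines += [f"{(base + timedelta(seconds=i)).isoformat()},{dc},203.0.113.7,389" for i in range(25)]
    return "\n".join(lines)
```

Running `converging_targets(find_referral_floods(parse_records(sample_log())))` on the constructed data reports 203.0.113.7 as a destination flooded by both DC01 and DC02; in production, feed it firewall or NetFlow exports for your DCs and alert on any destination that appears in the result.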

Tactics, Techniques & Procedures (TTPs)

T1190 Exploit Public-Facing Application - Attackers exploit crafted RPC calls to manipulate LDAP referrals towards victim servers, enabling DDoS attacks [1][2]
T1566.001 Spearphishing Attachment - Attackers can use phishing methods to exploit vulnerabilities in organizational DCs [3]
T1059.007 JavaScript/JScript - The attack technique does not require code execution, relying instead on the manipulation of existing protocols [4]
T1557 Adversary-in-the-Middle - Manipulation of LDAP referrals allows attackers to redirect traffic without user interaction [2][5]
T1609 Network Denial of Service - The Win-DDoS technique effectively creates a denial-of-service condition through excessive traffic from DCs [3][4]
T1055 Process Injection - Although not directly applicable, the technique highlights the absence of traditional malware use [5]
T1203 Exploitation for Client Execution - The zero-click nature of the exploit allows it to function without user action [1][2]

Timeline of Events

2025-01-15 - SafeBreach Labs releases the first PoC exploit for LDAPNightmare vulnerability [1]
2025-08-10 - SafeBreach researchers present findings on Win-DDoS at DEF CON 33 [4]
2025-08-11 - Research details on Win-DDoS and associated vulnerabilities become public [2][3]
2025-08-11 - Cloudflare reports record DDoS attack traffic of 7.3 Tbps [1]
2025-08-11 - SafeBreach researchers warn about the ease of exploitation without malware or credentials [5]
Ongoing - Security teams urged to patch affected systems and monitor for unusual traffic patterns [4]

Source Citations

Expert quotes: Cloudflare (Article 1); SafeBreach Labs (Articles 2, 4)
Primary findings: DDoS traffic statistics (Articles 1, 4); Win-DDoS exploit details (Articles 1, 2, 3); Vulnerability disclosures (Articles 1, 5)
Technical details: Exploitation impact (Articles 1, 5); Attack methods and techniques (Articles 2, 3, 4)
Powered by ThreatCluster AI
Generated 1 day ago
AI analysis may contain inaccuracies

Related Articles

5 articles
1

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

The Hacker News • 2 days ago

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today. "As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to

Score 54, 95.0% similarity
2

‘Win-DoS’ Zero-Click Exploit Could Weaponize Windows Infrastructure for DDoS Attacks

GB Hackers • 1 day ago

Security researchers have uncovered a “zero-click” denial-of-service chain that can silently turn thousands of Microsoft Windows Domain Controllers (DCs) into a globe-spanning botnet, raising fresh alarms in a year already defined by record-breaking distributed-denial-of-service (DDoS) activity. DDoS attacks climbed 56% year-over-year in late-2024 according to Gcore’s latest Radar report, and Cloudflare’s network h

Score 54, 100.0% similarity
3

New ‘Win-DoS’ Zero-Click Vulnerabilities Turns Windows Server/Endpoint, Domain Controllers Into DDoS Botnet

Cybersecurity News • 2 days ago

LAS VEGAS — At the DEF CON 33 security conference, researchers Yair and Shahak Morag of SafeBreach Labs unveiled a new class of denial-of-service (DoS) attacks, dubbed the “Win-DoS Epidemic.” The duo presented their findings, which include four new Windows DoS vulnerabilities and one zero-click distributed denial-of-service (DDoS) flaw. The discovered flaws, all of which […]

Score 53, 95.0% similarity
4

‘Win-DDoS’: Researchers unveil botnet technique exploiting Windows domain controllers

CSO Online • 1 day ago

At DEF CON 33, security researchers demonstrated a novel distributed denial-of-service technique using weaponized Windows domain controllers (DCs), along with a set of zero-click vulnerabilities affecting Windows services. Dubbed “Win-DDoS,” the attack strategy involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the remote procedure call (RPC) framework. “We discovered a novel DDoS technique that could be used to create a malicious botnet leveragi

Score 51, 100.0% similarity
5
Win-DDoS: Attackers can turn public domain controllers into DDoS agents

Feeds2 • 1 day ago

SafeBreach researchers have released details on several vulnerabilities that could be exploited by attackers to crash Windows Active Directory domain controllers (DCs), one of which (CVE-2025-32724) can also be leveraged to force public DCs to participate in distributed denial-of-service (DDoS) attacks. Win-DDoS – as the researchers dubbed this new attack technique – hinges on the attackers’ ability to trick public DCs i

Score 49, 100.0% similarity

Cluster Intelligence

Key entities and indicators for this cluster

INDUSTRIES
Information Technology
Cybersecurity
VULNERABILITIES
Remote Code Execution
Zero-Click Vulnerability
Denial of Service
Zero-Click Exploit
CVES
CVE-2025-49113
CVE-2025-49716
CVE-2025-32724
CVE-2025-26673
CVE-2024-49113
MITRE ATT&CK
T1055
T1190
T1203
T1059
T1566
ATTACK TYPES
Remote Procedure Call Attack
Distributed Denial of Service
Remote Procedure Call Exploitation
DoS
DDoS
SECURITY VENDORS
SafeBreach
COMPANIES
SafeBreach
SafeBreach Labs
Microsoft
CLUSTER INFORMATION
Cluster #1833
Created 2 days ago
Semantic Algorithm
