Security researchers recently disclosed a series of zero-click vulnerabilities in Windows that could turn critical infrastructure into a global botnet.
In a presentation at DEF CON 33, the world's largest hacking convention, SafeBreach Labs researchers revealed a new class of exploits dubbed the "Win-DoS Epidemic." These flaws, found across core Windows components, let attackers crash domain controllers and other Windows servers remotely, without any user interaction or authentication, and leverage them to launch enormous, hard-to-trace DDoS (distributed denial-of-service) attacks.
The scope of the threat is extensive, allowing hijacking of thousands of publicly accessible domain controllers worldwide, all acting as unwitting soldiers in a massive, free DDoS army, harnessing the power of legitimate Windows infrastructure for malicious purposes.
The researchers uncovered four critical vulnerabilities:
- CVE-2025-26673 (Netlogon): Crashes domain controllers via resource exhaustion.
- CVE-2025-32724 (LDAP): Exploits referral handling to crash Active Directory servers.
- CVE-2025-49716 (Netlogon): Uses incorrect memory management to cause crashes.
- CVE-2025-49722 (Print Spooler): Allows authenticated attackers to crash Windows endpoints.
Most of these are unauthenticated, meaning anyone on the network—or even from the internet—can trigger them. The vulnerabilities revolve around how Windows handles resource allocation and referral processes, exposing fundamental flaws in core services.
This research identifies a vulnerability in how LDAP referrals are processed, which is exploited by the Win-DDoS technique to coordinate DDoS attacks using Windows domain controllers. Attackers send crafted referral responses pointing to a target server, causing the domain controllers to flood the target with requests. By looping long referral lists, they generate significant traffic—potentially reaching terabit levels—without requiring malware or device compromise. This method enables large-scale, hard-to-trace attacks leveraging existing infrastructure.
This approach requires no malware and no compromise of devices, and it leaves no footprint, making it a nightmare for defenders and giving attackers the opportunity to:
- Crash any Windows server or endpoint remotely, including critical domain controllers.
- Create a massive, cost-free DDoS army using public infrastructure, with no need for malware or device breaches.
- Disrupt entire networks, halt operations, and cause millions in damages, all without alerting defenders until it's too late.
The vulnerabilities threaten to upend conventional security assumptions, emphasizing the urgent need for proactive monitoring, strict access controls, and rapid patch deployment.
Microsoft has acknowledged these findings and released patches for some of the vulnerabilities. But in the fast-moving world of cyber threats, patching is just one part of the solution. Additional best practices include implementing network segmentation and strict access controls, monitoring for abnormal referral traffic and resource spikes, limiting exposure of domain controllers and critical services, staying up to date with products and vendor notices, and applying security updates promptly.
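One way to act on the "monitor for abnormal referral traffic" advice above, given the referral-chaining mechanism described earlier: check every LDAP referral a domain controller is handed against an allowlist of the forest's own DCs, and flag receivers that see an unusual burst of referrals. This is an added illustration, not SafeBreach's or Microsoft's code; the event tuples, the hostnames and the thresholds are constructed assumptions, not a Windows log format.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts a referral in this forest should ever name.
TRUSTED_DC_HOSTS = {"dc01.corp.example", "dc02.corp.example", "dc03.corp.example"}

# Constructed sample events: (receiving DC, referral URL it was handed).
# The shape is an assumption for illustration, not a real Windows event format.
SAMPLE_EVENTS = [
    ("dc01.corp.example", "ldap://dc02.corp.example/DC=corp,DC=example"),
    ("dc01.corp.example", "ldap://dc03.corp.example/CN=Users,DC=corp,DC=example"),
    ("dc02.corp.example", "ldap://198.51.100.7:389/DC=corp,DC=example"),
] + [("dc03.corp.example", "ldap://203.0.113.25:389/DC=corp,DC=example")] * 30


def referral_host(url):
    """Return the host named by an ldap:// or ldaps:// referral URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return None
    return parts.hostname


def analyze_referrals(events, trusted_hosts=TRUSTED_DC_HOSTS, burst_threshold=10):
    """Flag referrals pointing outside the trusted DC set, and DCs that are
    handed an unusual volume of referrals. Returns a list of finding dicts."""
    findings = []
    untrusted = Counter()      # (receiver, referral host) -> count
    per_receiver = Counter()   # receiver -> total referrals seen
    for receiver, url in events:
        per_receiver[receiver] += 1
        host = referral_host(url)
        if host not in trusted_hosts:
            untrusted[(receiver, host)] += 1
    for (receiver, host), n in untrusted.items():
        findings.append({"kind": "untrusted_referral", "receiver": receiver,
                         "target": host, "count": n})
    for receiver, n in per_receiver.items():
        if n >= burst_threshold:
            findings.append({"kind": "referral_burst", "receiver": receiver,
                             "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze_referrals(SAMPLE_EVENTS):
        print(finding)
```

A referral naming a host outside the forest, or a DC suddenly chasing dozens of referrals, is the signal worth alerting on; the thresholds should be tuned to the baseline of the environment.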
As attackers find new ways to weaponize trusted systems, organizations must stay vigilant.
See SafeBreach's in-depth analysis and full report in their official post.