
Win-DoS Epidemic: New DoS and DDoS Attacks Start with Microsoft Windows

Redazione RHC: 11 August 2025 09:05

At the DEF CON 33 security conference, two researchers from SafeBreach Labs, Yair and Shahak Morag, presented a new category of denial-of-service (DoS) attacks they have dubbed the “Win-DoS Epidemic.” Their research shows how an attacker can take down any Windows endpoint or server, including critical domain controllers (DCs), and even turn publicly reachable DCs into a large-scale DDoS botnet.

The two researchers presented four Windows DoS vulnerabilities and one Distributed Denial-of-Service (DDoS) technique, all of which can be triggered without any user interaction (zero-click). The flaws, all classified as “uncontrolled resource consumption,” are:

  • CVE-2025-26673 (CVSS 7.5): a high-severity DoS vulnerability in Windows LDAP.
  • CVE-2025-32724 (CVSS 7.5): a high-severity DoS vulnerability in Windows LSASS.
  • CVE-2025-49716 (CVSS 7.5): a high-severity DoS vulnerability in Windows Netlogon.
  • CVE-2025-49722 (CVSS 5.7): a medium-severity DoS vulnerability in the Windows Print Spooler, which requires an authenticated attacker on an adjacent network.

A successful DoS attack against a DC can cripple an entire organization, making it impossible for users to log in, access resources, or perform daily operations. “Introducing the ‘Win-DoS Epidemic’: DoS tools that exploit four new zero-click Win-DoS vulnerabilities and one Win-DDoS! They crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS attacks. The epidemic has begun,” the researchers said.

Domain controllers form the backbone of most enterprise networks, handling authentication and centralizing user and resource management. The researchers’ work builds on their previous discovery, the LdapNightmare vulnerability (CVE-2024-49113), which was the first public DoS exploit for a Windows domain controller. The new findings significantly expand this threat, going beyond just LDAP to abuse other core Windows services.

The most alarming discovery is the new DDoS technique, which the researchers have dubbed Win-DDoS. It abuses a flaw in the referral handling of the Windows LDAP client. In normal operation, an LDAP referral tells a client to contact a different server to complete its request. Yair and Morag found that by manipulating this process they could redirect DCs to a victim server of their choosing and, crucially, cause the DCs to repeat that redirection without end.

This behavior lets an attacker harness the bandwidth of tens of thousands of publicly reachable DCs around the world, turning them into a massive, free, and hard-to-trace DDoS botnet. The attack requires no infrastructure of the attacker’s own, and the attack traffic originates from the abused DCs rather than from the attacker’s machine, so little points back to its source.

This technique represents a significant shift in DDoS attacks, enabling high-bandwidth, high-volume attacks without the typical costs or risks associated with setting up and maintaining a botnet.
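Because the traffic comes from the abused DCs rather than from the attacker, the signal a defender can look for is a domain controller repeatedly opening outbound LDAP connections to a single host that is not a known DC. The following detection sketch is an added example, not code from the article or from SafeBreach; the log format, the addresses, the port list and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed connection records (format and addresses are assumptions for this
# example, not data from the article): DC 10.0.0.5 talks to a peer DC normally,
# then opens a burst of LDAP connections to one outside host.
SAMPLE_LOG = """\
2025-08-11T09:00:00Z src=10.0.0.5 dst=10.0.0.6 dport=389
2025-08-11T09:00:05Z src=10.0.0.5 dst=10.0.0.6 dport=389
2025-08-11T09:00:10Z src=10.0.0.5 dst=203.0.113.10 dport=389
2025-08-11T09:00:10Z src=10.0.0.5 dst=203.0.113.10 dport=389
2025-08-11T09:00:11Z src=10.0.0.5 dst=203.0.113.10 dport=389
2025-08-11T09:00:11Z src=10.0.0.5 dst=203.0.113.10 dport=389
2025-08-11T09:00:12Z src=10.0.0.5 dst=203.0.113.10 dport=389
2025-08-11T09:00:12Z src=10.0.0.5 dst=203.0.113.10 dport=389
"""
LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog
KNOWN_DCS = {"10.0.0.5", "10.0.0.6"}  # assumed inventory of legitimate DCs

def parse_line(line):
    """Parse one 'timestamp k=v k=v' record into a dict (ts as UTC datetime)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec

def find_referral_floods(log_text, dc_ips=KNOWN_DCS, threshold=5, window_seconds=60):
    """Return {(dc, target): peak} for each DC that opened more than `threshold`
    LDAP connections to a single non-DC host inside any `window_seconds` window,
    which is how a DC stuck in a referral loop looks from the network."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["src"] in dc_ips and rec["dport"] in LDAP_PORTS and rec["dst"] not in dc_ips:
            times[(rec["src"], rec["dst"])].append(rec["ts"])
    floods = {}
    for key, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[key] = peak
    return floods

if __name__ == "__main__":
    for (dc, target), n in find_referral_floods(SAMPLE_LOG).items():
        print(f"ALERT: DC {dc} opened {n} LDAP connections to {target} within 60s")
```

Legitimate replication and referral traffic between your own DCs is excluded by the inventory set, so tune the threshold against a baseline of normal outbound LDAP activity before alerting on it.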

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
