New ‘Win-DoS’ Zero-Click Vulnerabilities Turn Windows Servers & Domain Controllers into a DDoS Botnet Date: 11 Aug 2025 (IST) Author: CyberDudeBivash — your daily dose of ruthless, engineering-grade threat intel.

 


Executive summary

SafeBreach researchers unveiled a new class of Windows denial-of-service issues—Win-DoS—and a novel DDoS technique dubbed Win-DDoS that can conscript public Domain Controllers (DCs) into a high-bandwidth botnet without malware, credentials, or user interaction. Microsoft addressed the underlying flaws across the May–July 2025 Patch Tuesdays. If your DCs or Windows servers are reachable over the internet (or poorly segmented internally), treat this as priority-1 patching and egress-filtering work. SafeBreach; The Hacker News


What actually broke (CVE quick map)

Microsoft fixed four “uncontrolled resource consumption” bugs that the research chains into Win-DDoS/Win-DoS effects:

  • CVE-2025-26673 (LDAP client) — unauth DoS over the network (fixed May 2025). The Hacker News

  • CVE-2025-32724 (LSASS) — unauth DoS (fixed June 2025). The Hacker News

  • CVE-2025-49716 (Netlogon) — unauth DoS (fixed July 2025). The Hacker News

  • CVE-2025-49722 (Print Spooler) — authenticated, adjacent-network DoS (fixed July 2025). The Hacker News

Related context: CVE-2025-47978 “NOTLogon” (July 8, 2025) is another DC-killing DoS in Netlogon discovered by Silverfort; patch it in the same maintenance window. Silverfort


The Win-DDoS attack flow (zero-click on the victim DC)

  1. Trigger CLDAP from afar: An attacker sends a specific RPC call that turns a DC into a CLDAP client. The Hacker News

  2. Referral games: The attacker’s CLDAP server replies with a referral to their LDAP server, switching UDP→TCP. The Hacker News

  3. Referral list bomb: The LDAP server returns a very long referral list, all pointing to the same target IP/port. The DC dutifully iterates the list, repeatedly connecting to the target, amplifying traffic without tripping classic DDoS signatures. The Hacker News

  4. Stealth & scale: Because traffic originates from legitimate DCs (often tens of thousands are publicly reachable), the attack is high-bandwidth, “infrastructure-free,” and low-forensic-noise. SafeBreach

Win-DoS (local crash vector)

The same referral logic, plus separate RPC-based resource-exhaustion paths, can crash LSASS or the kernel (blue screen or automatic reboot) on DCs and on ordinary Windows endpoints; several of these paths require no authentication at all. SafeBreach


Real-world impact scenarios

  • Org-wide outage: DC crashes halt Kerberos/NTLM, Group Policy, and logons—business stops. (Win-DoS) SafeBreach

  • “Reflected” nation-state-style DDoS: Adversaries point foreign DCs at a target to muddy attribution and generate huge TCP churn against the victim. (Win-DDoS) SafeBreach; The Hacker News

  • Internal sabotage: Minimal foothold + RPC access inside the LAN can repeatedly brick DCs without code execution. (Win-DoS) SafeBreach


Are you exposed? Quick checks

  • Internet exposure: Any LDAP/CLDAP/RPC service from DCs visible to the internet is a red flag. Even if firewalled, permissive egress lets DCs attack others. (Block both directions.) SafeBreach

  • Patch status: Confirm May–July 2025 cumulative updates across DCs and member servers. The four CVEs above span those months. The Hacker News

  • Netlogon health: Ensure July 8, 2025 updates (NOTLogon) are present. Silverfort


Detection & hunting ideas (practical)

Network/EDR:

  • Spike of outbound LDAP/CLDAP from DCs to one external IP/port with many short TCP connects/resets. (Sysmon Event ID 3 on DCs; correlate high connection counts/min.) SafeBreach

  • Unusual CLDAP (UDP/389) egress from DCs at all (most orgs never allow it to the internet). SafeBreach

Example Sigma-style (conceptual):

  • Source: DCs; Event: network-connect; Filter: dest_port in [389, 636, 80, 443] AND dest_ip not in org_allowlist AND connections_per_minute > threshold.

Windows telemetry clues (crash path):

  • Application Error (Event ID 1000) entries for lsass.exe, or Wininit recording that lsass.exe terminated unexpectedly and forced a restart, followed by Event ID 6008 (unexpected shutdown) or Kernel-Power 41. Investigate the RPC/LDAP traffic to non-org IPs in the minutes before the crash. SafeBreach
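The two network signals above, turned into a hunt you can run on a DC. This is an added example, not code from SafeBreach or The Hacker News: it flattens Sysmon Event ID 3 records, groups the DC's own outbound connections by destination, flags any CLDAP (UDP/389) leaving for a non-private address, and flags TCP destinations that receive more than a threshold of connects inside a sliding window. The threshold, the window, the private-address test, and the sample events (including the 203.0.113.0/24 addresses and lsass.exe as the originating image) are assumptions; tune them to your DCs' normal egress.

```powershell
# Added example (not code from SafeBreach or The Hacker News). Hunts Sysmon Event ID 3
# records from a domain controller for the two signals above: a burst of outbound connects
# to one external IP:port, and any outbound CLDAP (UDP/389) at all. The threshold, the
# window and the sample events are assumptions; tune them to your DCs' normal egress.

function Test-PrivateIPv4 {
    # Crude RFC 1918 / loopback check; anything else (including IPv6) counts as external here.
    param([string] $Ip)
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { return $false }
    $a = [int]$o[0]; $b = [int]$o[1]
    return ($a -eq 10) -or ($a -eq 127) -or
           ($a -eq 192 -and $b -eq 168) -or
           ($a -eq 172 -and $b -ge 16 -and $b -le 31)
}

function ConvertFrom-SysmonNetworkEvent {
    # Flattens a live Sysmon Event ID 3 record (from Get-WinEvent) into the shape Find-ReferralStorm reads.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($d.UtcTime, 'yyyy-MM-dd HH:mm:ss.fff', $null)
            Image     = $d.Image
            Protocol  = $d.Protocol
            Initiated = $d.Initiated          # Sysmon writes 'true' / 'false' as strings
            DestIp    = $d.DestinationIp
            DestPort  = [int]$d.DestinationPort
        }
    }
}

function Find-ReferralStorm {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,
        [int] $Threshold = 100,      # connects to one IP:port inside the window (assumed)
        [int] $WindowSeconds = 60
    )
    # Only connections the DC itself initiated towards non-private addresses matter.
    $egress = $Connections | Where-Object { $_.Initiated -eq 'true' -and -not (Test-PrivateIPv4 $_.DestIp) }

    foreach ($g in ($egress | Group-Object { "$($_.Protocol)/$($_.DestIp):$($_.DestPort)" })) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $peak = 0; $j = 0
        for ($i = 0; $i -lt $times.Count; $i++) {           # two-pointer sliding window
            while (($times[$i] - $times[$j]).TotalSeconds -gt $WindowSeconds) { $j++ }
            if (($i - $j + 1) -gt $peak) { $peak = $i - $j + 1 }
        }
        $first   = $g.Group[0]
        $isCldap = ($first.Protocol -eq 'udp') -and ($first.DestPort -eq 389)
        if (-not $isCldap -and $peak -lt $Threshold) { continue }
        $reason = 'Referral storm'
        if ($isCldap) { $reason = 'CLDAP egress' }     # one datagram is enough to report
        [pscustomobject]@{
            Reason        = $reason
            Destination   = $g.Name
            Total         = $g.Count
            PeakPerWindow = $peak
            Images        = ($g.Group.Image | Sort-Object -Unique) -join ', '
            FirstSeen     = $times[0]
            LastSeen      = $times[-1]
        }
    }
}

# Constructed sample (not real telemetry): 150 connects from lsass.exe to one external LDAP
# port within 30 s, one CLDAP datagram to the same host, and some benign traffic.
$t0    = [datetime]::new(2025, 8, 11, 10, 15, 0, [DateTimeKind]::Utc)
$lsass = 'C:\Windows\System32\lsass.exe'
$sample = @(0..149 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMilliseconds(200 * $_); Image = $lsass; Protocol = 'tcp'; Initiated = 'true'; DestIp = '203.0.113.10'; DestPort = 389 }
})
$sample += [pscustomobject]@{ Time = $t0.AddSeconds(-1); Image = $lsass; Protocol = 'udp'; Initiated = 'true';  DestIp = '203.0.113.10'; DestPort = 389 }
$sample += [pscustomobject]@{ Time = $t0.AddSeconds(5);  Image = $lsass; Protocol = 'tcp'; Initiated = 'true';  DestIp = '10.0.0.12';    DestPort = 389 }    # DC-to-DC, internal
$sample += [pscustomobject]@{ Time = $t0.AddSeconds(9);  Image = 'C:\Windows\System32\svchost.exe'; Protocol = 'tcp'; Initiated = 'true'; DestIp = '203.0.113.77'; DestPort = 443 }  # one CRL fetch
$sample += [pscustomobject]@{ Time = $t0.AddSeconds(12); Image = $lsass; Protocol = 'tcp'; Initiated = 'false'; DestIp = '10.0.0.5';     DestPort = 49670 }  # inbound, ignored

Find-ReferralStorm -Connections $sample -Threshold 100 | Format-Table -AutoSize

# On a DC running Sysmon, replace the sample with the last hour of live events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-SysmonNetworkEvent | Find-ReferralStorm
```

On the sample, the storm against 203.0.113.10:389 and the single CLDAP datagram are reported; the internal LDAP connect, the inbound connection, and the lone 443 fetch are not. The two-pointer window is what keeps this honest against slow drips: a referral list walked at a steady rate still peaks above the threshold, whereas a per-minute bucket count can split a burst across two buckets and miss it.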


Mitigation & hardening (do these now)

  1. Patch in order: Apply May–July 2025 cumulative updates to address CVE-2025-26673/32724/49716/49722; verify with your WSUS/Intune reports. The Hacker News

  2. Egress-filter DCs:

    • Block DC outbound to the internet except to explicit allowlists (CRLs/OCSP, update endpoints, LDAPS to trusted partners).

    • Deny CLDAP (UDP/389) entirely at the edge; restrict LDAP/LDAPS (389/636) strictly. SafeBreach

  3. Ingress control: No DC should be internet-reachable on RPC/LDAP/SMB/Spooler. If you must publish directory services, front them with proxies and DoS controls. SafeBreach

  4. RPC hygiene: Pin the RPC dynamic port range (registry/GPO) and use host firewalls to restrict TCP/135 plus that range to internal domain subnets. DCs must stay reachable by domain members, so scope by network, never by a short list of management hosts, and never from the internet. (Reduces attack surface for the RPC-based DoS.) SafeBreach

  5. Monitoring guardrails:

    • Alert on >N outbound connections/minute from DCs to a single IP.

    • Detect LDAP referral storms: repeated short-lived TCP connects from DCs to the same destination IP/port, grouped by destination tuple rather than by flow. The Hacker News

  6. Incident playbook (if hit):

    • Isolate the noisy DC at the switch or firewall; keep one healthy DC serving auth.

    • Capture netflow/pcaps to identify the referral target IP and the triggering source(s).

    • Return the DC to service only after confirming its patch level; re-enable it behind tightened egress ACLs. SafeBreach
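The egress-filtering, RPC-hygiene and "are you exposed?" items above, as host-side PowerShell. This is an added example, not a Microsoft or SafeBreach script, and it assumes: the DC runs the built-in Windows Defender Firewall, the RPC dynamic range 49152-53247 is acceptable for your environment, and 203.0.113.10 stands in for an outside host you control. Run it elevated on the DC, with -WhatIf first, and in a lab before production.

```powershell
# Added example, not a Microsoft or SafeBreach script: host-firewall egress rules on a DC,
# pinning of the RPC dynamic range, and an egress probe for the "are you exposed?" check.
# Run elevated on the DC, with -WhatIf first, and in a lab before production. The RPC range
# and the external probe address are assumptions; the probe host must be one you control.

function Set-DcEgressRules {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $rules = @(
        @{ DisplayName = 'DC egress: block CLDAP to Internet';      Protocol = 'UDP'; RemotePort = '389' },
        @{ DisplayName = 'DC egress: block LDAP/LDAPS to Internet'; Protocol = 'TCP'; RemotePort = @('389', '636') }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }   # idempotent
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'New-NetFirewallRule')) {
            # 'Internet' is the firewall's built-in keyword for non-local, non-intranet addresses.
            New-NetFirewallRule @r -Direction Outbound -Action Block -Profile Any -RemoteAddress Internet | Out-Null
        }
    }
}

function Set-RpcDynamicPortRange {
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $Start = 49152, [int] $Count = 4096)   # assumed range; mirror it in edge/host ACLs
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $end = $Start + $Count - 1
    if ($PSCmdlet.ShouldProcess($key, "Restrict RPC dynamic ports to $Start-$end")) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @("$Start-$end") -Force | Out-Null
        New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
        New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
        # Effective after a reboot. RPC endpoints then stay inside $Start-$end, so the host firewall
        # can admit TCP/135 plus that range from internal subnets only.
    }
}

function Test-DcEgress {
    # TCP probe of an outside host you control (address assumed). On a permissive network TcpOpen
    # is True before the block rule and False after it. UDP/389 cannot be probed this way: confirm
    # CLDAP egress from Sysmon or netflow telemetry instead.
    param([string] $Probe = '203.0.113.10', [int] $Port = 389)
    $r = Test-NetConnection -ComputerName $Probe -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Probe; Port = $Port; TcpOpen = $r.TcpTestSucceeded }
}

Set-DcEgressRules -WhatIf            # preview what would be created
Set-RpcDynamicPortRange -WhatIf
# Then run both without -WhatIf, reboot for the RPC change to take effect, and confirm:
# Test-DcEgress
```

One caveat that decides where the LDAPS allowlist lives: in Windows Defender Firewall an explicit block rule wins over any allow rule, so an internet-resident partner LDAPS endpoint cannot be carved out of the block above with a host allow rule. Either make that exception at the edge firewall, or switch the profile to a default-deny outbound posture (Set-NetFirewallProfile -DefaultOutboundAction Block) and write explicit allow rules for everything the DC legitimately needs, which is a larger change that deserves its own testing.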


Why this matters (bigger picture)

Win-DDoS shows you can weaponize trusted core services (LDAP client in DCs) as amplifiers without compromise. It breaks common assumptions in enterprise threat models—DoS is not just an “external web thing,” and internal infrastructure can become an attacker’s cannon. Treat DCs like crown-jewel applications with strict egress/ingress policies, not just “authentication appliances.” SafeBreach


References & latest

  • SafeBreach technical write-up and DEF CON 33 talk (Aug 10, 2025). SafeBreach

  • The Hacker News summary with CVE mapping and patch months (Aug 10, 2025). The Hacker News

  • Silverfort “NOTLogon” (CVE-2025-47978) DC DoS (patched July 8, 2025). Silverfort
