{"id":6043,"date":"2025-08-11T10:03:49","date_gmt":"2025-08-11T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/11\/new-win-dos-zero-click-vulnerabilities-turns-windows-server-endpoint-domain-controllers-into-ddos-botnet\/"},"modified":"2025-08-11T10:03:49","modified_gmt":"2025-08-11T10:03:49","slug":"new-win-dos-zero-click-vulnerabilities-turns-windows-server-endpoint-domain-controllers-into-ddos-botnet","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/11\/new-win-dos-zero-click-vulnerabilities-turns-windows-server-endpoint-domain-controllers-into-ddos-botnet\/","title":{"rendered":"New \u2018Win-DoS\u2019 Zero-Click Vulnerabilities Turn Windows Server\/Endpoint, Domain Controllers Into DDoS Botnet"},"content":{"rendered":"<div>\n<p>LAS VEGAS \u2014 At the DEF CON 33 security conference, researchers Yair and Shahak Morag of SafeBreach Labs unveiled a new class of denial-of-service (DoS) attacks, dubbed the \u201cWin-DoS Epidemic.\u201d <\/p>\n<p>The duo presented their findings, which include four new Windows DoS vulnerabilities and one zero-click distributed denial-of-service (DDoS) flaw.<\/p>\n<p>The discovered flaws, all of which are categorized as \u201cuncontrolled resource consumption,\u201d include:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong><a href=\"https:\/\/cybersecuritynews.com\/windows-remote-desktop-gateway-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2025-26673<\/a> (CVSS 7.5):<\/strong>\u00a0A high-severity DoS vulnerability in Windows LDAP.<\/li>\n<li>\n<strong><a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-june-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-32724<\/a> (CVSS 7.5):<\/strong>\u00a0A high-severity DoS vulnerability in Windows LSASS.<\/li>\n<li>\n<strong><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49716\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2025-49716<\/a> (CVSS 7.5):<\/strong>\u00a0A high-severity DoS vulnerability in Windows Netlogon.<\/li>\n<li>\n<strong><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49722\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-49722<\/a> (CVSS 5.7):<\/strong>\u00a0A medium-severity DoS vulnerability in the Windows Print Spooler, which requires an authenticated attacker on an adjacent network.<\/li>\n<\/ul>\n<p>The <a href=\"https:\/\/defcon.org\/html\/defcon-33\/dc-33-speakers.html#content_60389\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">research<\/a> demonstrates how attackers can crash any Windows endpoint or server, including critical Domain Controllers (DCs), and even weaponize public DCs to create a massive DDoS botnet.<\/p>\n<p>\u201cWe present \u2018Win-DoS Epidemic\u2019 \u2013 DoS tools exploiting four new Win-DoS and one Win-DDoS zero-click vulns! Crash any Windows endpoint\/server, including DCs, or launch a botnet using public DCs for DDoS. The epidemic has begun,\u201d the researchers said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-the-dangers-of-dos-on-domain-controllers\"><strong>The Dangers of DoS on Domain Controllers<\/strong><\/h2>\n<p>Domain Controllers are the backbone of most organizational networks, handling authentication and centralizing user and resource management. 
<\/p>\n<p>A successful DoS attack against a DC can\u00a0paralyze an entire organization, making it impossible for users to log in, access resources, or perform daily operations.<\/p>\n<p>The researchers\u2019 work builds on their previous discovery, the <a href=\"https:\/\/cybersecuritynews.com\/ldap-exploit-malware-install\/\" target=\"_blank\" rel=\"noreferrer noopener\">LdapNightmare<\/a> vulnerability (CVE-2024-49113), which was the first public DoS exploit for a Windows DC. The new findings expand this threat significantly, moving beyond just LDAP to abuse other core Windows services.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-a-new-botnet-harnessing-public-infrastructure\"><strong>A New Botnet Harnessing Public Infrastructure<\/strong><\/h2>\n<p>The most alarming discovery is a novel DDoS technique, which the researchers have named\u00a0<strong>Win-DDoS<\/strong>. This attack leverages a flaw in the Windows LDAP client\u2019s referral process. <\/p>\n<p>In normal operation, an LDAP referral directs a client to a different server to fulfill a request. Yair and Morag discovered that by manipulating this process, they could redirect DCs to a victim server, and, crucially, they found a way to make the DCs relentlessly repeat this redirection.<\/p>\n<p>This behavior allows an attacker to harness the immense power of\u00a0tens of thousands of public DCs worldwide, turning them into a massive, free, and untraceable DDoS botnet. <\/p>\n<p>The attack requires no special infrastructure and leaves no forensic trail, as the malicious activity originates from the compromised DCs, not the attacker\u2019s machine. 
<\/p>\n<p>This technique represents a significant shift in DDoS attacks, as it allows for high-bandwidth, high-volume attacks without the typical costs or risks associated with setting up and maintaining a botnet.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-abusing-rpc-for-system-crashes\"><strong>Abusing RPC for System Crashes<\/strong><\/h2>\n<p>In addition to the DDoS botnet, the researchers focused on the Remote Procedure Call (RPC) protocol, which is a fundamental component of Windows for inter-process communication. <\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"youtube-embed\" data-video_id=\"Itqhjh-5XmY\"><iframe loading=\"lazy\" title=\"DDoS demo\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/Itqhjh-5XmY?feature=oembed&amp;enablejsapi=1\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/div>\n<\/figure>\n<p>RPC servers are ubiquitous in the Windows environment and often have wide attack surfaces, especially those that don\u2019t require authentication. <\/p>\n<p>The <a href=\"https:\/\/www.safebreach.com\/blog\/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SafeBreach team found<\/a> that by abusing security gaps in RPC bindings, they could repeatedly hit the same RPC server from a single system, effectively bypassing standard concurrency limits.<\/p>\n<p>This method allowed them to discover three new\u00a0zero-click, unauthenticated DoS vulnerabilities\u00a0that can crash any Windows system\u2014servers and endpoints alike. 
<\/p>\n<p>They also found another DoS flaw that can be exploited by any authenticated user on the network. <\/p>\n<p>These vulnerabilities break common assumptions that internal systems are safe from abuse without a full compromise, demonstrating that even a minimal presence on a network can be used to cause widespread operational failure.<\/p>\n<p>The researchers have released a set of tools, collectively called\u00a0<strong>\u201cWin-DoS Epidemic,\u201d<\/strong>\u00a0that exploit these five new vulnerabilities. The tools can be used to crash any unpatched Windows endpoint or server remotely, or to orchestrate a Win-DDoS botnet using public DCs. <\/p>\n<p>These findings underscore the critical need for organizations to reassess their threat models and security postures, particularly regarding internal systems and services like DCs. <\/p>\n<p>Microsoft has since released patches for the LdapNightmare vulnerability, but the new discoveries highlight the ongoing need for vigilance and continuous security validation.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/win-dos-zero-click-vulnerabilities-turns-windows-domain-controllers-into-ddos-botnet\/\">New \u2018Win-DoS\u2019 Zero-Click Vulnerabilities Turn Windows Server\/Endpoint, Domain Controllers Into DDoS Botnet<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Balaji N<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New \u2018Win-DoS\u2019 Zero-Click Vulnerabilities Turns Windows Server\/Endpoint, Domain Controllers Into DDoS Botnet LAS VEGAS \u2014 At the DEF CON 33 security conference, researchers Yair and Shahak Morag of SafeBreach Labs unveiled a new class of denial-of-service (DoS) attacks, dubbed the \u201cWin-DoS Epidemic.\u201d The duo presented their findings, which include four new Windows DoS vulnerabilities and 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,1680,63,416,648,395],"tags":[130],"class_list":["post-6043","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news-live","category-cyber-security-news","category-vulnerabilities","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6043"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6043"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6043\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}