Security researchers have unveiled a troubling zero-click exploit known as WIN-DOS, capable of turning Windows Domain Controllers (DCs) into a powerful botnet for Distributed Denial-of-Service (DDoS) attacks. This revelation comes amid a significant increase in DDoS incidents, which rose by 56% year-over-year in late 2024. Recent examples include Cloudflare's blocking of a flood measuring a staggering 7.3 Tbps in 2025.
The WIN-DOS exploit threatens enterprise infrastructures by abusing Windows' Lightweight Directory Access Protocol (LDAP) client. Using a crafted RPC call, the exploit facilitates endless LDAP referrals that can redirect thousands of DCs to bombard a victim server with TCP traffic. This zero-click vulnerability requires no malware, credentials, or lateral movement, making threat detection challenging.
Technical Insights and Key Vulnerabilities
The researchers at SafeBreach Labs identified multiple Common Vulnerabilities and Exposures (CVEs) that play a role in this exploit:
- CVE-2025-32724: Affects LSASS (LDAP client) by causing memory exhaustion, capable of crashing DCs without any privilege requirements. A patch was released in June 2025.
- CVE-2025-26673: Impacts NetLogon (RPC) with a TorpeDoS memory crash, tackled by a patch in May 2025.
- CVE-2025-49716: Relates to NetLogon's stateless RPC DoS, addressed by a July 2025 patch.
- CVE-2025-49722: Affects the Print Spooler (RPC), potentially crashing any Windows endpoint. This too was patched in July 2025.
Alongside WIN-DOS, SafeBreach demonstrated TorpeDoS, which manipulates RPC to deluge a server with connections from a single machine. These exploits expose weaknesses in systems that rely on open LDAP referral logic and unbounded RPC calls, creating single-packet vulnerabilities across modern Windows environments.
Implications for Enterprises and the Cyber Landscape
Domain Controllers are integral to enterprise identity and access management; taking them offline disrupts logons and business processes. Even internal-only DCs are at risk, overturning the notion that denial-of-service attacks primarily target an organization’s Internet perimeter.
In response, SafeBreach shared these findings with Microsoft in March 2025, prompting security patches in June and July. Microsoft advises administrators to rapidly apply these patches and restrict CLDAP/RPC exposure, particularly for Internet-exposed systems.
The WIN-DOS exploit underscores a shift in attacker strategies towards leveraging legitimate servers for amplification, bypassing traditional defenses that focus on malware detection. A state actor exploiting such vulnerabilities could potentially redirect DCs globally to attack critical infrastructure, complicating efforts to trace and counter these assaults.
Enterprises must reconsider threat models that treat Domain Controllers as merely defensive assets. They should incorporate comprehensive denial-of-service hardening, monitor RPC traffic closely, and enforce rigorous patch management to mitigate the risk of their Windows infrastructure becoming a vast botnet.
