Win-DDoS Exploits Domain Controllers for DDoS Attacks

22 Aug 2025

SafeBreach researchers have uncovered a novel method, Win-DDoS, that lets attackers use public domain controllers as agents for distributed denial-of-service (DDoS) attacks. The technique leverages multiple vulnerabilities in Windows Active Directory domain controllers (DCs), turning them into unwilling participants that overwhelm targeted servers with malicious traffic.


Understanding the Vulnerabilities

The vulnerabilities, including CVE-2025-32724, pose significant security risks: attackers can essentially hijack a server's resources without needing credentials. These flaws allow unauthorized users to remotely crash publicly accessible systems and manipulate internal infrastructure. SafeBreach found four vulnerabilities, with CVE-2025-32724 identified as a zero-click threat that can be leveraged for DDoS.

The other vulnerabilities include uncontrolled resource consumption flaws in Windows LDAP and Windows Netlogon, such as CVE-2025-26673 and CVE-2025-49716, which allow similar denial-of-service attacks. Additionally, CVE-2025-49722 affects Print Spooler components and can crash domain controllers and related systems.

The Attack Mechanism

Win-DDoS operates through a sophisticated series of interactions. Attackers send specially crafted RPC calls to accessible DCs, causing them to function as CLDAP clients. These clients are directed to an attacker's CLDAP server, which subsequently issues an LDAP referral to another malicious server. This server delivers an extensive list of LDAP URLs, all resolving to the victim's IP and port.

The LDAP queries that the DCs send when they follow these referrals generate what can be described as 'volumetric' traffic that significantly impacts the victim server. Many services reject the non-HTTP LDAP packets; however, the domain controllers keep sending queries as directed by the attacker's referrals.
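The two network-visible stages described above (a DC contacting an outside CLDAP server, then a DC sending a burst of connections to one IP and port) can be checked for in flow logs. The sketch below is an added example, not code from SafeBreach or Microsoft; the flow-record layout, DC inventory, internal ranges, thresholds and sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch (not from the article): the DC inventory, the
# internal ranges, the thresholds and the flow-record layout are hypothetical.
DC_HOSTS = {"dc01"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW_SECONDS, BURST_THRESHOLD = 60, 20

# Constructed flow records: (epoch_seconds, source_host, proto, dst_ip, dst_port)
SAMPLE_FLOWS = (
    [(0, "dc01", "udp", "203.0.113.10", 389),   # DC acting as CLDAP client to an outside server
     (0, "ws01", "udp", "203.0.113.10", 389),   # workstation, not a DC: out of scope here
     (5, "dc01", "tcp", "10.0.0.5", 389),       # ordinary internal LDAP
     (9, "dc01", "tcp", "10.0.0.5", 389)]
    + [(10 + i, "dc01", "tcp", "198.51.100.7", 8080) for i in range(25)]  # referral burst
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def has_burst(times, window, threshold):
    """True if `threshold` or more sorted timestamps fall inside any `window`-second span."""
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def detect(flows, dcs=DC_HOSTS):
    alerts, per_target = [], defaultdict(list)
    for ts, src, proto, dst, port in sorted(flows):
        if src not in dcs:
            continue
        if proto == "udp" and port == 389 and not is_internal(dst):
            alerts.append(("cldap_to_external", src, dst, port))
        elif proto == "tcp":
            per_target[(src, dst, port)].append(ts)
    # The victim may be internal or external, so bursts are flagged for any destination.
    for (src, dst, port), times in sorted(per_target.items()):
        if has_burst(times, WINDOW_SECONDS, BURST_THRESHOLD):
            alerts.append(("tcp_burst_single_target", src, dst, port))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The threshold and window need tuning against a baseline of normal DC traffic such as replication, which can also produce many connections to one peer.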

Mitigations and Recommendations

The researchers from SafeBreach, namely Or Yair and Shahak Morag, strongly advise organizations to immediately install patches released by Microsoft for Windows Server and Active Directory. These updates, issued in the months of April, June, and July 2025, are crucial for mitigating the risks posed by these vulnerabilities.

Furthermore, SafeBreach suggests that companies assume all servers and endpoints are potential targets for DDoS attacks, irrespective of whether they are public-facing or strictly internal. They recommend deploying effective detection and defense mechanisms, along with strategies for rapidly identifying attack sources, to strengthen defensive postures against Win-DDoS threats.
