Stratos Ally

Win-DDoS Exploit Turns Servers Into Untraceable Attack Engines


StratosAlly


Cybersecurity researchers have raised concerns over a newly uncovered method that can convert thousands of publicly accessible Windows Domain Controllers (DCs) worldwide into an undetectable botnet, potentially enabling massive distributed denial-of-service (DDoS) campaigns without breaching a single device. 

SafeBreach researchers Or Yair and Shahak Morag dubbed the method Win-DDoS and revealed it at the DEF CON 33 conference. By exploiting flaws in how the Windows LDAP client handles unlimited referral lists, attackers can direct Domain Controllers to repeatedly query a victim server, overloading it with high-bandwidth LDAP traffic. This approach eliminates the need for traditional botnet infrastructure, leaving a virtually untraceable footprint. 

Researchers demonstrated that a single specially crafted Remote Procedure Call (RPC) can cause Windows Domain Controllers to act as connectionless LDAP (CLDAP) clients. This triggers the DCs to connect to an attacker-controlled LDAP server, which provides a referral list containing numerous LDAP URLs, all directing traffic to the victim’s IP address and port. The DCs follow these referrals by repeatedly sending queries, creating a sustained and high-volume flood of traffic until all referrals are processed. This flaw isn’t limited to DDoS flooding; unbounded referral lists can trigger LSASS crashes, system reboots, or blue screens of death by exhausting domain controller resources.
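The behaviour described above, a domain controller chasing a long referral list, leaves a recognisable trace in network telemetry: one DC opening a burst of outbound LDAP/CLDAP connections to a single destination that is not one of the organisation's own directory servers. The following Python detector is an added example, not code from the article or from SafeBreach; it runs over constructed flow records, and the DC list, the allowlist of legitimate LDAP peers, the time window and the alert threshold are all assumptions a deployment would tune.

```python
# Added example (not part of the Stratos Ally article or SafeBreach's work).
# Flags a domain controller that appears to be chasing an unbounded LDAP
# referral list: many outbound LDAP/CLDAP flows from one DC to one
# non-allowlisted destination inside a short time window.
# All flow records, addresses and thresholds below are constructed samples.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# LDAP, LDAPS and Global Catalog ports (assumption: these are what a DC's
# LDAP client would use when following referrals).
LDAP_PORTS = {389, 636, 3268, 3269}

# Hypothetical inventory of our own domain controllers.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}
# Hypothetical allowlist of hosts our DCs legitimately query over LDAP
# (other DCs plus a trusted-forest DC).
LDAP_PEERS_ALLOWED = KNOWN_DCS | {"10.0.5.20"}


@dataclass(frozen=True)
class Flow:
    ts: float    # epoch seconds
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


def detect_referral_flood(flows: Iterable[Flow], window: float = 10.0,
                          threshold: int = 50) -> List[Tuple[str, str, int]]:
    """Return (dc, destination, peak_count) for every DC/destination pair
    where the DC opened at least `threshold` outbound LDAP flows to a
    non-allowlisted destination within any `window`-second span."""
    buckets = defaultdict(list)
    for f in flows:
        if (f.src in KNOWN_DCS and f.dport in LDAP_PORTS
                and f.dst not in LDAP_PEERS_ALLOWED):
            buckets[(f.src, f.dst)].append(f.ts)

    alerts = []
    for (dc, dst), times in buckets.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: count the densest run of flows within `window` seconds.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((dc, dst, peak))
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed telemetry: normal DC-to-DC replication traffic, a few
    stray lookups, and one DC hammering an external host on port 389."""
    flows = []
    # Benign: DC1 talking to DC2 and to the trusted-forest DC (allowlisted).
    flows += [Flow(1000.0 + i, "10.0.0.10", "10.0.0.11", 389) for i in range(20)]
    flows += [Flow(1000.0 + i, "10.0.0.10", "10.0.5.20", 3268) for i in range(5)]
    # Benign: a workstation (not a DC) querying LDAP is out of scope here.
    flows += [Flow(1000.0 + i, "10.0.7.42", "10.0.0.10", 389) for i in range(30)]
    # Low-volume, non-allowlisted lookups from DC2: below threshold, no alert.
    flows += [Flow(1000.0 + 30 * i, "10.0.0.11", "198.51.100.9", 389) for i in range(3)]
    # Suspicious: DC1 opens 200 LDAP flows to one external host in ~5 seconds.
    flows += [Flow(1000.0 + 0.025 * i, "10.0.0.10", "203.0.113.7", 389) for i in range(200)]
    return flows


if __name__ == "__main__":
    for dc, dst, count in detect_referral_flood(sample_flows()):
        print(f"ALERT: DC {dc} opened {count} LDAP flows to {dst} within 10s")
```

The key design choice is to key the detector on the source being a domain controller and the destination being outside the set of hosts the DC is expected to query; a DC that suddenly behaves as an LDAP client toward an unknown address is the signal, independent of the absolute traffic volume of the network as a whole.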

SafeBreach noted that this discovery was part of a broader investigation into “developer blind spots” in Windows, specifically how client-side code and transport-agnostic server code can be manipulated for denial-of-service attacks. Alongside Win-DDoS, the team identified four new vulnerabilities, three of which can crash DCs without authentication, and one that lets any authenticated domain user bring down Windows endpoints. The flaws, now patched by Microsoft between May and July 2025, include CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722. Researchers highlight that these are zero-click, unauthenticated vulnerabilities, meaning attackers don’t need stolen credentials to exploit exposed systems over the network.

Researchers also unveiled a related single-host flooding method, TorpeDoS, which dramatically amplifies the rate of RPC calls from a single host, allowing one machine to overload servers as effectively as a large botnet. In testing, both techniques demonstrated the ability to disrupt essential authentication services, potentially halting operations in enterprise environments. Experts note this isn’t the first time serious flaws have emerged in Windows domain controller networking. An earlier vulnerability, LDAPNightmare (CVE-2024-49113), was revealed in January 2024, highlighting similar systemic risks.

The implications are severe. Industry analysis indicates that successful DDoS attacks against enterprise networks can incur remediation and downtime costs exceeding $1 million per incident. As the core infrastructure of Active Directory, Domain Controllers serve as a single point of failure for numerous organizations, placing these vulnerabilities among the most critical security concerns. These findings overturn assumptions in enterprise threat modeling, showing that DoS risks extend to internal systems as well as public-facing ones, and that minimal internal access may be sufficient to trigger severe disruption. Importantly, these vulnerabilities affect both externally accessible and internal domain controllers if reachable, refuting the assumption that internal-only services are immune to DoS.

In March 2025, SafeBreach disclosed the technical details of the discovery to Microsoft, and this information is now available to system administrators. Experts recommend prioritizing patching immediately and advise organizations to assume that both externally accessible and internal servers are susceptible to exploitation for DDoS attacks. This incident demonstrates that even established and trusted enterprise systems can harbor overlooked vulnerabilities capable of causing widespread disruption.
