New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Aug 10, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

What’s new
Researchers have identified a new attack technique, dubbed Win-DDoS, that exploits vulnerabilities in Windows domain controllers (DCs) to create a botnet for distributed denial-of-service (DDoS) attacks. This method leverages flaws in the Windows LDAP client code, allowing attackers to manipulate referral processes without needing code execution or credentials. The vulnerabilities include CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722, all of which can lead to significant service denial. These vulnerabilities have been addressed in updates released between May and July 2025.
Who’s affected
Organizations using Windows domain controllers that are publicly accessible are at risk. The vulnerabilities can be exploited remotely and affect both public and internal systems, which challenges existing threat modeling assumptions.
What to do
- Ensure all Windows systems are updated with the latest security patches addressing the identified CVEs.
- Restrict public access to domain controllers where possible.
- Review and enhance network security measures to mitigate potential DDoS attacks.
- Monitor network traffic for unusual patterns that may indicate exploitation attempts.
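
One way to act on the monitoring advice above, as an added example that is not from the article: scan flow records for domain controllers that open LDAP/CLDAP sessions to external hosts or send a burst of connections to a single external address. The DC addresses, internal ranges, flow-record format and thresholds are assumptions, as is the premise that the referral manipulation described here appears on the wire as DC-originated outbound connections.

```python
import ipaddress
from collections import Counter

# Assumed environment values (not from the article); adjust to your network.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW_SECONDS = 60
BURST_THRESHOLD = 5  # connections from one DC to one external host per window

# Constructed sample flow records: epoch_seconds src_ip dst_ip dst_port proto
SAMPLE_FLOWS = (
    "1000 10.0.0.10 10.0.0.11 389 tcp\n"      # DC-to-DC replication, internal
    "1001 10.0.0.10 203.0.113.5 389 udp\n"    # CLDAP to an external host
    "1002 10.0.0.10 203.0.113.5 389 tcp\n"    # LDAP to the same external host
    + "".join(f"{1020 + i} 10.0.0.10 198.51.100.7 443 tcp\n" for i in range(6))
    + "1030 10.0.0.50 198.51.100.7 443 tcp\n"  # workstation, not a DC
    + "malformed line\n"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, port, proto = parts
        yield int(ts), src, dst, int(port), proto

def find_suspicious(text):
    """Return (external LDAP/CLDAP sessions from DCs, DC->external bursts)."""
    ldap_external = set()
    bursts = Counter()
    for ts, src, dst, port, proto in parse_flows(text):
        if src not in DOMAIN_CONTROLLERS or is_internal(dst):
            continue
        if port == 389:
            ldap_external.add((src, dst, proto))
        bursts[(src, dst, ts // WINDOW_SECONDS)] += 1
    flooding = sorted({(s, d) for (s, d, _), n in bursts.items()
                       if n >= BURST_THRESHOLD})
    return sorted(ldap_external), flooding

if __name__ == "__main__":
    ldap_hits, flood_hits = find_suspicious(SAMPLE_FLOWS)
    print("DC LDAP/CLDAP to external hosts:", ldap_hits)
    print("DC connection bursts to external hosts:", flood_hits)
```

A domain controller rarely has a reason to talk LDAP to an address outside the organization, so either finding is worth an egress-firewall review as well as an alert.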