New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

What’s new: Researchers have identified a new attack technique, dubbed Win-DDoS, that exploits vulnerabilities in Windows domain controllers (DCs) to build a DDoS botnet. The method manipulates the LDAP referral process so that thousands of publicly reachable DCs can be directed to flood a target server, without the attacker needing code execution on, or credentials for, any of them. The vulnerabilities involved are CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722, all of which have been fixed in 2025.

Who’s affected

Organizations using Windows domain controllers that are publicly accessible are at risk. The identified vulnerabilities can lead to denial-of-service attacks, impacting both public services and internal systems.

What to do

  • Ensure all Windows systems are updated with the latest security patches addressing the identified CVEs.
  • Limit the exposure of domain controllers to the public internet where possible.
  • Implement network monitoring to detect unusual traffic patterns indicative of DDoS attacks.
  • Review and update incident response plans to include scenarios involving DDoS attacks leveraging domain controllers.
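The monitoring item above is the one that needs concrete logic. Because Win-DDoS works by making a domain controller chase LDAP referrals toward the victim, the observable symptom on the defender's side is a DC that suddenly initiates many outbound LDAP or RPC connections to a single external host, which a DC normally never does. The following Python script is an added example, not code from the advisory or from the researchers: it scans constructed flow-log lines (format, ports watched, internal address ranges and thresholds are all assumptions) and flags DCs showing that reflector-style burst.

```python
"""Flag domain controllers that initiate bursts of outbound LDAP/RPC
connections to one external host (the traffic shape a DC shows when it
is being used as a DDoS reflector via LDAP referrals).

Added example. Log format, thresholds, watched ports and internal
ranges are assumptions, not details from the advisory.
Input line format (constructed): "<epoch_ts> <src_ip> <dst_ip> <dst_port>".
"""
import ipaddress
from collections import defaultdict

# LDAP, LDAPS, Global Catalog and MS-RPC endpoint mapper (assumed watch list)
WATCHED_PORTS = {389, 636, 3268, 3269, 135}

# Address space considered internal (assumed; adapt to your environment)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: DC 10.0.0.5 fires six outbound LDAP connections at one
# external host within five seconds, mixed with benign traffic.
SAMPLE_LOG = """\
1723456000 10.0.0.5 203.0.113.7 389
1723456001 10.0.0.5 203.0.113.7 389
1723456001 10.0.0.5 203.0.113.7 3268
1723456002 10.0.0.5 203.0.113.7 389
1723456003 10.0.0.5 203.0.113.7 389
1723456004 10.0.0.5 203.0.113.7 389
1723456002 10.0.0.9 10.0.0.5 389      # workstation querying the DC: ignored
1723456003 10.0.0.5 10.0.0.20 389     # DC-to-DC internal LDAP: ignored
1723456005 10.0.0.5 198.51.100.4 443  # outbound HTTPS: port not watched
1723456006 10.0.0.5 198.51.100.9 389  # single outbound LDAP: below threshold
"""


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one flow record; return (ts, src, dst, port) or None for junk."""
    body = line.split("#", 1)[0].strip()  # tolerate trailing comments
    if not body:
        return None
    parts = body.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_outbound_bursts(log_text, dcs, threshold=5, window=60):
    """Return alerts for (DC, external host) pairs whose outbound LDAP/RPC
    connection count within any `window` seconds reaches `threshold`.

    Each alert is {"dc", "target", "connections"} with the peak count seen.
    """
    stamps = defaultdict(list)  # (dc, external_dst) -> [timestamps]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        # Only DC-initiated flows, on directory/RPC ports, leaving the network
        if src in dcs and port in WATCHED_PORTS and not is_internal(dst):
            stamps[(src, dst)].append(ts)

    alerts = []
    for (dc, dst), ts_list in stamps.items():
        ts_list.sort()
        best, left = 0, 0
        # Sliding window: widest run of timestamps spanning <= window seconds
        for right, t in enumerate(ts_list):
            while t - ts_list[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts.append({"dc": dc, "target": dst, "connections": best})
    alerts.sort(key=lambda a: a["connections"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in find_outbound_bursts(SAMPLE_LOG, dcs={"10.0.0.5"}):
        print(f"ALERT: DC {alert['dc']} opened {alert['connections']} "
              f"LDAP/RPC connections to external host {alert['target']}")
```

The inbound direction (workstations and other DCs talking to the DC) is deliberately ignored, since that is ordinary directory traffic; the signal is the DC acting as a client toward the internet. In a real deployment the threshold should be tuned against a baseline, because a legitimate DC may have a small number of sanctioned external LDAP peers.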

Sources