Technology

New DDoS Threat: Hackers Turning Public Domain Controllers Into Weapons!

2025-08-11

Author: Li

Massive Vulnerabilities Discovered in Windows Domain Controllers

Research from SafeBreach has unveiled alarming vulnerabilities that could empower hackers to hijack Windows Active Directory domain controllers (DCs). Among these, the recently identified CVE-2025-32724 stands out—it can be exploited to force public DCs into participating in crippling distributed denial-of-service (DDoS) attacks.

Introducing Win-DDoS: A Game-Changing Attack Technique

Dubbed "Win-DDoS," this method allows attackers to trick publicly accessible DCs into connecting to a malicious Lightweight Directory Access Protocol (LDAP) server. Through crafted LDAP referrals, the coerced DCs are then directed to flood a chosen victim machine with a high volume of requests.

Understanding the Risks of Domain Controllers

Domain controllers play a critical role in managing security and authentication in a network. Typically, these are Windows Server machines utilizing Active Directory Domain Services (AD DS). The implications of the vulnerabilities found by SafeBreach are significant.

A Closer Look at the Vulnerabilities

Several vulnerabilities have been discovered:

- **CVE-2025-32724**: Allows attackers to consume resources in the Windows Local Security Authority Subsystem Service (LSASS), potentially causing a denial of service on an exposed server or turning it into a DDoS agent.
- **CVE-2025-26673 and CVE-2025-49716**: These lead to resource exhaustion in Windows LDAP and Windows Netlogon, respectively, leaving domain controllers vulnerable.
- **CVE-2025-49722**: Can crash DCs and other Windows machines due to uncontrolled resource usage in the Print Spooler Components.

The first three vulnerabilities can be exploited remotely without authentication, while the last one requires only limited user access.

New Insights for Enterprises

The findings challenge conventional assumptions about enterprise security, suggesting that risks of DDoS attacks are not limited to publicly exposed services. The researchers emphasized the need for organizations to rethink their defense strategies and resilience against such unforeseen vulnerabilities.

How the Win-DDoS Attack Works

This attack method involves:

1. Sending a specially crafted Remote Procedure Call (RPC) to public DCs to turn them into CLDAP clients.
2. The attacker's CLDAP server responds with an LDAP referral directing the DC to another malicious LDAP/TCP server.
3. The attacker's server provides a long list of LDAP URLs that all point back to the same target IP and port.

As the DCs send LDAP queries to that port, which often belongs to a web server, the unexpected LDAP traffic causes each TCP connection to be closed, and the DC keeps retrying with the next referral until the entire list is exhausted.
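A defender-side check suggested by the referral loop described above, added here as an illustration and not code from SafeBreach or Microsoft: it scans a constructed connection log (hypothetical format, not a real Windows log layout) for a DC opening repeated TCP connections to a non-LDAP port on one host, most of them reset by the peer, which is the traffic shape step 3 produces.

```python
import re
from collections import defaultdict

# Ports on which outbound LDAP from a DC is expected (LDAP, LDAPS, global catalog).
EXPECTED_LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed sample of outbound-connection events in a hypothetical firewall format.
# 10.0.0.5 plays the domain controller; 203.0.113.7:443 plays the flooded web server.
SAMPLE_LOG = """\
2025-08-11T10:00:01Z src=10.0.0.5 dst=10.0.0.6 dport=389 proto=tcp state=established
2025-08-11T10:00:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:03Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:03Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:04Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:04Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp state=reset
2025-08-11T10:00:05Z src=10.0.0.9 dst=198.51.100.2 dport=80 proto=tcp state=established
2025-08-11T10:00:06Z src=10.0.0.5 dst=198.51.100.20 dport=3268 proto=tcp state=established
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) state=(?P<state>\S+)$"
)

def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev

def find_referral_floods(text, dc_hosts, min_connections=5, min_reset_ratio=0.8):
    """Return {(dc, dst, dport): (connections, resets)} for bursts of DC-originated
    TCP connections to a non-LDAP port where most connections were reset."""
    counts = defaultdict(lambda: [0, 0])
    for ev in parse_events(text):
        if ev["src"] not in dc_hosts or ev["proto"] != "tcp":
            continue
        if ev["dport"] in EXPECTED_LDAP_PORTS:
            continue  # normal LDAP traffic to other DCs / global catalogs
        key = (ev["src"], ev["dst"], ev["dport"])
        counts[key][0] += 1
        if ev["state"] == "reset":
            counts[key][1] += 1
    return {k: (c, r) for k, (c, r) in counts.items()
            if c >= min_connections and r / c >= min_reset_ratio}
```

Calling `find_referral_floods(SAMPLE_LOG, {"10.0.0.5"})` flags only the 203.0.113.7:443 burst; the thresholds are starting points to tune against a DC's normal outbound profile.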

What Should Organizations Do?

Microsoft issued patches for all four vulnerabilities across supported Windows Server versions earlier in 2025. With the details now public, companies that haven't applied these critical updates should act immediately.

Researchers Or Yair and Shahak Morag from SafeBreach urge organizations to prepare for potential DDoS attacks on all servers, regardless of whether they are publicly exposed. They advocate robust mitigation measures and the ability to quickly identify attack sources in order to safeguard organizational assets.