Win-DoS Epidemic: Exploiting Windows LDAP & RPC for Massive DoS/DDoS


In 2025, coordinated research by SafeBreach Labs and Microsoft revealed multiple denial-of-service (DoS) vulnerabilities in core Windows services – LDAP, Netlogon, LSASS, and Print Spooler. Collectively, these flaws enable both targeted and large-scale disruption of enterprise environments, including Win-DDoS and TorpeDoS attack techniques that weaponize Windows Domain Controllers (DCs) without deploying malware.

Severity Level: High

Vulnerability Details

  1. CVE-2025-26673 – Windows LDAP DoS
    Uncontrolled resource consumption in the LDAP service allows unauthenticated remote attackers to cause service disruption over the network. By sending crafted LDAP requests, attackers can trigger excessive memory use, resulting in DC crashes. CVSS 7.5 (High). Exploitation is less likely but requires no privileges and no user interaction.
  2. CVE-2025-32724 – LSASS DoS
    A flaw in LSASS allows remote unauthenticated attackers to cause service crashes via specially crafted requests. This impacts authentication and authorization operations across Windows environments. CVSS 7.5 (High). Exploitation is considered unlikely but possible over the network.
  3. CVE-2025-49716 – Netlogon DoS
    The Netlogon service fails to enforce resource usage limits, allowing attackers to send repeated crafted requests that exhaust memory and crash the service. This is network-exploitable without authentication. CVSS 7.5 (High). Exploitation is considered unlikely but feasible for determined actors.
  4. CVE-2025-49722 – Print Spooler DoS
    Uncontrolled resource consumption in the Windows Print Spooler can be triggered by authenticated attackers on the same network segment. This can halt printing services and potentially impact dependent workflows. CVSS 5.7 (Important). Attack requires low privileges and adjacency.

Exploitation Of The Vulnerabilities

  • Win-DDoS – Attackers exploit LDAP referral handling to direct thousands of public DCs to flood a victim, bypassing duplicate IP checks using DNS tricks.
  • TorpeDoS – Stages mass RPC bindings without requests, then floods all connections at once to exhaust memory.
  • Targeted DoS – Individual CVEs allow for repeated crafted requests (e.g., Netlogon calls with large EntryCounts, LSASS referral overflows) to crash services and force reboots.
  • Adjacent Network Abuse – Print Spooler flaw allows insiders or nearby attackers to halt printing and potentially impact broader workflows.

Affected Products

  • Internet-facing and internal Windows Domain Controllers
  • Windows Server: 2008 through 2025 editions, including Core installations
  • Windows Client: Windows 10, 11 (various builds and architectures)
  • Systems with Print Spooler enabled in multi-tenant or adjacent network environments
  • Components: LDAP service, LSASS, Netlogon, Print Spooler

Recommendations

  1. Apply Microsoft security updates for all affected CVEs.
  2. Restrict LDAP (389/TCP, 3268/TCP, 389/UDP) and Netlogon (RPC port 135 + dynamic ports) access to trusted networks.
  3. Disable Print Spooler service on systems that do not require it.
  4. Monitor for abnormal Netlogon call patterns, large LDAP referral lists, or spikes in LSASS memory usage.
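
A local check for recommendations 3 and 4, as an added example that is not part of the original advisory or of the SafeBreach or Microsoft material. The sample count, the interval, and the 25% growth threshold are assumptions to tune against each host's own baseline.

```powershell
# Added example: audit Print Spooler state and watch LSASS memory on the local host.
# All parameter defaults below are assumed values, not figures from the advisory.
param(
    [int]$Samples = 12,             # number of LSASS memory readings to take
    [int]$IntervalSeconds = 5,      # delay between readings
    [double]$GrowthAlertPct = 25    # alert when the working set grows by this much over the window
)

# Recommendation 3: report Print Spooler state so unneeded instances can be disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Service   = $spooler.Name
        Status    = $spooler.Status
        StartType = $spooler.StartType
    }
    # After confirming this host does not need printing, uncomment to disable:
    # Stop-Service -Name Spooler -Force
    # Set-Service  -Name Spooler -StartupType Disabled
} else {
    Write-Output "Print Spooler service is not installed on $env:COMPUTERNAME."
}

# Recommendation 4: sample the LSASS working set and flag growth across the window.
$readings = for ($i = 0; $i -lt $Samples; $i++) {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    [pscustomobject]@{
        Time         = Get-Date
        WorkingSetMB = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}
$readings = @($readings)   # force an array even when only one sample was taken

$first = $readings[0].WorkingSetMB
$last  = $readings[-1].WorkingSetMB
$growthPct = if ($first -gt 0) { [math]::Round((($last - $first) / $first) * 100, 1) } else { 0 }

$readings | Format-Table -AutoSize
if ($growthPct -ge $GrowthAlertPct) {
    Write-Warning "LSASS working set grew $growthPct% ($first MB -> $last MB) in $($Samples * $IntervalSeconds)s; investigate inbound LDAP/Netlogon traffic."
} else {
    Write-Output "LSASS working set change over window: $growthPct% ($first MB -> $last MB)."
}
```

A single short window only catches rapid growth; for ongoing monitoring, feed the same readings into the existing performance-monitoring or SIEM pipeline and alert against a longer baseline.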

Source:

  • https://www.safebreach.com/blog/win-dos-epidemic-abusing-rpc-for-dos-and-ddos/
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26673
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32724
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49716
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49722
