New 'Win-DDoS' Attack Exploits Windows Domain Controllers for Stealthy DDoS Attacks
August 11, 2025
Researchers Or Yair and Shahak Morag from SafeBreach have unveiled a new attack technique called Win-DDoS, which exploits vulnerabilities in public domain controllers (DCs) to turn them into a botnet for distributed denial-of-service (DDoS) attacks.
The technique takes advantage of vulnerabilities in Windows Active Directory domain controllers that allow attackers to launch DDoS attacks without authentication.
The findings were presented at the DEF CON 33 security conference on August 10, 2025, and center on a flaw in the Windows LDAP client code that lets attackers manipulate LDAP referral URLs to overwhelm a victim server.
The key vulnerability, CVE-2025-32724, allows attackers to force public domain controllers to connect to a malicious Lightweight Directory Access Protocol (LDAP) server, which directs them to overwhelm a chosen target server with requests.
In the Win-DDoS attack chain, crafted RPC calls sent to domain controllers turn them into clients of the attacker's LDAP server, which then directs them to repeatedly send LDAP queries to the victim server.
This lets attackers harness thousands of public DCs without purchasing infrastructure or executing code, making the attack stealthy and resource-efficient.
Additional vulnerabilities enable similar denial-of-service attacks by consuming resources in Windows LDAP and Netlogon, which can crash domain controllers and other Windows machines.
Among the vulnerabilities identified are CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, and CVE-2025-49722, which involve uncontrolled resource consumption and have been addressed through patches released by Microsoft.
Microsoft issued patches for these vulnerabilities in April, June, and July 2025 and urges organizations to apply them immediately to mitigate potential attacks.
The ability to execute these attacks without authentication poses a significant risk to both public and private infrastructure, necessitating a reevaluation of existing defense strategies.
These vulnerabilities challenge traditional enterprise threat-modeling assumptions, showing that internal systems are also at risk from such attacks.
SafeBreach's researchers emphasize that organizations should prepare for DDoS threats against all servers, public or private, implement defensive measures, and be able to rapidly identify attack sources.
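As an added defensive illustration (not code from SafeBreach or the cited articles), the following Python flags the traffic pattern described above: a domain controller acting as an outbound LDAP client toward an address outside the organization's own ranges, or opening a burst of LDAP connections to a single peer. The flow-record format, the DC inventory and the internal network ranges are constructed assumptions.

```python
# Added example (not SafeBreach's or the cited articles' code): flag domain
# controllers acting as outbound LDAP clients toward unexpected peers.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog, GC over TLS
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}  # hypothetical DC inventory
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical internal ranges


def parse_flow(line: str) -> dict:
    """Parse a constructed flow record: '<ISO time> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)}


def find_suspicious_flows(lines, burst_threshold=20, window_seconds=60):
    """Return sorted (rule, dc_ip, peer_ip) findings for DC-initiated LDAP flows.

    Rule 1: a DC connecting as an LDAP client to an address outside INTERNAL_NETS.
    Rule 2: a DC opening >= burst_threshold LDAP connections to one peer within a
            sliding window of window_seconds (the repeated-query flood pattern).
    """
    per_pair, findings = defaultdict(list), set()
    for line in lines:
        f = parse_flow(line)
        if f["src"] not in DOMAIN_CONTROLLERS or f["port"] not in LDAP_PORTS:
            continue  # only connections a DC initiates as LDAP client matter here
        if not any(ipaddress.ip_address(f["dst"]) in net for net in INTERNAL_NETS):
            findings.add(("dc_outbound_ldap_external", f["src"], f["dst"]))
        per_pair[(f["src"], f["dst"])].append(f["ts"])
    window = timedelta(seconds=window_seconds)
    for (src, dst), times in per_pair.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.add(("dc_ldap_burst", src, dst))
                break
    return sorted(findings)


def sample_flows():
    """Constructed records: normal replication, one external LDAP peer, one burst."""
    base = datetime(2025, 8, 10, 12, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.10 10.0.0.11 389" for i in range(3)]
    lines.append(f"{base.isoformat()} 10.0.0.10 203.0.113.5 389")
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.10 198.51.100.7 389" for i in range(25)]
    return lines
```

Run `find_suspicious_flows(sample_flows())` to see the three findings; the three replication records alone produce none.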
Summary based on 2 sources
Sources
The Hacker News • Aug 10, 2025 • New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Help Net Security • Aug 11, 2025 • Win-DDoS: Attackers can turn public domain controllers into DDoS agents