Prevent undetectable malware and 0-day exploits with AppGuard!

At DEF CON 33, SafeBreach Labs researchers Yair and Shahak Morag revealed a chilling new class of Windows shutdown attacks. Dubbed the Win-DoS Epidemic, these zero-click vulnerabilities can crash essential Windows services—and turn Domain Controllers (DCs) into a botnet army for DDoS attacks, without user interaction or credentials (sources: Cyber Security News, The Hacker News, Help Net Security).

Four Vulnerabilities That Spell Disaster

They uncovered four uncontrolled-resource-consumption vulnerabilities:

  • CVE-2025-26673 (CVSS 7.5): LDAP service DoS

  • CVE-2025-32724 (CVSS 7.5): LSASS service DoS

  • CVE-2025-49716 (CVSS 7.5): Netlogon service DoS

  • CVE-2025-49722 (CVSS 5.7): Print Spooler DoS (requires authenticated user on adjacent network)

The first three can be triggered remotely by unauthenticated attackers, making defensive perimeter strategies dangerously inadequate.

Weaponizing Domain Controllers: The Win-DDoS Attack

The real shocker is Win-DDoS, a method that abuses LDAP referral mechanics. Here’s how it works:

  1. An attacker sends an RPC command to a public DC, turning it into a CLDAP client.

  2. The DC contacts the attacker’s CLDAP server, which replies with LDAP referrals to a victim server.

  3. The DC repeatedly sends traffic toward the victim—without stopping—creating a powerful, untraceable DDoS botnet made up of legitimate infrastructure.

This flips our assumptions: trusted enterprise infrastructure becomes the Trojan horse.
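The attack path above hinges on a DC behaving as an LDAP/CLDAP client and then pushing unbounded traffic at a third party. As an added example that is not part of the original article or of AppGuard's product, the Python below runs two simple detection rules over constructed NetFlow-style records: flag a DC that originates port-389 traffic to an address outside the enterprise, and flag a DC that sends an abnormal packet volume to a single destination within a time window. The DC addresses, internal ranges, sample records and threshold are assumptions; port 389 is the standard LDAP (TCP) and CLDAP (UDP) port.

```python
"""Flag Domain Controllers that originate outbound LDAP/CLDAP traffic.

Added example, not the article's or AppGuard's code. The environment
(DC addresses, internal ranges, thresholds) is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LDAP_PORT = 389  # LDAP over TCP and CLDAP over UDP both use 389


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    packets: int   # packets in this flow record


# Hypothetical environment: which hosts are DCs and what counts as internal.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_ldap_from_dc(flows):
    """Rule 1: a DC should answer LDAP queries, not originate them toward
    external hosts. Returns one finding per (DC, external destination)."""
    hits = {
        ("dc_outbound_ldap", f.src, f.dst)
        for f in flows
        if f.src in DOMAIN_CONTROLLERS and f.dport == LDAP_PORT and not is_internal(f.dst)
    }
    return sorted(hits)


def find_dc_flood(flows, window=60.0, threshold=1000):
    """Rule 2: a DC pushing more than `threshold` packets to one host inside a
    `window`-second bucket is a candidate for the referral-driven loop."""
    buckets = defaultdict(int)
    for f in flows:
        if f.src in DOMAIN_CONTROLLERS:
            buckets[(f.src, f.dst, int(f.ts // window))] += f.packets
    hits = {("dc_flood", src, dst) for (src, dst, _), n in buckets.items() if n > threshold}
    return sorted(hits)


# Constructed sample records (not real telemetry); external addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.50", "10.0.0.10", 389, "tcp", 12),   # workstation querying the DC: normal
    Flow(1.0, "10.0.0.10", "10.0.0.11", 389, "tcp", 8),    # DC to DC, internal: normal
    Flow(2.0, "10.0.0.10", "203.0.113.7", 389, "udp", 3),  # DC acting as CLDAP client to an outside host
    # 30 records of 40 packets each toward one outside host: 1200 packets in 0.3 s
    *[Flow(5.0 + i * 0.01, "10.0.0.10", "198.51.100.9", 389, "udp", 40) for i in range(30)],
]


def analyze(flows=SAMPLE_FLOWS):
    """Run both rules and return the combined, ordered list of findings."""
    return find_outbound_ldap_from_dc(flows) + find_dc_flood(flows)


if __name__ == "__main__":
    for rule, src, dst in analyze():
        print(f"{rule}: {src} -> {dst}")
```

Rule 1 fires as soon as a DC opens a single LDAP/CLDAP flow to a non-internal address, which is the earliest observable step of the path described above; rule 2 is the volume check that catches the sustained traffic toward the victim. On real telemetry the threshold and window need tuning against a baseline of legitimate DC replication and referral chasing.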

Why “Detect and Respond” Isn’t Enough

Traditional “Detect and Respond” strategies rely on spotting anomalies, investigating them, then reacting. But when threats like Win-DoS:

  • Require no interaction

  • Exploit trusted services silently

  • Leverage internal systems as weapons

...these strategies are too slow. By the time detection happens, the attack may already be underway, and the damage done.

A Faster, Smarter Strategy: Isolation & Containment with AppGuard

Instead of chasing threats, AppGuard isolates and contains them before they wreak havoc. With its 10-year proven track record, AppGuard prevents unauthorized code execution—even in trusted processes like RPC, LSASS, or LDAP.

Here’s what AppGuard empowers you to do:

  • Contain zero-click attacks by blocking abnormal execution flows.

  • Isolate critical systems, like Domain Controllers, from reaching external endpoints without authorization.

  • Stop weaponized behavior in its tracks—app-level isolation ensures that even if a DC is targeted, it cannot become a bot in a Win-DDoS attack.

With AppGuard, you’re not playing catch-up—you’re putting a barrier between your assets and the blind spots attackers exploit.


Conclusion

Win-DoS and Win-DDoS expose a terrifying reality: trusted systems inside your organization can be turned into launchpads for external attacks—with zero clicks and no credentials. Now more than ever, we must go beyond detection. The shift to Isolation and Containment isn’t just strategic—it’s essential. AppGuard offers that containment—trusted, proven, and commercial-ready through CHIPS.


Call to Action

Business leaders: don’t wait for an attack to teach you the hard way. Talk with us at CHIPS to see how AppGuard can shield you from Win-DoS and Win-DDoS threats by embedding isolation and containment into your endpoint defenses. Move beyond “Detect and Respond”—embrace proactive protection that keeps your critical systems safe, silent, and in your control.
