A critical unauthenticated denial-of-service (DoS) vulnerability in Windows Deployment Services (WDS) allows attackers to crash systems remotely by exploiting UDP-based memory exhaustion.
This 0-click attack, requiring no user interaction or authentication, highlights systemic risks in understudied UDP service vulnerabilities.
Background
Windows Deployment Services (WDS) is a Microsoft server role enabling network-based OS deployments via Preboot Execution Environment (PXE) boot, TFTP file transfers, and automated setups.
Widely used in enterprises, WDS streamlines large-scale Windows installations but now faces a severe security threat.
Researchers discovered that its UDP-based TFTP service (port 69) enforces no session limits, so an attacker can exhaust server memory simply by sending packets with spoofed source IPs and ports.
Technical Details
The vulnerability stems from how WDS handles UDP packets. Each connection request triggers the creation of a CTftpSession object, which is stored indefinitely in an unbounded EndpointSessionMapEntry.
Attackers exploit this by flooding the service with spoofed packets, each appearing to come from a unique IP-port combination:
status = CClientContext::FindSession(...);
if (status) { // Session not found: a new session is allocated for this (IP, port) pair
    // Create new CTftpSession and add to EndpointSessionMapEntry
} else {
    CTftpSession::AdditionalConnectionRequest(...);
}
With no session cleanup or memory limits, continuous malicious requests overwhelm the system.
In tests, a Windows Server with 8GB of RAM crashed after memory usage spiked to 15GB within 7 minutes.
Multithreaded attacks could accelerate this process.
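To make the root cause concrete, the following added example (not WDS code, and not from the researcher's write-up) models the session map in Python: an unbounded table that mirrors the reported behaviour, beside a hardened table with a global cap, a per-source-IP cap and idle expiry. The class names, limits and the simulated flood are assumptions chosen for illustration; the "flood" only creates dictionary entries in memory.

```python
from collections import OrderedDict

class UnboundedSessionTable:
    """Models the reported behaviour: one session per (ip, port), never released."""
    def __init__(self):
        self.sessions = {}
    def handle_request(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        if key not in self.sessions:  # the "session not found" branch
            self.sessions[key] = now  # allocated and never cleaned up
        return True

class BoundedSessionTable:
    """Hardened model (assumed design): global cap, per-IP cap, idle timeout."""
    def __init__(self, max_sessions=1000, max_per_ip=8, idle_timeout=30.0):
        self.sessions = OrderedDict()  # (ip, port) -> last_seen, oldest first
        self.per_ip = {}
        self.max_sessions, self.max_per_ip = max_sessions, max_per_ip
        self.idle_timeout = idle_timeout
        self.rejected = 0
    def _expire(self, now):
        # Drop sessions idle longer than idle_timeout, oldest first.
        while self.sessions:
            key, last_seen = next(iter(self.sessions.items()))
            if now - last_seen < self.idle_timeout:
                break
            del self.sessions[key]
            self.per_ip[key[0]] -= 1
    def handle_request(self, src_ip, src_port, now):
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.sessions:  # existing session: refresh, no allocation
            self.sessions.move_to_end(key)
            self.sessions[key] = now
            return True
        if (len(self.sessions) >= self.max_sessions
                or self.per_ip.get(src_ip, 0) >= self.max_per_ip):
            self.rejected += 1  # refuse the request instead of allocating
            return False
        self.sessions[key] = now
        self.per_ip[src_ip] = self.per_ip.get(src_ip, 0) + 1
        return True

def simulate_flood(table, n_ips=200, ports_per_ip=50):
    """Constructed flood: n_ips spoofed sources, each using ports_per_ip ports."""
    now = 0.0
    for i in range(n_ips):
        ip = f"10.0.{i // 256}.{i % 256}"
        for p in range(ports_per_ip):
            table.handle_request(ip, 40000 + p, now)
            now += 0.001
    return len(table.sessions)
```

With the same 10,000 distinct spoofed endpoints, the unbounded table holds all 10,000 sessions while the bounded one never exceeds its cap, which is the property a fix to the real service would need to guarantee.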
Impact and Exploitation
The pseudocode below shows how simple the attack is:
def fake_send(dst_ip, dst_port):
    for i in range(0x4000000, 0xFFFFFFFF):
        src_ip = int_to_ip(i)
        for port in range(0x4000, 0xE000):
            udp_send(src_ip, port, dst_ip, dst_port, malicious_data)
By cycling through a vast space of spoofed source IPs and ports, attackers force WDS to allocate an excessive number of sessions.
Enterprises relying on WDS for PXE deployments risk complete network paralysis, disrupting OS rollouts and IT operations.
Timeline and Response
- Feb 08, 2025: Vulnerability reported to Microsoft (Case #94963).
- Mar 04, 2025: Microsoft confirmed the bug.
- Mar 08, 2025: Microsoft revised its bounty program to exclude pre-authentication DoS issues.
- Apr 23, 2025: Microsoft deemed the issue “moderate,” declining a patch.
- May 02, 2025: Researcher published findings after no resolution.
Microsoft’s decision not to patch leaves organizations vulnerable.
SafeBreach Labs' recent LDAP-related PoC exploit (CVE-2024-49113) underscores the broader risks of unpatched protocols, but WDS remains uniquely exposed because of its connectionless UDP design.
Recommendations
To mitigate risks:
- Disable WDS if unused.
- Monitor UDP/69 traffic for abnormal spikes.
- Adopt alternatives like Microsoft Endpoint Configuration Manager or third-party deployment tools.
This vulnerability underscores the fragility of UDP-based services and the urgent need for proactive memory management in critical infrastructure.
Until Microsoft addresses the flaw, enterprises must weigh the operational benefits of WDS against its existential risks.