06-05-2025
Windows Memory Exhaustion Network Crash Warning — No Microsoft Fix
Microsoft is no stranger to vulnerabilities; heck, there were 684 Windows Server security flaws confirmed in 2024 alone. This is, in fact, a positive thing as it's far better to know about a vulnerability than only discover it once it has been exploited. Which is why Microsoft has paid hackers $60 million in bug bounties for such responsible disclosures. But what if I were to tell you that one security researcher has found a vulnerability that enables a remote attacker to crash your enterprise network at will, and Microsoft isn't interested in paying them diddly squat, or fixing the problem for that matter? Welcome to the worrying world of the Windows Deployment Services memory exhaustion attack technique.
You can read any number of reports and warnings about remote code execution vulnerabilities and exploits against Windows networks. The security research community might be said to be fascinated by them. And for good reason: The ability to execute arbitrary code remotely leaves your network, and ultimately the operation of your organization, vulnerable to ransomware attacks, cyber-espionage, and more.
Writing in a detailed technical blog posting, Peng warns of the dangers presented by a denial-of-service attack exploiting a vulnerability pattern in User Datagram Protocol remote services that are employing Windows Deployment Services. The associate professor demonstrated how an attacker can crash your Windows enterprise network without any authentication or user interaction by deploying a remote denial-of-service attack in WDS.
'WDS is critical for IT administrators managing corporate networks, data centers, or educational institutions requiring streamlined, secure OS deployments,' Peng said, explaining that an attacker can easily forge client IP addresses and port numbers to create new sessions until all system resources are exhausted.
The full technical methodology is in Peng's report, but just know that this easy-to-exploit vulnerability enables an attacker to disrupt a network rapidly and effectively as it literally collapses from memory exhaustion.
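For defenders, the session-creation pattern described above can be watched for in packet or flow records. The following is an added example, not code from this article or from Peng's report: it assumes forged sources send only the datagram that opens a session, and the function names, thresholds and sample packets are all constructed for illustration.

```python
from collections import deque

def detect_session_floods(packets, window=10.0, grace=1.0, limit=100):
    """Flag bursts of UDP sessions that were opened but never continued.

    packets: time-sorted (timestamp_s, src_ip, src_port) tuples for datagrams
    sent to the deployment server. window, grace and limit are assumed tuning
    values, not figures from the article or from Peng's report.
    """
    seen = {}          # endpoint -> datagrams received from it inside the window
    recent = deque()   # (first_seen, endpoint) for sessions opened inside the window
    alerts, armed = [], True
    for ts, ip, port in packets:
        # Expire old sessions first so the detector's own state stays bounded.
        while recent and ts - recent[0][0] > window:
            del seen[recent.popleft()[1]]
        ep = (ip, port)
        seen[ep] = seen.get(ep, 0) + 1
        if seen[ep] == 1:
            recent.append((ts, ep))
        # A real client follows its first datagram with more traffic, so count
        # sessions older than `grace` that never got past a single datagram.
        stale = sum(1 for first, e in recent if ts - first >= grace and seen[e] == 1)
        if stale <= limit:
            armed = True
        elif armed:
            alerts.append({"time": ts, "stale_sessions": stale})
            armed = False   # one alert per burst
    return alerts

def sample_traffic():
    """Constructed sample: 5 steady clients, then 300 one-datagram sources."""
    clients = [(t * 0.5, f"192.0.2.{c}", 40000 + c) for t in range(40) for c in range(1, 6)]
    flood = [(30 + i / 64, f"198.51.100.{i % 250 + 1}", 1024 + i) for i in range(300)]
    return sorted(clients + flood)

if __name__ == "__main__":
    for alert in detect_session_floods(sample_traffic()):
        print(alert)
```

The grace period keeps a burst of genuine clients starting at the same moment from raising an alert, since each of them sends further datagrams before it elapses.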
You might think that Microsoft would be all over this, but that doesn't appear to be the case. Peng disclosed the vulnerability to Microsoft Feb. 8, and it was confirmed March 4. Come April 23, Microsoft told Peng that the vulnerability is 'moderate' and doesn't meet the bar for security action, including bounty payments. The same day, Peng responded to urge Microsoft to react as it was 'an important DoS bug without authentication (preauth) or user interaction (0-click)' but, as nothing more was heard, decided to publish the blog.
Peng recommends that users abandon Windows Deployment Services as 'there is currently no good way to mitigate this issue unless Microsoft takes responsibility and releases a patch.'
I have reached out to Microsoft for a statement.