May 6, 2025
Severity
High
Analysis Summary
A newly discovered zero-click vulnerability in Microsoft's Windows Deployment Services (WDS) exposes enterprise systems to a severe denial-of-service (DoS) risk. The flaw lies in the UDP-based Trivial File Transfer Protocol (TFTP) service, which listens on port 69, and allows unauthenticated attackers to remotely crash WDS servers without any user interaction. The exploit takes advantage of how the WDS TFTP service handles incoming session requests: it creates a CTftpSession object for each request without validating the source, so an attacker can send spoofed UDP packets that quickly exhaust system memory.
At the core of the issue is a design flaw in the "EndpointSessionMapEntry", which imposes no session limit, enabling attackers to forge endless connection requests from randomized IP addresses and ports. Because UDP is a connectionless protocol that does not verify the source of a packet, WDS's session handler, particularly the "wdstftp!CClientContext::OnConnectionRequest" function, blindly allocates memory for each spoofed session. This opens the door for low-skilled attackers to paralyze network-based OS deployment infrastructure with a simple script.
According to the security researcher, Peng, testing on a Windows Server Insider Preview system with 8GB of RAM showed memory usage ballooning to 15GB in under seven minutes using spoofed packets, leading to a full system crash. Although Peng withheld full exploit code to prevent misuse, he confirmed that even basic multithreaded scripting from a Linux machine could execute the attack rapidly. The fact that this vulnerability requires neither authentication nor valid credentials makes it especially dangerous and difficult to detect with traditional security tools.
Despite the critical nature of the flaw, Microsoft has chosen not to release a patch, leaving organizations with limited options. Currently, the only viable mitigations include replacing WDS with alternative deployment tools or implementing stringent network access controls to filter traffic on port 69. Given WDS’s widespread use in corporate environments, data centers, and academic institutions, this vulnerability poses a substantial threat to IT operations and underscores the need for prompt defensive strategies and long-term architectural reconsiderations.
Impact
- Gain Access
- Denial-of-Service
Remediation
- Use internal firewalls, ACLs, or network segmentation to block unauthorized access to port 69 from untrusted or external sources.
- Configure routers, switches, or intrusion prevention systems (IPS) to detect and drop spoofed or malformed UDP packets targeting the WDS TFTP service.
- Place WDS servers in isolated VLANs or secure zones where only authorized systems (e.g., PXE boot clients) can communicate with them.
- If WDS is not actively being used for deployments, consider disabling the TFTP service to eliminate exposure.
- Implement rate-limiting on UDP port 69 to reduce the impact of traffic floods and slow down potential memory exhaustion attacks.
- Set up alerts for unusual traffic patterns or memory spikes on WDS servers, particularly targeting port 69.
- Evaluate modern and more secure deployment solutions (e.g., Microsoft Endpoint Configuration Manager or third-party PXE services) that offer better protection and control.
- Stay updated on Microsoft advisories and third-party security research in case a patch or official workaround is released.
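One way to implement the alerting called for above: an added example, not code from the advisory or from Microsoft, that counts distinct source endpoints hitting UDP/69 per time window, since each new (IP, port) pair costs the WDS server a session object. The packet-log format, the sample traffic and the threshold are assumptions.

```python
# Detect a WDS TFTP session flood in UDP packet logs (added example).
from collections import defaultdict
from datetime import datetime, timedelta

TFTP_PORT = 69
EPOCH = datetime(1970, 1, 1)

# Constructed traffic (assumed format "<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"):
# two legitimate PXE clients, then 200 packets within one second from randomized
# source IP/port pairs, which is how a spoofed flood appears to the WDS server.
SAMPLE_LOG = [
    "2025-05-06T10:00:00 10.20.5.11:2048 -> 10.20.1.5:69 UDP",
    "2025-05-06T10:00:03 10.20.5.12:2049 -> 10.20.1.5:69 UDP",
] + [
    f"2025-05-06T10:05:00 203.0.113.{i % 250}:{40000 + i} -> 10.20.1.5:69 UDP"
    for i in range(200)
]


def parse_line(line):
    """Return (timestamp, src_ip, src_port, dst_port), or None for malformed or non-UDP lines."""
    try:
        ts, src, _arrow, dst, proto = line.split()
        if proto != "UDP":
            return None
        src_ip, src_port = src.rsplit(":", 1)
        _dst_ip, dst_port = dst.rsplit(":", 1)
        return datetime.fromisoformat(ts), src_ip, int(src_port), int(dst_port)
    except ValueError:  # wrong field count, bad timestamp or non-numeric port
        return None


def detect_tftp_flood(lines, window_s=10, max_endpoints=20):
    """Return [(window_start_iso, distinct_endpoints)] for each window_s-second
    window in which more than max_endpoints distinct (src_ip, src_port) pairs
    sent packets to UDP/69. Distinct endpoints, not packet volume, is the signal:
    the flaw charges one session allocation per new endpoint, and a legitimate
    PXE deployment involves only a handful of clients."""
    endpoints = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != TFTP_PORT:
            continue
        ts, src_ip, src_port, _ = parsed
        bucket = int((ts - EPOCH).total_seconds()) // window_s * window_s
        endpoints[bucket].add((src_ip, src_port))
    return [((EPOCH + timedelta(seconds=b)).isoformat(), len(eps))
            for b, eps in sorted(endpoints.items()) if len(eps) > max_endpoints]


if __name__ == "__main__":
    for window, count in detect_tftp_flood(SAMPLE_LOG):
        print(f"ALERT {window}: {count} distinct endpoints hit UDP/{TFTP_PORT}")
```

The same logic applies unchanged to real exports as long as each line carries a timestamp and the source and destination endpoints; raise the threshold to match the number of PXE clients expected to boot concurrently.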