Unauthenticated DoS Vulnerability Crashes Windows Deployment Services, No Patch - #CVE-2025-2905
A critical denial-of-service vulnerability has been discovered in Windows Deployment Services (WDS), allowing remote attackers to crash enterprise networks by exploiting a flaw in the TFTP service. The vulnerability, which stems from unlimited allocation of CTftpSession objects, can be triggered by sending spoofed UDP packets to port 69, potentially causing a complete system crash within minutes. Despite being reported to Microsoft in February 2025, the company has declined to patch the issue, stating that it does not meet its security servicing criteria. This decision has been met with criticism from security researchers, who emphasize the zero-click nature of the attack and its potential impact on organizations using PXE-based deployment infrastructure. In the absence of an official fix, experts recommend avoiding WDS altogether to mitigate the risk posed by this vulnerability.
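As an added example that is not part of the original article, the detector below runs over constructed flow-log lines and flags a WDS host once the number of distinct UDP/69 source endpoints seen inside a sliding window exceeds a threshold; distinct endpoints rather than packet volume is the signal, since the article attributes the crash to one CTftpSession being allocated per session without limit. The log line format, the server address 192.0.2.5, the window and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not captured traffic): two ordinary PXE clients,
# then 120 UDP/69 packets from distinct spoofed source endpoints at one WDS server.
LEGIT_LINES = [
    "2025-04-15T10:00:00Z UDP 192.0.2.20:2070 -> 192.0.2.5:69",
    "2025-04-15T10:00:05Z UDP 192.0.2.21:2071 -> 192.0.2.5:69",
]
SPOOFED_LINES = [
    f"2025-04-15T10:01:{i // 2:02d}Z UDP 203.0.113.{i % 250 + 1}:{40000 + i} -> 192.0.2.5:69"
    for i in range(120)
]
SAMPLE_LOG_LINES = LEGIT_LINES + SPOOFED_LINES
LINE_RE = re.compile(r"^(\S+) UDP (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")

def parse_line(line):
    # -> (timestamp, src_ip, src_port, dst_ip, dst_port), or None if the line does not parse
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def detect_tftp_session_flood(lines, window=timedelta(seconds=60), threshold=50):
    """Flag destinations that see more than `threshold` distinct UDP/69 source endpoints in one `window`."""
    events = defaultdict(list)  # dst_ip -> [(ts, (src_ip, src_port)), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[4] != 69:
            continue
        ts, src_ip, src_port, dst_ip, _ = parsed
        events[dst_ip].append((ts, (src_ip, src_port)))
    alerts = []
    for dst_ip, evs in events.items():
        evs.sort()
        in_window, start = Counter(), 0  # endpoint -> packets currently inside the window
        for ts, endpoint in evs:
            in_window[endpoint] += 1
            while ts - evs[start][0] > window:  # evict events that aged out of the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                alerts.append((dst_ip, evs[start][0], len(in_window)))
                break  # one alert per destination is enough
    return alerts
```

The threshold should sit above the number of PXE clients expected to boot within the window, so a normal imaging wave does not trip it. While WDS remains in use, the alert is most useful alongside restricting inbound UDP/69 on the server to the deployment subnets.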