LDAPNightmare: PoC Exploit Targets Windows LDAP Flaw CVE-2024-49113

January 3, 2025

The vulnerability CVE-2024-49113, also known as LDAPNightmare, is a Windows Lightweight Directory Access Protocol (LDAP) Denial of Service flaw that was identified by Yuki Chen. This vulnerability, which has a CVSS score of 7.5, can be exploited to cause a denial of service condition. Yuki Chen disclosed two critical LDAP vulnerabilities, CVE-2024-49112 (CVSS 9.8) and CVE-2024-49113, on December 10, 2024, as part of Microsoft’s Patch Tuesday update.

SafeBreach Labs has created a proof-of-concept exploit for CVE-2024-49113 that can crash any unpatched Windows Server, not just Domain Controllers, provided the DNS server of the victim Domain Controller is connected to the internet. According to their report, the attack involves an attacker manipulating a victim server to send DNS and LDAP requests, resulting in a crafted LDAP response that crashes the LSASS process and reboots the server.

The researchers suggest that the same attack could potentially allow a remote attacker to execute arbitrary code on vulnerable servers by altering the CLDAP packet. SafeBreach concluded, 'This research set out to explore whether the LDAP CVE-2024-49113 vulnerability could be exploited. Our research proved that not only can it be exploited against Domain Controllers, it also affects any unpatched Windows Server.' They also believe that this will likely lead to the exploitation of CVE-2024-49112 in the near future, and therefore advise patching both vulnerabilities.

Organizations are encouraged to apply Microsoft’s patch to mitigate the vulnerability. Given the criticality of patching domain controllers and Windows Servers, organizations are advised to proceed with caution. Until the patch is applied, it is recommended to implement detections for suspicious CLDAP referral responses, DsrGetDcNameEx2 calls, and DNS SRV queries. The report provides a detailed technical analysis of CVE-2024-49113.
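One way to approach the DNS SRV part of that detection, as an added example that is not from SafeBreach's report or this article: it reads DNS query log lines and reports clients that sent Active Directory DC-locator SRV lookups (`_ldap._tcp...`) for domains outside an allowlist. Treating such lookups as suspicious, the log format, the `INTERNAL_DOMAINS` allowlist and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the AD DNS domains this organisation actually operates.
INTERNAL_DOMAINS = {"corp.example.com"}

# DC-locator SRV owner names: _ldap._tcp[.<site>._sites][.dc._msdcs].<domain>
LOCATOR = re.compile(
    r"^_ldap\._tcp\.(?:[a-z0-9-]+\._sites\.)?(?:dc\._msdcs\.)?"
    r"(?P<domain>[a-z0-9.-]+?)\.?$",
    re.IGNORECASE,
)

# Constructed sample in a hypothetical "<time> <client> <qtype> <qname>" format.
SAMPLE_LOG = """\
2025-01-03T10:15:02Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example.com
2025-01-03T10:15:09Z 10.0.0.21 SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.untrusted.example.net
2025-01-03T10:15:09Z 10.0.0.21 SRV _ldap._tcp.dc._msdcs.untrusted.example.net
2025-01-03T10:15:11Z 10.0.0.7 A www.example.org
2025-01-03T10:15:12Z 10.0.0.8 SRV _sip._tcp.example.org
2025-01-03T10:16:40Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.child.corp.example.com.
""".splitlines()


def external_locator_lookups(lines, internal=INTERNAL_DOMAINS):
    """Map client IP -> sorted external domains it sent DC-locator SRV queries for."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "SRV":
            continue  # malformed line or not an SRV query
        match = LOCATOR.match(parts[3])
        if not match:
            continue  # SRV query, but not a DC-locator name
        domain = match.group("domain").lower()
        if not any(domain == d or domain.endswith("." + d) for d in internal):
            hits[parts[1]].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    for client, domains in external_locator_lookups(SAMPLE_LOG).items():
        print(f"review {client}: DC-locator SRV lookup for {', '.join(domains)}")
```

Domains of trusted forests belong in the allowlist as well, otherwise legitimate cross-forest lookups will be reported.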
