NAVANEM
CVE-2024-49113

Windows LDAP, denial of service (LDAPNightmare)

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability.

Overview

CVE-2024-49113, dubbed "LDAPNightmare," is a high-severity denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation. The vulnerability exists in wldap32.dll and allows a network attacker to crash the Local Security Authority Subsystem Service (LSASS) on Windows Domain Controllers, forcing an automatic reboot. SafeBreach Labs released a working proof-of-concept exploit (ldapnightmare.exe) in January 2025, making exploitation trivial for attackers with network access to LDAP services.

Technical Details

The vulnerability stems from improper handling of malformed LDAP referral responses in the Windows LDAP client library (wldap32.dll). When a Domain Controller processes a specially crafted LDAP referral, an out-of-bounds read condition occurs. This memory access violation causes LSASS to crash. Since LSASS is a critical system process responsible for authentication and security policy enforcement, its unexpected termination triggers an automatic system reboot on the affected Domain Controller.

The attack can be executed over standard LDAP ports:

  • TCP port 389 (LDAP)
  • TCP port 636 (LDAPS)

The attack requires no authentication and can be repeated continuously to keep Domain Controllers offline indefinitely.

Impact

The impact of this vulnerability is severe for enterprise environments:

  • Service Disruption: Domain Controllers are central to Active Directory authentication. When a DC goes offline, authentication services fail across the entire forest until the system reboots.
  • Repeated Exploitation: Attackers can continuously trigger the vulnerability, preventing DCs from recovering and maintaining a persistent denial-of-service condition.
  • Business Continuity: While recovery is automatic upon reboot, the outage window causes significant business impact as users cannot authenticate to network resources.
  • Low Barrier to Entry: The public proof-of-concept makes this vulnerability accessible to low-skilled attackers and DDoS-as-a-service operators.

No confirmed in-the-wild exploitation has been reported, but the availability of working exploit code makes opportunistic attacks highly likely against unpatched environments.

Mitigation

  1. Apply Patches: Install the December 2024 cumulative update on all Domain Controllers immediately.
  2. Network Segmentation: Ensure Domain Controllers do not accept LDAP traffic from untrusted networks. Audit firewall rules at DC subnet boundaries.
  3. Restrict LDAP Exposure: Block external access to TCP ports 389 and 636 on Domain Controllers.

Detection

  1. Monitor LSASS Crashes: Configure monitoring for unexpected LSASS termination events on Domain Controllers.
  2. Network Monitoring: Alert on unusual LDAP traffic patterns, particularly from untrusted network segments.
  3. Event Log Analysis: Review Windows Event Logs for system crash events correlated with LDAP activity.
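As an added example (not part of the original advisory), the PowerShell hunt below implements detection items 1 and 3: it pulls Application Error records (Event ID 1000) for lsass.exe and Wininit critical-process-failure events (Event ID 1015) from a Domain Controller over a lookback window and flags faults inside wldap32.dll, the module named in this CVE. The computer name and lookback window are assumed parameters; the event IDs are the standard Windows IDs for application faults and critical-process failures.

```powershell
# Added example: hunt a Domain Controller's event logs for LSASS crashes attributable to wldap32.dll.
# Assumes rights to read the Application and System logs on the target (local by default).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter: DC to query
    [int]$LookbackHours = 24                     # assumed parameter: how far back to search
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Application log, Event ID 1000 (source "Application Error"): records the faulting
# application (lsass.exe) and the faulting module (wldap32.dll for this CVE's crash pattern).
$appCrashes = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }

# System log, Event ID 1015 (Wininit): "A critical system process ... lsass.exe failed",
# logged just before the forced reboot that the advisory describes.
$criticalFailures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'System'
    Id        = 1015
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }

# Emit one row per hit; InWldap32 = $true is the CVE-2024-49113 signature, but any LSASS
# fault on a DC deserves review, so rows for other faulting modules are kept as well.
foreach ($e in $appCrashes) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        Source    = 'Application Error 1000'
        InWldap32 = [bool]($e.Message -match 'wldap32\.dll')
        Detail    = (($e.Message -split "`n") |
                     Where-Object { $_ -match 'Faulting (application|module) name' }) -join ' | '
    }
}
foreach ($e in $criticalFailures) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        Source    = 'Wininit 1015'
        InWldap32 = $null   # 1015 does not name the faulting module; correlate by time with the 1000 rows
        Detail    = (($e.Message -split "`n")[0]).Trim()
    }
}
```

Correlating a 1000/1015 pair on a DC with inbound LDAP connections from an untrusted segment in firewall or NetFlow logs (detection item 2) turns a generic crash alert into a specific LDAPNightmare indicator.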