Introduction
In December 2024 [1] [6] [9], Microsoft addressed two critical vulnerabilities in Active Directory Domain Controllers [3], identified as CVE-2024-49113 and CVE-2024-49112 [3]. These vulnerabilities pose significant security risks [4], including denial-of-service (DoS) and remote code execution (RCE), which could potentially disrupt enterprise networks and facilitate malicious activities.
Description
Two critical vulnerabilities in Active Directory Domain Controllers have been identified and patched by Microsoft: CVE-2024-49113 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] and CVE-2024-49112. The first vulnerability, CVE-2024-49113, is a denial-of-service (DoS) flaw in the Windows Lightweight Directory Access Protocol (LDAP) client, capable of crashing multiple unpatched Windows servers simultaneously through automated DNS SRV queries that redirect victims to an attacker’s LDAP server. To exploit this vulnerability [9] [10], an attacker must configure specific parameters [2], including the target IP address and the TCP port for RPC communication (default: 49664) [2], as well as a UDP port for the exploit server to listen on (default: 389) [2]. Additionally, the attacker must possess a domain name with two DNS SRV records pointing to their machine’s hostname [2], which are essential for the victim server to locate the attacker’s machine [2]. The exploitation chain for CVE-2024-49113 requires altering the final CLDAP packet to achieve remote code execution (RCE) by invoking the DsrGetDcNameEx2 function via the Netlogon Remote Protocol and sending specially crafted responses to trigger the vulnerability. This vulnerability has a CVSS score of 7.5 and is categorized as “Exploitation Less Likely.”
The second vulnerability, CVE-2024-49112 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], is a critical RCE flaw with a CVSS severity score of 9.8, disclosed by Microsoft during its December 2024 Patch Tuesday update [1]. This vulnerability, titled “Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability,” affects Windows servers [5] [9], particularly Domain Controllers (DCs) [1] [6] [8] [9], which are essential for managing authentication and user privileges in enterprise networks [6]. It arises from an integer overflow in LDAP-related code [1] [6], allowing unauthenticated attackers to exploit it by sending specially crafted RPC calls that trigger malicious queries [1] [6], potentially leading to server crashes or arbitrary code execution within the context of the LDAP service. The implications of this flaw are significant [9], as it could facilitate easier and more effective propagation of attacks across enterprise networks [9].
SafeBreach Labs has developed a zero-click proof-of-concept (PoC) exploit named “LDAPNightmare,” which demonstrates the severity of CVE-2024-49112 by crashing unpatched Windows servers [6]. This exploit targets all unpatched versions of Windows Server [6], including Windows Server 2019 and 2022 [6], and requires only that the victim’s DNS server have internet connectivity [4], making it a severe threat [4]. Successful exploitation could enable attackers to gain control over domain environments [6], making domain controllers attractive targets for ransomware and other malicious activities [6]. The PoC tool was published by Security Boulevard on January 2, 2024, and is available on GitHub for organizations to test their server protections [5], underscoring the urgency of addressing this critical flaw [1].
Despite the severity of these vulnerabilities [3], Microsoft has provided limited details regarding the LDAP flaws [3] [7]. However, research confirms that Microsoft’s patch effectively addresses these vulnerabilities [5] [11], preventing crashes on updated servers [11]. Organizations running Windows Servers are urged to apply the December 2024 security updates immediately [3], as many may still be vulnerable [3]. Although there is currently no evidence of exploitation in the wild [3], exploit code has reportedly been released [3], suggesting that threat actors may be preparing to leverage these vulnerabilities [3]. Security experts recommend implementing compensating controls [3], such as firewalls for LDAP and RPC [3], to mitigate the risk if immediate patching is not feasible [3]. Additionally, organizations should monitor for unusual DNS SRV queries [1], CLDAP referral responses [1] [5] [6], and DsrGetDcNameEx2 calls until patching is complete [6]. SafeBreach provides tools to help enterprises test their server security against these identified vulnerabilities [11], emphasizing the need for robust monitoring to protect critical infrastructure while the risks associated with these vulnerabilities are assessed.
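As an added example (not from this page, SafeBreach, or Microsoft), a small Python triage script that applies the monitoring advice above to constructed log lines: it flags LDAP SRV lookups for DNS zones outside an allow-list (the redirection step) and domain-controller egress on LDAP ports to non-internal addresses (the follow-on contact). The log format, zone allow-list, DC addresses and internal ranges are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample log lines in a simplified, made-up format (not any vendor's):
#   <ts> dns  <client_ip> <qtype> <qname>            DNS queries seen by the resolver
#   <ts> conn <src_ip> <dst_ip> <proto>/<dst_port>   connections leaving the DC subnet
SAMPLE_LOGS = """\
2024-12-27T10:00:01Z dns 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example
2024-12-27T10:00:02Z dns 10.0.0.5 A fileserver.corp.example
2024-12-27T10:00:03Z dns 10.0.0.5 SRV _ldap._tcp.dc._msdcs.not-our-forest.test
2024-12-27T10:00:04Z conn 10.0.0.5 10.0.0.20 udp/389
2024-12-27T10:00:05Z conn 10.0.0.5 198.51.100.7 udp/389
2024-12-27T10:00:06Z conn 10.0.0.5 198.51.100.7 tcp/443
"""

TRUSTED_ZONES = ("corp.example",)    # assumption: zones of your own forest and trusted forests
DC_HOSTS = {"10.0.0.5"}              # assumption: addresses of your domain controllers
LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP/CLDAP, LDAPS and global-catalog ports
INTERNAL_NETS = [ipaddress.ip_network(n)  # assumption: your internal address space
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def trusted_zone(qname):
    """True if qname is in, or below, one of the allow-listed zones."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in TRUSTED_ZONES)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log_text):
    """Return (timestamp, reason, detail) tuples for events worth a look."""
    alerts = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        ts, kind = f[0], f[1]
        if kind == "dns":
            client, qtype, qname = f[2], f[3], f[4]
            # A DC resolving an LDAP SRV record for a zone it does not trust is the
            # redirection step: that record can point at a foreign LDAP server.
            if qtype == "SRV" and qname.lower().startswith("_ldap._tcp.") and not trusted_zone(qname):
                alerts.append((ts, "ldap-srv-untrusted-zone", f"{client} -> {qname}"))
        elif kind == "conn":
            src, dst, proto_port = f[2], f[3], f[4]
            port = int(proto_port.split("/")[1])
            # A DC speaking LDAP/CLDAP to an external address is the follow-on contact
            # that an egress firewall rule for LDAP should block until patching is done.
            if src in DC_HOSTS and port in LDAP_PORTS and not is_internal(dst):
                alerts.append((ts, "dc-egress-ldap-external", f"{src} -> {dst} {proto_port}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(*alert)
```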
Conclusion
The vulnerabilities CVE-2024-49113 and CVE-2024-49112 present significant threats to enterprise networks, with potential impacts including denial-of-service and remote code execution. Immediate application of Microsoft’s December 2024 security updates is crucial to mitigate these risks. Organizations should also consider implementing additional security measures, such as firewalls and monitoring tools, to protect against potential exploitation. As threat actors may attempt to exploit these vulnerabilities, ongoing vigilance and robust security practices are essential to safeguard critical infrastructure.
References
[1] https://cybermaterial.com/exploit-released-for-critical-windows-flaw/
[2] https://github.com/SafeBreach-Labs/CVE-2024-49112
[3] https://siberulak.com/active-directory-kusuru-herhangi-bir-microsoft-sunucusunun-cokmesine-neden-olabilir/
[4] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-january-02-2025
[5] https://securityboulevard.com/2025/01/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/
[6] https://cybersecuritynews.com/poc-windows-ldap-rce-vulnerability/
[7] https://www.darkreading.com/vulnerabilities-threats/active-directory-flaw-can-crash-any-microsoft-server-connected-to-the-internet
[8] https://news.hackreports.com/over-3-million-mail-servers-without-encryption-exposed-to-sniffing-attacks/
[9] https://ciso2ciso.com/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112-source-securityboulevard-com/
[10] https://www.cert.be/fr/advisory/warning-microsoft-patch-tuesday-december-2024-patches-70-vulnerabilities-16-critical-54
[11] https://31wedge.com/ldapnightmare-safebreach-publishes-first-poc-exploit-cve-2024-49113/