Critical Windows Domain Controller Exploit Revealed: LDAPNightmare PoC Triggers System Crashes


A newly released proof-of-concept (PoC) exploit dubbed "LDAPNightmare" demonstrates how attackers can crash Windows domain controllers by exploiting a recently patched vulnerability in the Lightweight Directory Access Protocol (LDAP).

The security flaw, tracked as CVE-2024-49113, allows attackers to trigger denial-of-service conditions on unpatched Windows Server systems by sending specially crafted CLDAP referral response packets. When successfully exploited, the attack crashes the Local Security Authority Subsystem Service (LSASS) and forces a system reboot.

According to SafeBreach Labs, which developed the PoC, the only requirement for a successful attack is that the target domain controller's DNS server has Internet connectivity. The exploit works by sending a DCE/RPC request that triggers the vulnerability.

The same exploit chain could potentially enable remote code execution through a related vulnerability (CVE-2024-49112) by modifying the CLDAP packet structure. Both security flaws were discovered and reported by security researcher Yuki Chen.

Microsoft released patches for these vulnerabilities in December 2024. Organizations are strongly advised to apply the security updates immediately. For environments where immediate patching isn't feasible, security teams should monitor for:

  • Suspicious CLDAP referral responses
  • Unusual DsrGetDcNameEx2 calls
  • Suspicious DNS SRV queries
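
As an added example (not code from the article or from SafeBreach Labs), the three indicators above can be combined into one correlation rule rather than alerted on separately: flag a domain controller when an inbound DsrGetDcNameEx2 call is followed within a short window by a DNS SRV query for a name outside the organisation's own AD suffixes and then a CLDAP referral response from a non-internal address. The event records, their field layout, the internal address ranges and the domain suffixes are all constructed assumptions for the demonstration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields: timestamp, event kind,
# peer address (RPC caller, DNS client, or CLDAP responder), detail.
SAMPLE_EVENTS = [
    ("2025-01-02T10:00:00", "rpc_call",       "203.0.113.5",  "DsrGetDcNameEx2"),
    ("2025-01-02T10:00:01", "dns_srv_query",  "10.0.0.10",    "_ldap._tcp.dc._msdcs.unknown.example"),
    ("2025-01-02T10:00:02", "cldap_response", "198.51.100.7", "referral"),
    # Benign locator traffic: SRV lookup for the org's own forest, internal responder.
    ("2025-01-02T11:30:00", "dns_srv_query",  "10.0.0.10",    "_ldap._tcp.dc._msdcs.corp.local"),
    ("2025-01-02T11:30:01", "cldap_response", "10.0.0.11",    "referral"),
]

# Assumptions: the org's AD DNS suffixes and its internal address space.
INTERNAL_DOMAINS = {"corp.local"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=30)

def is_external_addr(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def is_external_srv(name):
    # A DC should only be chasing SRV records for domains it is expected to talk to.
    return not any(name == d or name.endswith("." + d) for d in INTERNAL_DOMAINS)

def find_suspicious_chains(events, window=WINDOW):
    """Return (rpc_ts, dns_ts, cldap_ts) ISO triples for each DsrGetDcNameEx2 call
    that is followed within `window` by an external SRV query and then a CLDAP
    referral response from a non-internal address."""
    parsed = sorted((datetime.fromisoformat(ts), kind, addr, detail)
                    for ts, kind, addr, detail in events)
    hits = []
    for i, (t0, kind, _addr, detail) in enumerate(parsed):
        if kind != "rpc_call" or detail != "DsrGetDcNameEx2":
            continue
        dns_ts = None
        for t, k, a, d in parsed[i + 1:]:
            if t - t0 > window:
                break
            if k == "dns_srv_query" and dns_ts is None and is_external_srv(d):
                dns_ts = t
            elif k == "cldap_response" and dns_ts is not None and d == "referral" and is_external_addr(a):
                hits.append((t0.isoformat(), dns_ts.isoformat(), t.isoformat()))
                break
    return hits

if __name__ == "__main__":
    for rpc_ts, dns_ts, cldap_ts in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"suspicious locator chain: rpc={rpc_ts} srv={dns_ts} cldap={cldap_ts}")
```

Only the first sequence is reported; the later SRV lookup for the org's own domain answered by an internal host is left alone, which is the point of correlating rather than alerting on each indicator by itself.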

The vulnerabilities affect the core infrastructure of Windows networks, making them particularly dangerous for enterprise environments. Unpatched systems remain at risk of both denial-of-service attacks and potential remote code execution.