LDAP Nightmare — Windows LDAP Client RCE/DoS (CVE-2024-49113)
by SafeBreach Labs (Or Yair, Shahak Morag); CVE reported by Yuki Chen · 2026-05-15
- Severity: Critical
- CVE: CVE-2024-49113
- Category: network
- Affected product: Microsoft Windows LDAP client / Netlogon interaction path
- Affected versions: Windows Server systems affected by CVE-2024-49113 (vendor-specific vulnerable builds)
- Disclosed: 2026-05-15
- Patch status: patched
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Author / Researcher | SafeBreach Labs (Or Yair, Shahak Morag); CVE reported by Yuki Chen |
| CVE / Advisory | CVE-2024-49113 |
| Category | network |
| Severity | Critical |
| CVSS Score | N/A |
| Status | Weaponized |
| Tags | LDAP, NRPC, Windows Server, unauthenticated, DoS, potential-RCE |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Windows LDAP client / Netlogon interaction path |
| Versions Affected | Windows Server systems affected by CVE-2024-49113 (vendor-specific vulnerable builds) |
| Language / Platform | Python PoC targeting Windows Server environments |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
LDAP Nightmare is a public PoC for CVE-2024-49113, a critical vulnerability in Windows LDAP client behavior that can be reached through Netlogon workflow interactions. The PoC starts a malicious LDAP service and triggers victim-side LDAP resolution via DsrGetDcNameEx2, then returns crafted data intended to trigger vulnerable handling. In observed PoC behavior, successful exploitation can crash the target (lsass/Netlogon path), and Microsoft classifies the issue as capable of remote code execution.
Vulnerability Details
Root Cause
The vulnerable flow involves unsafe processing in the Windows LDAP client path when handling attacker-influenced LDAP referral/response data reached during domain controller discovery logic. By controlling server responses, an attacker can trigger invalid state handling in the victim process.
Attack Vector
An attacker exposes a malicious LDAP server and invokes DsrGetDcNameEx2 against the target over Netlogon RPC so the target queries attacker-controlled LDAP records. Crafted LDAP data in that response path is then used to trigger the vulnerability.
Impact
- Remote crash / denial-of-service of vulnerable Windows Server systems.
- Service instability tied to Netlogon/LSASS processing path.
- Potential remote code execution risk according to vendor advisory/CVE classification.
Environment / Lab Setup
- OS: Attacker on Linux/macOS/Windows with Python 3
- Target: Vulnerable Windows Server in authorized lab domain environment
- Attacker: Host reachable by target over required RPC/LDAP paths
- Tools: python3, impacket, responder dependencies from PoC
Setup Steps
Proof of Concept
Step-by-Step Reproduction
- Prepare attacker DNS domain/SRV records so target LDAP discovery points to the attacker host.
- Start the PoC and its malicious LDAP server listener.
- Trigger DsrGetDcNameEx2 against the vulnerable target using the crafted domain input.
- Observe target connection reset/crash behavior indicating the vulnerable path was triggered.
Exploit Code
See LdapNightmare.py, exploit_server.py, and rpc_call.py in this folder.
Expected Output
INFO: Waiting for udp server to start...
INFO: Calling DsrGetDcNameEx2 now...
INFO: Successfuly triggered the vulnerability!
Screenshots / Evidence
screenshots/: add authorized lab captures of RPC call, malicious LDAP interaction, and target failure signal.
Detection & Indicators of Compromise
- Unexpected outbound LDAP lookups to untrusted domains/hosts from domain controllers
- Netlogon RPC calls invoking unusual DsrGetDcNameEx2 parameters
- LSASS/Netlogon crashes or restarts correlated with attacker-controlled LDAP responses
SIEM / IDS Rule (example):
Alert on domain controllers performing LDAP SRV resolution and LDAP traffic to
non-approved external domains immediately after NRPC DsrGetDcNameEx2 activity.
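The correlation rule sketched above, written out as an added example (it is not part of this archive entry or of the SafeBreach PoC). It parses constructed key=value log lines; the field names, hostnames, domains and addresses are assumptions rather than a real telemetry schema. A DsrGetDcNameEx2 call on a domain controller that is followed within a short window by LDAP SRV resolution or a port-389 connection to a domain outside the approved allowlist raises an alert, and the severity is bumped when an lsass.exe crash follows inside the same window.

```python
"""Toy SIEM rule: NRPC DsrGetDcNameEx2 followed by LDAP discovery to a
non-approved domain on a domain controller.  All log data is constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed schema, not real event data).
# The first burst is normal DC discovery; the second points at an
# unapproved domain and ends with an lsass.exe crash.
SAMPLE_LOGS = """\
ts=2026-05-15T10:00:00Z host=DC01 event=nrpc_call op=DsrGetDcNameEx2 domain=corp.example
ts=2026-05-15T10:00:01Z host=DC01 event=dns_query qtype=SRV qname=_ldap._tcp.dc._msdcs.corp.example
ts=2026-05-15T10:00:01Z host=DC01 event=net_conn proto=tcp dst=10.0.0.5 dport=389 domain=corp.example
ts=2026-05-15T10:05:00Z host=DC01 event=nrpc_call op=DsrGetDcNameEx2 domain=evil.test
ts=2026-05-15T10:05:02Z host=DC01 event=dns_query qtype=SRV qname=_ldap._tcp.dc._msdcs.evil.test
ts=2026-05-15T10:05:02Z host=DC01 event=net_conn proto=udp dst=203.0.113.9 dport=389 domain=evil.test
ts=2026-05-15T10:05:03Z host=DC01 event=process_crash image=lsass.exe
ts=2026-05-15T11:00:00Z host=DC01 event=dns_query qtype=SRV qname=_ldap._tcp.dc._msdcs.evil.test
"""

APPROVED_DOMAINS = {"corp.example"}      # assumed allowlist of trusted AD domains
DC_HOSTS = {"DC01"}                      # assumed set of domain controller hostnames
WINDOW = timedelta(seconds=10)           # correlation window after the NRPC call


def parse_line(line):
    """Turn one 'k=v k=v ...' line into a dict with a parsed timestamp."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def ldap_target_domain(ev):
    """Return the domain an LDAP discovery event points at, or None."""
    if ev.get("event") == "dns_query" and ev.get("qtype") == "SRV":
        q = ev.get("qname", "")
        if q.startswith("_ldap._tcp."):
            # _ldap._tcp.dc._msdcs.<domain> or _ldap._tcp.<domain>
            return q.split("_msdcs.", 1)[1] if "_msdcs." in q else q[len("_ldap._tcp."):]
    if ev.get("event") == "net_conn" and ev.get("dport") == "389":
        return ev.get("domain")
    return None


def is_approved(domain, approved=APPROVED_DOMAINS):
    """True when the domain is an allowlisted domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in approved)


def correlate(log_text, approved=APPROVED_DOMAINS, dc_hosts=DC_HOSTS, window=WINDOW):
    """Return one alert per DsrGetDcNameEx2 call on a DC that is followed,
    within `window`, by LDAP discovery toward a non-approved domain."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for i, trig in enumerate(events):
        if (trig.get("event") != "nrpc_call" or trig.get("op") != "DsrGetDcNameEx2"
                or trig.get("host") not in dc_hosts):
            continue
        deadline = trig["ts"] + window
        bad_domains, crashed = set(), False
        for ev in events[i + 1:]:
            if ev["ts"] > deadline:
                break                      # events are sorted; window is over
            if ev.get("host") != trig["host"]:
                continue
            domain = ldap_target_domain(ev)
            if domain and not is_approved(domain, approved):
                bad_domains.add(domain)
            if ev.get("event") == "process_crash" and ev.get("image") == "lsass.exe":
                crashed = True
        if bad_domains:
            alerts.append({
                "host": trig["host"],
                "ts": trig["ts"].isoformat(),
                "nrpc_domain": trig.get("domain"),
                "ldap_domains": sorted(bad_domains),
                # crash after the lookup matches the observed DoS outcome
                "severity": "critical" if crashed else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The lone SRV lookup at 11:00 produces nothing on its own because the rule keys on the NRPC call; that is deliberate, since DCs resolve LDAP SRV records constantly and the unusual signal is the DsrGetDcNameEx2 request naming an untrusted domain immediately before the lookup. In a real deployment the allowlist would come from the forest's trusted domains and the crash signal from the host's own crash or service-restart telemetry.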
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft security updates addressing CVE-2024-49113 on all affected systems |
| Workaround | Restrict outbound LDAP/related lookup paths from critical servers to trusted infrastructure only |
| Config Hardening | Monitor and limit anomalous Netlogon/DC-discovery behavior; segment DC egress where possible |
References
- CVE-2024-49113
- Microsoft Security Update Guide
- SafeBreach Labs Blog — LDAPNightmare
- Source Repository — SafeBreach-Labs/CVE-2024-49113
Notes
Auto-ingested from https://github.com/SafeBreach-Labs/CVE-2024-49113 on 2026-05-15.