Windows LDAP Integer Overflow — Pre-Auth RCE Against Domain Controllers (CVE-2024-49112)
An integer overflow in the Windows LDAP client (wldap32.dll) lets a remote, unauthenticated attacker execute arbitrary code on a domain controller: a crafted RPC call makes the DC look up the attacker's domain and connect out as an LDAP client, and the attacker's malicious response triggers the overflow. SafeBreach published a proof-of-concept in January 2025 ("LDAPNightmare") that crashes LSASS on unpatched DCs. Apply the December 2024 cumulative update on every domain controller immediately.
A network attacker with no credentials can crash a domain controller with the public PoC, and the same memory-corruption primitive is the route to arbitrary code execution inside LSASS, the process that hosts the directory service on a DC. Code execution on a domain controller is effectively complete domain compromise: the attacker can extract every credential in the domain, modify directory data, and persist indefinitely. The DC-side attack requires no user interaction.
An integer overflow in the Windows LDAP client's response parser is triggered when a domain controller (or any LDAP client) processes a crafted referral or response. On a domain controller the attacker drives this without credentials: an unauthenticated RPC call causes the DC to resolve the attacker's domain over DNS and then issue an outbound (C)LDAP query to the attacker-controlled host, which answers with the malicious response. On non-DC clients the attacker must lure the client into connecting to an attacker-controlled domain. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025 without the December 2024 Patch Tuesday cumulative update.
Probably yes if any of these apply:
- You run a domain controller on any affected OS version (Windows Server 2008 SP2 through Windows Server 2025) that has not received the December 2024 cumulative update.
- You have domain-joined Windows 10/11 or Windows Server hosts on those versions that could be lured into an LDAP connection to an untrusted domain (the non-DC client case).
SafeBreach published a proof-of-concept under the name "LDAPNightmare" in January 2025 that reliably crashes LSASS (and so forces a reboot) on unpatched domain controllers. The published code is a denial of service, but it exercises the same delivery path on which the RCE depends, so treat it as a credible path to code execution. Microsoft's pre-patch guidance is to (a) ensure domain controllers cannot initiate connections to the internet and (b) block inbound RPC to domain controllers from untrusted networks; Microsoft states that either measure alone protects against this vulnerability and that applying both gives effective defence-in-depth. Domain controllers are the highest-value target in any Windows environment, so CVE-2024-49112 is among the most urgent patches of the December 2024 cycle.
Manual remediation steps
⏱ 60–120 minutes per DC including reboot
Inventory domain controllers
# List every DC in the forest. Get-ADDomainController on its own only queries
# the current domain, so walk every domain in the forest:
(Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
Defence-in-depth (apply on every DC even after patching)
# 1. Block domain controllers from initiating outbound internet connections.
# Configure on the network firewall: DCs should never originate traffic to
# the public internet. The DC is the LDAP *client* in this attack, so this
# stops it reaching an internet-hosted attacker at all.
#
# 2. Restrict inbound RPC to the DC from untrusted networks. RPC is not only
# TCP 135: the endpoint mapper hands out a dynamic port (49152-65535 on
# current Windows) and RPC is also reachable over SMB named pipes (TCP 445).
# Replace <untrusted-subnets> with your own CIDR list.
$untrusted = @("<untrusted-subnets>")
New-NetFirewallRule -DisplayName "Block inbound RPC EPM from untrusted" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 135 -RemoteAddress $untrusted
New-NetFirewallRule -DisplayName "Block inbound RPC dynamic ports from untrusted" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 49152-65535 -RemoteAddress $untrusted
New-NetFirewallRule -DisplayName "Block inbound SMB (named-pipe RPC) from untrusted" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 445 -RemoteAddress $untrusted
Apply the December 2024 cumulative update
Look up CVE-2024-49112 in the Microsoft Security Update Guide to find the current superseding cumulative update for your OS, install it on every DC, and reboot: the fix is not active until the restart completes.
Verify
# Confirm the LDAP client binary is patched. Run on each DC after the reboot:
# until the restart completes, the in-use file on disk is still the old build.
(Get-Item "$env:SystemRoot\System32\wldap32.dll").VersionInfo.FileVersion
# Server 2022: fixed in 10.0.20348.2966 or later
# Server 2019: fixed in the corresponding December 2024 cumulative; take the build from the MSRC entry
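The inventory and verify steps above, combined into one fleet-wide check. This is an added example, not this entry's tested script and not Microsoft's or SafeBreach's code. It assumes WinRM is open from your admin host to every DC, that you run it as a Domain Admin (or equivalent) with the ActiveDirectory RSAT module installed, and that you fill in the per-OS baselines: only the Server 2022 build (20348.2966) is taken from this page, the other entries in `$MinimumUbr` are placeholders to be filled from the MSRC entry for CVE-2024-49112. It reads the OS build and UBR from the registry rather than only the DLL version because the UBR only advances once the update's reboot has completed, so a DC that has installed but not rebooted is still reported as vulnerable.

```powershell
# Added example (not the page's tested script): check every DC in the forest
# for the December 2024 LDAP fix. Assumes WinRM access, Domain Admin rights
# and the ActiveDirectory RSAT module on the host running it.
$MinimumUbr = @{
    20348 = 2966    # Windows Server 2022, from this page (10.0.20348.2966)
    # 17763 = 0     # Windows Server 2019: replace 0 with the December 2024 UBR from MSRC
    # 26100 = 0     # Windows Server 2025: replace 0 with the December 2024 UBR from MSRC
}

# Inventory: Get-ADDomainController alone covers only the current domain,
# so walk every domain in the forest.
$dcs = @((Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ })

# Collect build, UBR, wldap32.dll version and last boot time from each DC.
# The registry UBR only advances once the update's reboot has completed,
# which is what we want: "installed but not rebooted" must read as vulnerable.
$raw = @(Invoke-Command -ComputerName $dcs.HostName -ErrorAction Continue -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build    = [int]$cv.CurrentBuildNumber
        UBR      = [int]$cv.UBR
        Wldap32  = (Get-Item "$env:SystemRoot\System32\wldap32.dll").VersionInfo.FileVersion
        LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
})

$report = @(foreach ($r in $raw) {
    $status = if (-not $MinimumUbr.ContainsKey($r.Build)) {
        'UNKNOWN-BASELINE'          # add this OS build to $MinimumUbr before trusting the verdict
    } elseif ($r.UBR -ge $MinimumUbr[$r.Build]) {
        'PATCHED'
    } else {
        'VULNERABLE'
    }
    [pscustomobject]@{
        DC       = $r.PSComputerName
        OSBuild  = '{0}.{1}' -f $r.Build, $r.UBR
        Wldap32  = $r.Wldap32
        LastBoot = $r.LastBoot
        Status   = $status
    }
})

# A DC that did not answer over WinRM is not a patched DC: report it explicitly
# instead of letting it silently drop out of the table.
$answered = @($raw | ForEach-Object { $_.PSComputerName.ToLower() })
foreach ($dc in $dcs) {
    if ($answered -notcontains $dc.HostName.ToLower()) {
        $report += [pscustomobject]@{
            DC = $dc.HostName; OSBuild = ''; Wldap32 = ''; LastBoot = $null; Status = 'UNREACHABLE'
        }
    }
}

# VULNERABLE and UNREACHABLE sort ahead of PATCHED so the work list is at the top.
$report | Sort-Object Status, DC | Format-Table -AutoSize
```

Anything other than PATCHED on a DC row is an action item: UNKNOWN-BASELINE means you have not yet entered that OS build's December 2024 UBR into `$MinimumUbr`, and UNREACHABLE means the DC could not be queried and must be checked by hand.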
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.