Windows LDAP Integer Overflow — Pre-Auth RCE Against Domain Controllers (CVE-2024-49112)
An integer overflow in the Windows LDAP client allows a remote attacker to execute arbitrary code on a domain controller via a crafted RPC call that triggers a domain lookup. SafeBreach published a working PoC in January 2025 ("LDAPNightmare"). Apply the December 2024 cumulative update on every domain controller immediately.
A network attacker with no credentials can crash a domain controller with the public PoC and, by extension of the same primitive, execute arbitrary code in the LSASS context. Code execution on a domain controller is effectively complete domain compromise — the attacker can extract every credential in the domain, modify directory data, and persist indefinitely. The DC-side attack does not require any user interaction.
An integer overflow in the Windows LDAP client's response parser can be triggered when a domain controller (or any LDAP client) processes a crafted referral or response. On a domain controller, an attacker can drive this via an unauthenticated RPC call that causes the DC to issue an outbound LDAP query to an attacker-controlled host, which then returns the malicious response. On non-DC clients, the attacker needs to lure the client into connecting to an attacker-controlled domain. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025 prior to the December 2024 Patch Tuesday.
Probably yes if any of these apply:
Affected OS versions
SafeBreach published a full proof-of-concept under the name "LDAPNightmare" in January 2025, demonstrating a reliable LSASS crash on unpatched domain controllers with a credible path to RCE. Microsoft's pre-patch defence-in-depth guidance is to (a) block domain controllers from initiating outbound internet connections and (b) restrict inbound RPC from untrusted networks; Microsoft explicitly noted that these two measures in combination provide effective mitigation. Domain controllers are the highest-value target in any Windows environment, so CVE-2024-49112 is correspondingly among the most urgent patches of the December 2024 cycle.
Manual remediation steps
⏱ 60–120 minutes per DC including reboot
Inventory domain controllers
```powershell
# List every DC in the forest:
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, OperatingSystemVersion
```
Defence-in-depth (apply on every DC even after patching)
```powershell
# 1. Block domain controllers from initiating outbound internet connections.
#    Configure this on the network firewall: DCs should never originate outbound
#    traffic to the public internet.
#
# 2. Restrict inbound RPC to the DC from untrusted networks. TCP 135 is only the
#    RPC endpoint mapper; cover the dynamic RPC port range (49152-65535 by
#    default) from the same untrusted subnets as well.
New-NetFirewallRule -DisplayName "Block inbound RPC from untrusted" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 135 `
    -RemoteAddress <untrusted-subnets>
```
Apply the December 2024 cumulative update
Look up CVE-2024-49112 in the per-OS KB reference below (or in the Microsoft Update Catalog) to find the current superseding cumulative update for your OS.
Verify
```powershell
# Confirm the LDAP client binary is patched:
(Get-Item C:\Windows\System32\wldap32.dll).VersionInfo.FileVersion
# Server 2022 fixed in build 10.0.20348.2966 or later
# Server 2019 fixed in the corresponding December 2024 cumulative
```
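The inventory, patch and verify steps above combined into one forest-wide audit, as an added example that is not part of the original advisory. The KB-to-OS mapping and the Server 2022 wldap32.dll build come from this page; the function name is ours, and the script assumes the ActiveDirectory RSAT module and WinRM access to each DC.

```powershell
# Added example, not part of the original advisory: audit every DC in the forest
# for the December 2024 update fixing CVE-2024-49112. The KB-to-OS mapping and the
# Server 2022 wldap32.dll build come from this page; the function name is ours.
# Assumes the ActiveDirectory RSAT module and WinRM access to each DC.
$KbByOs = @{
    'Windows Server 2012 R2' = 'KB5048735'
    'Windows Server 2016'    = 'KB5048671'
    'Windows Server 2019'    = 'KB5048661'
    'Windows Server 2022'    = 'KB5048654'
    'Windows Server 2025'    = 'KB5048667'
}
# Minimum patched wldap32.dll version where the page states one.
$MinWldap32 = @{ 'Windows Server 2022' = [version]'10.0.20348.2966' }

function Get-Cve202449112Status {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Match e.g. "Windows Server 2022 Datacenter" to its table row.
        $osKey = $KbByOs.Keys | Where-Object { $dc.OperatingSystem -like "$_*" } |
                 Select-Object -First 1
        $kb     = if ($osKey) { $KbByOs[$osKey] } else { $null }
        $minVer = if ($osKey -and $MinWldap32.ContainsKey($osKey)) { $MinWldap32[$osKey] } else { $null }

        $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -ArgumentList @($kb) -ScriptBlock {
            param($KbId)
            # Get-HotFix stops listing an LCU once a later one supersedes it,
            # so the patched binary's version is the more durable indicator.
            [pscustomobject]@{
                KbInstalled = [bool]($KbId -and (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue))
                Wldap32     = (Get-Item "$env:SystemRoot\System32\wldap32.dll").VersionInfo.FileVersionRaw.ToString()
            }
        }

        $ver = if ($remote) { [version]$remote.Wldap32 } else { $null }
        [pscustomobject]@{
            HostName    = $dc.HostName
            OS          = $dc.OperatingSystem
            ExpectedKb  = $kb
            KbInstalled = if ($remote) { $remote.KbInstalled } else { $null }
            Wldap32     = $ver
            # $null when the page gives no minimum build for this OS; compare manually.
            BuildOk     = if ($ver -and $minVer) { $ver -ge $minVer } else { $null }
            Reachable   = [bool]$remote
        }
    }
}

Get-Cve202449112Status | Format-Table -AutoSize
```

A DC showing Reachable = False needs a manual check; one showing KbInstalled = False but a Wldap32 version at or above the listed build has simply taken a later cumulative update.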
Per-OS KB reference
Per-Windows-Server-version KB mapping for this vulnerability. Each KB is the cumulative update that contains the fix for the listed OS version. Apply the KB for the OS you are running.
| Windows Server version | Cumulative update | Microsoft Update Catalog |
|---|---|---|
| Windows Server 2012 R2 | KB5048735 | https://catalog.update.microsoft.com/Search.aspx?q=KB5048735 |
| Windows Server 2016 | KB5048671 | https://catalog.update.microsoft.com/Search.aspx?q=KB5048671 |
| Windows Server 2019 | KB5048661 | https://catalog.update.microsoft.com/Search.aspx?q=KB5048661 |
| Windows Server 2022 | KB5048654 | https://catalog.update.microsoft.com/Search.aspx?q=KB5048654 |
| Windows Server 2025 | KB5048667 | https://catalog.update.microsoft.com/Search.aspx?q=KB5048667 |
This per-OS KB table was added 2026-05-21 from MSRC ingestion data. Verify each KB against the live MSRC advisory for your environment.
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References