IRONSMITHINTEL
CRITICAL | CVSS 9.8
CVE-2022-22012 | Auth: none | Reboot: required | Manual only

KB5014011: Windows Server 2012 R2 Security Update (May 2022)

A crafted LDAP request can give an attacker code execution on a domain controller — but only if the MaxReceiveBuffer LDAP policy has been raised above its default.

Published May 10, 2022 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker who can reach LDAP on a domain controller where MaxReceiveBuffer has been raised — typically for compatibility with applications that generate very large queries — can send a crafted request and execute code on the DC. Default-configured domain controllers are not vulnerable, but environments that tuned the policy for an application are. From SYSTEM on a DC the attacker has access to the AD database and every domain credential.

How the attack works

LDAP (Lightweight Directory Access Protocol) is the protocol every domain controller uses to publish AD data. The LDAP server in Windows accepts requests up to a size set by the MaxReceiveBuffer policy. When MaxReceiveBuffer is raised above its default, a flaw in how the server handles oversized requests lets an attacker corrupt memory and execute code in the LSASS / Active Directory context.

Am I affected? Quick check

Probably yes if any of these apply:

Windows Servers running as domain controllers where the MaxReceiveBuffer LDAP policy is non-default

Affected OS versions

Windows Server 2012 R2
Real-world incidents: what we've seen

An enterprise raised MaxReceiveBuffer years ago to accommodate a CRM application that generates huge directory queries. Nobody remembers the change is in place. An attacker on the internal network — perhaps having phished a workstation — discovers the non-default LDAP policy and uses the crafted request to execute code on the DC. From SYSTEM on a DC, the forest is owned.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5014011

Manual remediation steps

Check the MaxReceiveBuffer policy first

If MaxReceiveBuffer is at its default, this CVE is not exploitable on this DC:

# Run on a domain controller, requires AD admin rights
ntdsutil "ldap policies" "connections" "connect to server <DC-name>" q "show values" q q
# Look for MaxReceiveBuffer. Default = 10485760 (10 MB). Larger values = vulnerable.

Patch regardless — this is defence in depth.

Prerequisites

1. Local administrator on the target server
2. Maintenance window with reboot capacity
3. Current backup or snapshot you can roll back to
4. Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5014011 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Windows Server 2012 R2 ships no UsoClient.exe; trigger the legacy Windows Update agent instead
wuauclt /detectnow /updatenow

Manual download (offline / air-gapped):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5014011
2. Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
3. Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5014011
[System.Environment]::OSVersion.Version
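The MaxReceiveBuffer check from the remediation steps and the KB verification above, combined into one exposure assessment as an added example; this is not IronsmithIntel's script and not the automation the entry says is coming. The function name, the parsing of ntdsutil's "show values" output, and the status labels are this example's own assumptions; the 10485760 default and the KB number come from the entry.

```powershell
# Added example (not IronsmithIntel's code): assess one DC for CVE-2022-22012 exposure.
# Assumes: run elevated where ntdsutil.exe is present, with rights to query the target DC.
function Test-Cve202222012Exposure {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [string]$KB = 'KB5014011'          # Windows Server 2012 R2 update from this entry
    )
    $DefaultMaxReceiveBuffer = 10485760    # default stated in this entry (10 MB)

    # Ask ntdsutil for the effective LDAP policies on the target DC and capture the text.
    $raw = & ntdsutil.exe 'ldap policies' 'connections' "connect to server $Server" 'q' 'show values' 'q' 'q' 2>&1 |
        Out-String

    # ntdsutil prints one "Name   Value" row per policy; pull the MaxReceiveBuffer row.
    $mrb = $null
    if ($raw -match '(?m)^\s*MaxReceiveBuffer\s+(\d+)') { $mrb = [int64]$Matches[1] }

    # Patch state on the target. Not found and not reachable both yield $false, which is the
    # conservative direction: the DC is reported as exposed until confirmed otherwise.
    $patched = [bool](Get-HotFix -Id $KB -ComputerName $Server -ErrorAction SilentlyContinue)

    # Exposed only when the policy is above default AND the fix is missing.
    # A missing policy reading is reported as Unknown rather than treated as safe.
    $status = if ($null -eq $mrb) {
        'Unknown'
    } elseif ($mrb -gt $DefaultMaxReceiveBuffer -and -not $patched) {
        'Exposed'
    } elseif ($mrb -gt $DefaultMaxReceiveBuffer) {
        'NonDefaultButPatched'
    } else {
        'NotExposed'
    }

    [pscustomobject]@{
        Server           = $Server
        MaxReceiveBuffer = $mrb
        Default          = $DefaultMaxReceiveBuffer
        KBInstalled      = $patched
        Status           = $status
    }
}

# Usage: a single DC, or every DC in the domain (second line needs the ActiveDirectory module)
Test-Cve202222012Exposure -Server 'DC01'
# (Get-ADDomainController -Filter *).HostName | ForEach-Object { Test-Cve202222012Exposure -Server $_ }
```

A DC reporting NonDefaultButPatched is fixed for this CVE but still carries the non-default policy, so it is worth recording which application the raised buffer was set for.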

Rollback

wusa.exe /uninstall /kb:5014011 /quiet /norestart

Notes

1. This entry covers Windows Server 2012 R2 specifically (KB5014011). Other Windows Server versions have their own KB for CVE-2022-22012.
2. Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-22012.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.