Emerging Threat: Windows LDAP CVE-2024-49113

What is CVE-2024-49113? 

CVE-2024-49113, also known as LDAPNightmare, is a high severity (CVSS score of 7.5) unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This vulnerability allows attackers to crash any unpatched Windows server with an internet-accessible DNS server by overwhelming a critical internal component of the operating system.  

Both CVE-2024-49113 and its relative, the critical RCE vulnerability CVE-2024-49112, were publicized in December 2024. Although both were serious vulnerabilities, they initially were not accompanied by a public PoC or any evidence of exploitation in the wild. That changed when researchers at SafeBreach released a public PoC on January 1st, 2025. 

What assets are affected by CVE-2024-49113? 

The following assets are affected by CVE-2024-49113: 

• Windows 10 Version 1809, Windows Server 2019, Windows Server 2019 (Server Core installation): from 10.0.17763.0 before 10.0.17763.6659
• Windows Server 2022: from 10.0.20348.0 before 10.0.20348.2966
• Windows 10 Version 21H2: from 10.0.19043.0 before 10.0.19044.5247
• Windows 11 version 22H2: from 10.0.22621.0 before 10.0.22621.4602
• Windows 10 Version 22H2: from 10.0.19045.0 before 10.0.19045.5247
• Windows 11 Version 24H2, Windows Server 2025, Windows Server 2025 (Server Core installation): from 10.0.26100.0 before 10.0.26100.2605
• Windows 11 Version 23H2, Windows 11 version 22H3: from 10.0.22631.0 before 10.0.22631.4602
• Windows Server 2022, 23H2 Edition (Server Core installation): from 10.0.25398.0 before 10.0.25398.1308
• Windows 10 Version 1507: from 10.0.10240.0 before 10.0.10240.20857
• Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation): from 10.0.14393.0 before 10.0.14393.7606
• Windows Server 2008 Service Pack 2, Windows Server 2008 Service Pack 2 (Server Core installation): from 6.0.6003.0 before 6.0.6003.23016
• Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation): from 6.1.7601.0 before 6.1.7601.27467
• Windows Server 2012, Windows Server 2012 (Server Core installation): from 6.2.9200.0 before 6.2.9200.25222
• Windows Server 2012 R2, Windows Server 2012 R2 (Server Core installation): from 6.3.9600.0 before 6.3.9600.22318

Are fixes available? 

Microsoft recommends implementing a patch to all affected devices. This patch’s efficacy has been verified by independent testing. 

Are there any other recommended actions to take? 

Because patching devices like Windows servers is delicate and time-consuming, to mitigate risk while preparing and deploying patches, security teams can implement detections to monitor suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries.

Is CVE-2024-49113 being actively exploited? 

As of January 6th, 2025, there are no reports of attackers actively exploiting this vulnerability, although that is expected to change now that there is a public PoC.      

How is CyCognito helping customers identify assets vulnerable to CVE-2024-49113? 

CyCognito is investigating methods to actively detect this vulnerability.  In the meantime, customers can check for potentially vulnerable assets using custom filters provided by CyCognito.  

Figure 1: The alert sent by CyCognito for CVE-2024-49113

How can CyCognito help your organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.