{"id":1366,"date":"2025-01-08T08:45:00","date_gmt":"2025-01-08T16:45:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=1366"},"modified":"2025-01-08T08:37:56","modified_gmt":"2025-01-08T16:37:56","slug":"emerging-threat-windows-ldap-cve-2024-49113","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/","title":{"rendered":"Emerging Threat: Windows LDAP CVE-2024-49113"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is CVE-2024-49113?<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-49113\">CVE-2024-49113<\/a>, also known as LDAPNightmare, is a high severity (CVSS score of 7.5) unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This vulnerability allows attackers to crash any unpatched Windows server with an internet-accessible DNS server by overwhelming a critical internal component of the operating system.<\/p>\n\n\n\n<p>Both CVE-2024-49113 and its relative, the critical RCE vulnerability CVE-2024-49112, were publicized in December 2024. Although both were serious vulnerabilities, they initially were not accompanied by a public PoC or any evidence of exploitation in the wild.
That changed when researchers at <a href=\"https:\/\/www.safebreach.com\/blog\/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113\/\">SafeBreach<\/a> released a public PoC on January 1st, 2025.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What assets are affected by CVE-2024-49113?<\/h2>\n\n\n\n<p>The following assets are affected by CVE-2024-49113:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows 10 Version 1809, Windows Server 2019, Windows Server 2019 (Server Core installation): from 10.0.17763.0 before 10.0.17763.6659<\/li>\n\n\n\n<li>Windows Server 2022: from 10.0.20348.0 before 10.0.20348.2966<\/li>\n\n\n\n<li>Windows 10 Version 21H2: from 10.0.19043.0 before 10.0.19044.5247<\/li>\n\n\n\n<li>Windows 11 version 22H2: from 10.0.22621.0 before 10.0.22621.4602<\/li>\n\n\n\n<li>Windows 10 Version 22H2: from 10.0.19045.0 before 10.0.19045.5247<\/li>\n\n\n\n<li>Windows 11 Version 24H2, Windows Server 2025, Windows Server 2025 (Server Core installation): from 10.0.26100.0 before 10.0.26100.2605<\/li>\n\n\n\n<li>Windows 11 Version 23H2, Windows 11 version 22H3: from 10.0.22631.0 before 10.0.22631.4602<\/li>\n\n\n\n<li>Windows Server 2022, 23H2 Edition (Server Core installation): from 10.0.25398.0 before 10.0.25398.1308<\/li>\n\n\n\n<li>Windows 10 Version 1507: from 10.0.10240.0 before 10.0.10240.20857<\/li>\n\n\n\n<li>Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation): from 10.0.14393.0 before 10.0.14393.7606<\/li>\n\n\n\n<li>Windows Server 2008 Service Pack 2, Windows Server 2008 Service Pack 2 (Server Core installation): from 6.0.6003.0 before 6.0.6003.23016<\/li>\n\n\n\n<li>Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation): from 6.1.7601.0 before 6.1.7601.27467<\/li>\n\n\n\n<li>Windows Server 2012, Windows Server 2012 (Server Core installation): from 6.2.9200.0 before 6.2.9200.25222<\/li>\n\n\n\n<li>Windows
Server 2012 R2, Windows Server 2012 R2 (Server Core installation): from 6.3.9600.0 before 6.3.9600.22318<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Are fixes available?<\/h2>\n\n\n\n<p>Microsoft <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49113\">recommends<\/a> applying the patch to all affected devices. The patch\u2019s efficacy has been verified by independent testing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Are there any other recommended actions to take?<\/h2>\n\n\n\n<p>Patching devices like Windows servers is delicate and time-consuming. To mitigate risk while preparing and deploying patches, security teams can implement detections that monitor for suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Is CVE-2024-49113 being actively exploited?<\/h2>\n\n\n\n<p>As of January 6th, 2025, there are no reports of attackers actively exploiting this vulnerability, although that is expected to change now that there is a public PoC.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How is CyCognito helping customers identify assets vulnerable to CVE-2024-49113?<\/h2>\n\n\n\n<p>CyCognito is investigating methods to actively detect this vulnerability. In the meantime, customers can check for potentially vulnerable assets using custom filters provided by CyCognito.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"752\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM-1280x752.webp\" alt=\"\" class=\"wp-image-1368\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM-1280x752.webp 1280w, 
https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM-512x301.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM-768x451.webp 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM-1536x903.webp 1536w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Screenshot-2025-01-08-at-10.25.25\u202fAM.webp 1940w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n\n\n\n<p class=\"caption\">Figure 1: The alert sent by CyCognito for CVE-2024-49113<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How can CyCognito help your organization?<\/h2>\n\n\n\n<p>CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive <a href=\"https:\/\/app.getreprise.com\/launch\/V6Waa5X\">dashboard product tour<\/a>. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our <a href=\"https:\/\/www.cycognito.com\/contact\/\">Contact Us page<\/a> to schedule a demo.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2024-49113 is a high severity unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This vulnerability allows attackers to crash any unpatched Windows server with an internet-accessible DNS server by overwhelming a critical internal component of the operating system.
Patching is recommended and vulnerable devices should be monitored for potential exploitation attempts. <\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[58,217,190,57,218],"class_list":["post-1366","post","type-post","status-publish","format-standard","hentry","category-research","tag-cve","tag-ldap","tag-unauthenticated-access","tag-vulnerability","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Emerging Threat: Windows LDAP CVE-2024-49113 | CyCognito Blog<\/title>\n<meta name=\"description\" content=\"CVE-2024-49113 is a high severity unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emerging Threat: Windows LDAP CVE-2024-49113\" \/>\n<meta property=\"og:description\" content=\"CVE-2024-49113 is a high severity unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-08T16:45:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2025-01-08-2400x1256-email.png\" \/>\n\t<meta property=\"og:image:width\" 
content=\"2400\" \/>\n\t<meta property=\"og:image:height\" content=\"1256\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Emma Zaballos\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Emma Zaballos\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\"},\"author\":{\"name\":\"Emma Zaballos\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/42c314196e7f096a74bd885693643d58\"},\"headline\":\"Emerging Threat: Windows LDAP CVE-2024-49113\",\"datePublished\":\"2025-01-08T16:45:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\"},\"wordCount\":529,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"keywords\":[\"CVE\",\"LDAP\",\"Unauthenticated Access\",\"Vulnerability\",\"Windows\"],\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\",\"name\":\"Emerging Threat: Windows LDAP CVE-2024-49113 | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"datePublished\":\"2025-01-08T16:45:00+00:00\",\"description\":\"CVE-2024-49113 is a high severity unauthenticated Denial of Service (DoS) vulnerability in Windows Lightweight 
Directory Access Protocol (LDAP).\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/emerging-threat-windows-ldap-cve-2024-49113\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Emerging Threat: Windows LDAP CVE-2024-49113\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/perso
n\/42c314196e7f096a74bd885693643d58\",\"name\":\"Emma Zaballos\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g\",\"caption\":\"Emma Zaballos\"},\"description\":\"Product Marketing Manager\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/emma-zaballos\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}