CVE-2024-49112 Detection: Zero-Click PoC Exploit for a Critical LDAP RCE Vulnerability Can Crush Unpatched Windows Servers

In 2024, vulnerability exploitation accounted for 14% of breach entry points, nearly three times its share the previous year, and the trend could persist into 2025. At the start of January 2025, researchers released the first PoC exploit that can crash unpatched Windows Servers by leveraging a critical RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49112.

Detect CVE-2024-49112 Exploitation Attempts

Proactive vulnerability detection is expected to remain one of the top cybersecurity priorities in 2025. Security practitioners are increasingly seeking reliable sources of relevant detection content to identify potential threats in real time. The SOC Prime Platform addresses this need by providing the industry’s first CTI-enriched detection rule feed for both emerging and existing threats. Backed by a comprehensive product suite, the platform supports advanced threat detection, AI-powered detection engineering, and automated threat hunting.

Rely on the SOC Prime Platform to identify CVE-2024-49112 exploitation attempts. Hit the Explore Detections button below to drill down immediately into a curated set of Sigma rules mapped to MITRE ATT&CK and compatible with 30+ SIEM, EDR, and Data Lake solutions. All the rules are enriched with extensive threat intel, including attack timelines, triage recommendations, and other relevant metadata.

Explore Detections

CVE-2024-49112 Analysis

In December 2024, Microsoft disclosed an RCE vulnerability affecting domain controllers, identified as CVE-2024-49112. The flaw received a CVSS score of 9.8 out of 10. Despite its critical nature, however, no public exploit or detailed explanation of the vulnerability was shared at the time. At the turn of 2025, SafeBreach Labs researchers published the first zero-click PoC exploit for this critical RCE vulnerability in Windows LDAP. The exploit can crash unpatched Windows Servers, not only domain controllers, and requires only that the victim's DNS server has Internet access, with no additional prerequisites.

The infection chain starts with sending a DCE/RPC request to the victim server, which in turn initiates a DNS SRV query for SafeBreachLabs.pro. The attacker's DNS server replies with its own hostname and LDAP port. The targeted server then broadcasts an NBNS request to resolve the attacker's hostname to an IP address, and the adversary answers that NBNS request with their IP address. As a result, the impacted server, now acting as an LDAP client, sends a CLDAP request to the attacker's machine. Finally, the adversary responds with a crafted CLDAP referral packet, causing LSASS on the targeted server to crash, which brings down the system and forces a reboot.

In December 2024, Microsoft published context for CVE-2024-49112, noting that unauthenticated attackers weaponizing this security issue could execute arbitrary code within the LDAP service. For domain controllers, exploitation requires sending crafted RPC calls to trigger a lookup of the attacker's domain. For LDAP client applications, the attacker must trick the victim into performing a domain controller lookup or connecting to a malicious LDAP server. Researchers added that unauthenticated RPC calls would not succeed in either case.

Based on Microsoft's security update, the SafeBreach Labs team also concluded that CVE-2024-49112 exploitation does not require authentication, since the vulnerability is an integer overflow in an executable or DLL handling LDAP client logic. By issuing certain RPC calls, threat actors can make a domain controller query a malicious LDAP server. The researchers also observed that Microsoft's patch for the vulnerability appears to reside in wldap32.dll.

Even though SafeBreach Labs primarily tested on Windows Server 2022 (DC) and Windows Server 2019 (non-DC), they believe the exploit method and PoC are applicable to all Windows Server versions. As CVE-2024-49112 mitigation, organizations are urged to apply the Microsoft patch, which prevents exploitation and server crashes. Until the patch is deployed, defenders also recommend monitoring for suspicious CLDAP referral responses, DsrGetDcNameEx2 calls, and DNS SRV queries. The SOC Prime Platform for collective cyber defense enables security teams to keep pace with cyber threats of any scale and sophistication, including CVEs in the popular software products most organizations rely on, while helping them risk-optimize their security posture.
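The exploitation chain described above (DNS SRV lookup for an attacker-controlled domain, followed by an outbound CLDAP request from the server's LDAP client) and the interim monitoring advice can be turned into a simple host-telemetry correlation. The following is an added example written for this page; it is not SOC Prime's or SafeBreach's code and is not one of the Sigma rules mentioned above. It assumes Sysmon-style events (EID 22 DNS query and EID 3 network connection) exported as JSON lines with the field names shown, a constructed trusted AD domain (`corp.example`), constructed trusted domain controller addresses, and the constructed attacker domain `attacker-controlled.example`; the sample log lines are constructed as well.

```python
"""Correlate the CVE-2024-49112 exploitation chain across host telemetry.

Added example, not SOC Prime or SafeBreach code. It consumes constructed
Sysmon-style JSON events (EID 22 DNS query, EID 3 network connection) and
flags a host that issues an LDAP SRV lookup for an untrusted domain and
then opens an outbound CLDAP (UDP/389) connection from lsass.exe to an
address that is not a known domain controller.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed environment facts: the trusted AD domain and DC addresses.
# In a real deployment derive these from Active Directory, not by hand.
TRUSTED_DOMAINS = {"corp.example"}
TRUSTED_DC_IPS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
WINDOW = timedelta(seconds=30)  # how long after the SRV lookup a CLDAP hit still counts

# Constructed telemetry, one JSON object per line (Sysmon-like field names).
SAMPLE_LOG = """\
{"ts":"2025-01-03T10:00:00","host":"srv01","eid":22,"image":"lsass.exe","query":"_ldap._tcp.dc._msdcs.corp.example"}
{"ts":"2025-01-03T10:00:01","host":"srv01","eid":3,"image":"lsass.exe","proto":"udp","dst_ip":"10.0.0.10","dst_port":389}
{"ts":"2025-01-03T10:05:00","host":"srv02","eid":22,"image":"lsass.exe","query":"_ldap._tcp.dc._msdcs.attacker-controlled.example"}
{"ts":"2025-01-03T10:05:02","host":"srv02","eid":3,"image":"lsass.exe","proto":"udp","dst_ip":"203.0.113.7","dst_port":389}
{"ts":"2025-01-03T10:07:00","host":"srv03","eid":22,"image":"lsass.exe","query":"_ldap._tcp.dc._msdcs.attacker-controlled.example"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def srv_domain(query):
    """Return the domain named by an LDAP SRV lookup such as
    _ldap._tcp.dc._msdcs.<domain>, or None if the query is not one."""
    labels = query.lower().split(".")
    if labels[:2] != ["_ldap", "_tcp"]:
        return None
    rest = labels[2:]
    if rest[:2] == ["dc", "_msdcs"]:  # the DC-locator form of the record
        rest = rest[2:]
    return ".".join(rest) or None


def is_trusted_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_external_cldap(ev):
    """CLDAP (UDP/389) from the LSASS process to a non-DC address."""
    return (ev.get("eid") == 3 and ev.get("proto") == "udp"
            and ev.get("dst_port") == 389
            and ev.get("image", "").lower().endswith("lsass.exe")
            and ipaddress.ip_address(ev["dst_ip"]) not in TRUSTED_DC_IPS)


def find_suspicious_chains(events):
    """Return one alert per untrusted LDAP SRV lookup; severity is 'high'
    when a matching external CLDAP connection follows within WINDOW."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev.get("eid") != 22:
                continue
            domain = srv_domain(ev.get("query", ""))
            if domain is None or is_trusted_domain(domain):
                continue
            matched = None
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > WINDOW:
                    break
                if is_external_cldap(later):
                    matched = later
                    break
            alerts.append({
                "host": host,
                "domain": domain,
                "severity": "high" if matched else "medium",
                "cldap_dst": matched["dst_ip"] if matched else None,
                "first_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data, srv01 is ignored because its SRV lookup names the trusted domain, srv02 produces a high-severity alert (untrusted SRV lookup followed by CLDAP to an external address), and srv03 produces a medium-severity alert for the SRV lookup alone. Two caveats: the crafted CLDAP referral response itself is only visible to a network sensor or packet capture, not to process telemetry, so this correlation covers the DNS and connection stages of the chain rather than the payload; and the DC allowlist must be kept current, because a stale list will flag legitimate new domain controllers.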

The post CVE-2024-49112 Detection: Zero-Click PoC Exploit for a Critical LDAP RCE Vulnerability Can Crush Unpatched Windows Servers appeared first on SOC Prime.