Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2024-49112

Disclosure Date: December 12, 2024
Privilege Escalation
Techniques
Validation: Validated

Description

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Ratings
Technical Analysis

CVE-2024-49112 is a critical vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service. It is classified as a remote code execution (RCE) flaw with a CVSS score of 9.8, making it a significant threat. Exploitation could allow attackers to execute arbitrary code on vulnerable systems, potentially leading to full system compromise.

This vulnerability is caused by an integer overflow within the LDAP service. Attackers can exploit the flaw by sending specially crafted Remote Procedure Call (RPC) requests to the target server. Successful exploitation enables arbitrary code execution in the context of the LDAP service, which often runs with elevated privileges. The flaw can be exploited remotely without authentication, making it particularly dangerous for internet-facing systems.

Looking at the image that was posted on X by @MacmodSec (https://x.com/MacmodSec/status/1867450280956018819/photo/1), it looks like the vulnerability in the unpatched wldap32.dll stems from insufficient validation of the referral index (v26), potentially leading to out-of-bounds reads or writes during referral handling. The patched version mitigates this by introducing a boundary check (EvaluateCurrentState), ensuring that the referral index (v164) falls within a valid range before further processing. Additionally, the patched code improves error logging by providing specific details when a referral index exceeds the allowable range. These changes enhance the safety of the code by preventing unsafe memory access and improving diagnostics for better traceability.
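As an added illustration of the fix pattern the assessment above describes (an index taken from the wire is range-checked against the referral table before any memory access, and an out-of-range value is logged with specifics), the following C is example code written for this page, not wldap32's own. The referral table layout, the sample entries and the function names are assumptions.

```c
/* Added example: a hypothetical referral table, not wldap32 internals. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REFERRALS 4

typedef struct { char host[32]; uint16_t port; } referral_t;

typedef struct {
    referral_t entries[MAX_REFERRALS];
    uint32_t count;   /* populated entries; always <= MAX_REFERRALS */
} referral_table_t;

/* Constructed sample table: two populated referrals, two unused slots. */
const referral_table_t *sample_referral_table(void)
{
    static referral_table_t t;
    memset(&t, 0, sizeof t);
    strcpy(t.entries[0].host, "dc1.example.test"); t.entries[0].port = 389;
    strcpy(t.entries[1].host, "dc2.example.test"); t.entries[1].port = 636;
    t.count = 2;
    return &t;
}

/* Bounds check performed before any array access. Comparing as 64-bit
 * values means a negative or huge 32-bit index cannot wrap past a check
 * such as "idx + 1 > count". Returns 1 for a populated entry, else 0. */
int referral_index_valid(const referral_table_t *t, int32_t idx)
{
    return (int64_t)idx >= 0 && (int64_t)idx < (int64_t)t->count;
}

/* Returns the referral at idx, or NULL with a specific diagnostic; table
 * memory is only dereferenced after the index has passed the check. */
const referral_t *lookup_referral(const referral_table_t *t, int32_t idx)
{
    if (!referral_index_valid(t, idx)) {
        fprintf(stderr, "referral index %d outside valid range [0, %u)\n",
                idx, (unsigned)t->count);
        return NULL;
    }
    return &t->entries[idx];
}

int main(void)
{
    const referral_t *r = lookup_referral(sample_referral_table(), 1);
    if (r) printf("referral 1 -> %s:%u\n", r->host, (unsigned)r->port);
    return lookup_referral(sample_referral_table(), INT32_MAX) == NULL ? 0 : 1;
}
```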

CVSS V3 Severity and Metrics
Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown

General Information

Vendors

  • microsoft

Products

  • windows 10 1507
  • windows 10 1607
  • windows 10 1809
  • windows 10 21h2
  • windows 10 22h2
  • windows 11 22h2
  • windows 11 24h2
  • windows server 2008
  • windows server 2008 r2
  • windows server 2012
  • windows server 2012 r2
  • windows server 2016
  • windows server 2019
  • windows server 2022
  • windows server 2022 23h2
  • windows server 2025

