Background

On December 11th, as part of its monthly patch release cycle, Microsoft disclosed details of a critical Remote Code Execution (RCE) vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP) service. LDAP is a widely used, cross-platform protocol for directory services and authentication. The vulnerability is tracked as CVE-2024-49112 and has a CVSS score of 9.8.

An unauthenticated attacker who successfully exploits this vulnerability could execute arbitrary code in the context of the LDAP service by sending a specially crafted set of LDAP requests. CVE-2024-49112 can also be chained with two other vulnerabilities Microsoft disclosed on December 11th, CVE-2024-49124 and CVE-2024-49127, which amplifies the risk. If successfully chained, an attacker could execute arbitrary code on Domain Controllers in the context of the LDAP service with SYSTEM privileges, potentially compromising critical network infrastructure.

Threat Intelligence assessment

The vulnerability presents a high risk to organisations due to its ease of exploitation and the potential for arbitrary code execution. The risk is somewhat mitigated by limited external exposure of the vulnerable components.

We have yet to confirm any publicly available Proof-of-Concept (PoC) code or in-the-wild exploitation. While the absence of known exploits at present lowers the immediate risk, the low attack complexity and high potential impact make this vulnerability a significant concern moving forward.

Due to the reported ease of exploitation, mnemonic assess that active exploitation must be expected within a short to medium timeframe. Given the critical role of Domain Controllers and the LDAP service in many enterprise environments, adversaries are likely to prioritise exploiting this vulnerability, especially if it can be chained with other vulnerabilities such as CVE-2024-49124 and CVE-2024-49127.

Code execution resulting from the exploitation of CVE-2024-49112 occurs within the context of the LDAP service, which is elevated, but does not have full SYSTEM privileges. While this provides a level of restriction, the potential for chaining this vulnerability with other flaws such as CVE-2024-49124 and CVE-2024-49127 significantly increases the risk. If these vulnerabilities are exploited together, an attacker could escalate their privileges further, potentially gaining SYSTEM-level access.

Affected systems

  • Windows 10 Version 1507
  • Windows 10 Version 1607
  • Windows 10 Version 1809
  • Windows 10 Version 21H2
  • Windows 10 Version 22H2
  • Windows 11 Version 22H2
  • Windows 11 Version 22H3
  • Windows 11 Version 23H2
  • Windows 11 Version 24H2
  • Windows Server 2008 Service Pack 2 (incl. Server Core installation)
  • Windows Server 2008 R2 Service Pack 1 (incl. Server Core installation)
  • Windows Server 2012 (incl. Server Core installation)
  • Windows Server 2012 R2 (incl. Server Core installation)
  • Windows Server 2016 (incl. Server Core installation)
  • Windows Server 2019 (incl. Server Core installation)
  • Windows Server 2022 (incl. Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2025 (incl. Server Core installation)

Recommendations

Organisations should immediately apply the patches released as part of Microsoft’s monthly patch cycle to mitigate this risk. Given the critical nature of Domain Controllers and the potential for lateral movement within an organisation's network, it is essential to address this vulnerability as soon as possible.

Microsoft-recommended workarounds:

  • Ensure that domain controllers are configured to not access the Internet (note: this is likely not feasible for most organisations)
  • Ensure that domain controllers are configured to not allow inbound RPC from untrusted networks
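One way to implement the second workaround on a Domain Controller, as an added example that is not part of the advisory or Microsoft's guidance: scope the built-in inbound RPC allow rules in Windows Firewall to trusted networks and verify none remain open to Any. The subnets in $TrustedNetworks are constructed sample values; the function name Get-UnscopedRpcRule is the example's own.

```powershell
# Added example (not from the advisory): restrict inbound RPC on a DC to trusted
# networks using the NetSecurity module. Run elevated on the DC.
# $TrustedNetworks holds constructed sample subnets; replace them with your own
# client, management and, critically, other-DC ranges so replication keeps working.
$TrustedNetworks = @('10.10.0.0/16', '192.168.50.0/24')

# 1. Default inbound action Block on every profile, so traffic not matched by an
#    explicitly scoped allow rule is dropped.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Find enabled inbound allow rules that open RPC (endpoint mapper on TCP 135
#    and the dynamic RPC ports) and restrict their remote address scope.
$rpcRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -match 'RPC' }

foreach ($rule in $rpcRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedNetworks
}

# 3. Read the address filters back and list any inbound RPC allow rule that is
#    still reachable from Any, i.e. the exposure the workaround is meant to remove.
function Get-UnscopedRpcRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -match 'RPC' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') { $_.DisplayName }
        }
}

$unscoped = Get-UnscopedRpcRule
if ($unscoped) {
    Write-Warning "Inbound RPC rules still open to Any: $($unscoped -join ', ')"
} else {
    Write-Output "All inbound RPC allow rules are scoped to: $($TrustedNetworks -join ', ')"
}
```

Matching on the display name catches the built-in RPC rules only; custom rules and services such as WMI that reach the dynamic RPC range without "RPC" in their name need to be reviewed separately.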