“Wormable” Vulnerability in Windows LDAP Allows Attackers to Execute Code Remotely

Recently, cybersecurity specialists have discovered a critical vulnerability in the implementation of the Lightweight Directory Access Protocol (LDAP) in Windows operating systems. This vulnerability, designated as CVE-2025-21376, enables attackers to execute arbitrary code remotely. The most dangerous aspect of this vulnerability is its “wormable” nature, meaning it can automatically propagate across networks without user interaction.

This vulnerability was officially disclosed by Microsoft on February 11, 2025, and is classified as Remote Code Execution (RCE). This means that an attacker can exploit it without requiring any user interaction or elevated privileges.

The vulnerability stems from multiple security weaknesses, including:

✅ CWE-362 – Race Condition: Errors in process synchronization may lead to system instability and security flaws.

✅ CWE-191 – Integer Underflow: Incorrect handling of numerical values may allow attackers to trigger unintended behaviors.

✅ CWE-122 – Heap-Based Buffer Overflow: Memory buffer overflow may result in arbitrary code execution.

An attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable LDAP server. If the attack is successful, a buffer overflow occurs, potentially allowing remote code execution.

According to the Common Vulnerability Scoring System (CVSS), this vulnerability has received a base score of 8.1 (critical) and a temporal score of 7.1.

Microsoft specialists have assessed that this attack has the following characteristics:

📌 Attack Vector – Network (AV:N – Attack Vector: Network).
📌 Attack Complexity – High (AC:H – Attack Complexity: High).
📌 No Privileges Required (PR:N – Privileges Required: None).
📌 No User Interaction Needed (UI:N – User Interaction: None).
📌 Significant Impact on System Security:
➡️ Confidentiality is compromised (Confidentiality: High).
➡️ System integrity is at risk (Integrity: High).
➡️ System availability is severely affected (Availability: High).

At present, there is no publicly available exploit for this vulnerability. However, experts indicate that the likelihood of exploitation is high due to its wormable nature, allowing it to spread automatically within networks without human intervention.

If exploited, this vulnerability could spread rapidly within an organization’s infrastructure, potentially causing severe disruption and security breaches. Therefore, immediate action is necessary to mitigate the risk.

Microsoft has addressed this vulnerability in the February 2025 Patch Tuesday security updates. The following Windows versions are affected:

🔹 Windows Server 2019
🔹 Windows 10 Version 1809

To protect against this threat, users are advised to take the following actions:

✅ Immediately install the latest security updates. Microsoft has already released patches to fix this vulnerability.

✅ Monitor and audit LDAP servers. Regularly analyze system logs and network traffic to detect suspicious activities.

✅ Restrict or disable unnecessary network services. If LDAP is used only within internal networks, restrict access from external sources.

✅ Follow the principle of least privilege. Grant users and services only the permissions necessary for their functions.

The CVE-2025-21376 vulnerability in Windows LDAP poses a serious security risk. It could allow attackers to remotely execute arbitrary code, take control of systems, and spread automatically across networks.

Therefore, all organizations and users must apply Microsoft’s security patches without delay. Cybercriminals actively exploit such vulnerabilities, making regular system updates and enhanced security measures crucial.

🔹 Cybersecurity requires vigilance and rapid response. Do not leave your systems vulnerable!