DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-21376: Remote Code Execution in Windows LDAP Implementation via Race Condition Weakness Chain

Vulnerability ID: CVE-2025-21376
CVSS Score: 8.1
Published: 2025-02-11

CVE-2025-21376 is a high-severity unauthenticated remote code execution (RCE) vulnerability in the Microsoft Windows Lightweight Directory Access Protocol (LDAP) service. The vulnerability relies on a complex weakness chain consisting of a race condition (CWE-362), which triggers an integer underflow (CWE-191), ultimately resulting in a heap-based buffer overflow (CWE-122).

TL;DR

Unauthenticated RCE in Windows LDAP requiring a Machine-in-the-Middle (MITM) position. A race condition triggers an integer underflow, leading to a heap buffer overflow. Patched in February 2025 updates.


Technical Details

  • CWE ID: CWE-362, CWE-191, CWE-122
  • Attack Vector: Network (MITM Required)
  • CVSS v3.1 Score: 8.1 (High)
  • EPSS Score: 0.01445 (1.44%)
  • Impact: Remote Code Execution
  • Exploit Status: None (No PoC)
  • CISA KEV: No

Affected Systems

  • Windows 10 (Versions 1507, 1607, 1809, 21H2, 22H2)
  • Windows 11 (Versions 22H2, 23H2, 24H2)
  • Windows Server 2008 (SP2, R2 SP1)
  • Windows Server 2012 (Gold, R2)
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022 (Gold, 23H2)
  • Windows Server 2025
  • Windows 10: < 10.0.10240.20915 (1507 base) (Fixed in: 10.0.10240.20915)
  • Windows 11: < 10.0.26100.3194 (24H2 base) (Fixed in: 10.0.26100.3194)
  • Windows Server 2025: < 10.0.26100.3194 (Fixed in: 10.0.26100.3194)

Mitigation Strategies

  • Apply February 2025 Cumulative Updates to all affected Windows hosts.
  • Enforce LDAP Signing and LDAP over SSL/TLS (LDAPS) to prevent MITM attacks.
  • Implement network segmentation to restrict LDAP access (port 389/636) to authorized infrastructure.
  • Deploy IPS/IDS signatures (e.g., Fortinet ID 57249) to detect exploitation attempts.

Remediation Steps

  1. Identify all Windows Server and Client instances within the environment.
  2. Verify the current OS build numbers against the February 2025 update catalog.
  3. Deploy the relevant LCU (Latest Cumulative Update) via WSUS, SCCM, or Windows Update.
  4. Verify successful installation by checking the updated build number (e.g., 10.0.26100.3194 for Server 2025).
  5. Audit Active Directory configuration to ensure 'LDAP server signing requirements' policy is set to 'Require signing'.
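As an added example (not part of the original report), a PowerShell check covering steps 2, 4 and 5: it reads the local build and UBR from the registry, compares them with the fixed builds listed under Affected Systems, and on a domain controller reads the LDAPServerIntegrity value that backs the 'LDAP server signing requirements' policy. Fixed builds for the Server 2016/2019/2022 families are not given on this page, so those hosts are reported as 'Unknown' rather than guessed.

```powershell
# Added example, not from the cvereports.com post. Run in an elevated
# PowerShell session on the host being audited.

# Fixed builds taken from the Affected Systems section above. Key = major
# build number (CurrentBuildNumber), value = the patched UBR for that build.
$FixedBuilds = @{
    '10240' = 20915   # Windows 10 1507 -> 10.0.10240.20915
    '26100' = 3194    # Windows 11 24H2 / Windows Server 2025 -> 10.0.26100.3194
}

function Get-WindowsBuild {
    # CurrentBuildNumber and UBR together form the last two fields of the build string.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [string]$cv.CurrentBuildNumber
        UBR   = [int]$cv.UBR
    }
}

function Test-Cve202521376Patched {
    param([string]$Build, [int]$UBR)
    if (-not $FixedBuilds.ContainsKey($Build)) {
        # Build family not listed on this page; compare against the February 2025 catalog manually.
        return 'Unknown'
    }
    if ($UBR -ge $FixedBuilds[$Build]) { 'Patched' } else { 'Vulnerable' }
}

function Get-LdapSigningRequirement {
    # LDAPServerIntegrity backs 'Domain controller: LDAP server signing requirements':
    # 1 (or absent) = None, 2 = Require signing. The NTDS key exists only on domain controllers.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $ntds) { return 'Not a domain controller' }
    switch ([int]$ntds.LDAPServerIntegrity) {
        2       { 'Require signing' }
        default { 'None (signing not required)' }
    }
}

$b = Get-WindowsBuild
[pscustomobject]@{
    Build       = "10.0.$($b.Build).$($b.UBR)"
    PatchStatus = Test-Cve202521376Patched -Build $b.Build -UBR $b.UBR
    LdapSigning = Get-LdapSigningRequirement
} | Format-List
```

A host reporting 'Vulnerable' or 'None (signing not required)' fails steps 4 or 5 respectively; the signing check is only meaningful on domain controllers.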
