CVE-2025-26673 Overview
CVE-2025-26673 is a denial of service vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP) implementation. This vulnerability allows an unauthorized attacker to cause service disruption over the network through uncontrolled resource consumption. The flaw enables remote attackers without authentication to exhaust system resources on affected Windows systems, potentially disrupting critical Active Directory services and domain controller operations.
Critical Impact
Unauthenticated attackers can remotely disrupt LDAP services across Windows domain controllers and Active Directory infrastructure, potentially causing enterprise-wide authentication and directory service outages.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- April 8, 2025 - CVE-2025-26673 published to NVD
- July 9, 2025 - Last updated in NVD database
Technical Details for CVE-2025-26673
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), commonly known as a resource exhaustion vulnerability. The flaw resides within the Windows LDAP service, which is fundamental to Active Directory operations including authentication, authorization, and directory lookups.
The vulnerability allows remote attackers to craft malicious LDAP requests that cause the target system to consume excessive resources without proper bounds checking or throttling. Because the attack can be executed without authentication, any network-accessible LDAP service becomes a potential target. Domain controllers are particularly at risk given their central role in enterprise environments.
Root Cause
The root cause lies in improper resource management within the Windows LDAP implementation. The LDAP service fails to adequately limit or control the consumption of system resources when processing certain requests. This allows attackers to trigger conditions where memory, CPU cycles, or other system resources are consumed without appropriate constraints, eventually degrading or crashing the service.
Attack Vector
The attack is executed over the network and requires no authentication or user interaction. An attacker can send specially crafted LDAP requests to TCP port 389 (LDAP) or TCP port 636 (LDAPS) on vulnerable Windows systems. The attack does not require special privileges or prior access to the target environment.
The attack flow typically involves:
- Identifying a network-accessible Windows system running LDAP services
- Sending crafted LDAP requests designed to trigger excessive resource consumption
- Repeating requests to amplify the denial of service effect
- The target system becomes unresponsive or the LDAP service crashes
Due to the nature of this vulnerability, no code examples are provided. For detailed technical information, refer to the Microsoft Security Advisory.
Detection Methods for CVE-2025-26673
Indicators of Compromise
- Unusual spikes in LDAP traffic volume or connection attempts from single or multiple sources
- Abnormally high memory or CPU usage on domain controllers correlated with LDAP service activity
- LDAP service crashes or restarts recorded in Windows Event Logs
- Authentication failures across the domain due to unresponsive directory services
Detection Strategies
- Monitor Windows Event Logs for LDAP-related errors, service terminations, and resource exhaustion warnings
- Implement network intrusion detection rules to identify anomalous LDAP traffic patterns
- Deploy SentinelOne agents to detect behavioral anomalies associated with denial of service attacks
- Configure SIEM rules to correlate high-volume LDAP queries with system performance degradation
Monitoring Recommendations
- Enable verbose logging for Active Directory Domain Services and LDAP operations
- Set up alerting thresholds for domain controller resource utilization metrics
- Monitor network traffic to LDAP ports (389/TCP and 636/TCP) for abnormal request patterns
- Establish baseline metrics for normal LDAP operations to facilitate anomaly detection
How to Mitigate CVE-2025-26673
Immediate Actions Required
- Apply the latest Microsoft security updates for all affected Windows systems immediately
- Restrict network access to LDAP services to trusted IP ranges using firewall rules
- Ensure domain controllers are not directly exposed to untrusted networks or the internet
- Enable network-level protections such as rate limiting on LDAP traffic where possible
Patch Information
Microsoft has released security updates to address this vulnerability. Patches are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations should prioritize patching domain controllers and systems running critical LDAP services.
For complete patch details and download links, refer to the Microsoft CVE-2025-26673 Advisory.
Workarounds
- Implement network segmentation to isolate LDAP services from untrusted network segments
- Configure firewalls to allow LDAP connections only from known, trusted IP addresses
- Deploy intrusion prevention systems with signatures to detect and block LDAP-based DoS attacks
- Consider enabling LDAP signing and channel binding to add additional security controls
# Example: Windows Firewall rule to restrict LDAP access to trusted subnet
netsh advfirewall firewall add rule name="Restrict LDAP Access" dir=in action=allow protocol=TCP localport=389 remoteip=10.0.0.0/8
netsh advfirewall firewall add rule name="Block External LDAP" dir=in action=block protocol=TCP localport=389 remoteip=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
