Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-29954

CVE-2025-29954: Windows 10 1507 LDAP DoS Vulnerability

CVE-2025-29954 is a denial of service flaw in Windows 10 1507 LDAP that enables unauthorized attackers to consume system resources and disrupt service availability. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-29954 Overview

CVE-2025-29954 is an uncontrolled resource consumption vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service. An unauthenticated remote attacker can send crafted LDAP traffic to exhaust resources on the target system, resulting in denial of service. The flaw affects a broad range of Windows client and server operating systems, including domain controllers where LDAP is a core directory service. Microsoft published the advisory on May 13, 2025, and the issue is tracked under [CWE-400] and [CWE-770]. No authentication or user interaction is required to trigger the condition.

Critical Impact

A successful attack renders the Windows LDAP service unavailable, disrupting authentication, directory queries, and any application that depends on Active Directory over LDAP.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 22H2, 23H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and Server 2022 23H2

Discovery Timeline

  • 2025-05-13 - CVE-2025-29954 published to NVD
  • 2025-05-13 - Microsoft releases security advisory and patch guidance
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-29954

Vulnerability Analysis

The vulnerability resides in how the Windows LDAP service allocates and manages resources when processing inbound protocol messages. Because the service does not enforce sufficient limits on the resources consumed per request or per connection, an attacker can drive resource usage until the service becomes unresponsive. The weakness is classified as uncontrolled resource consumption [CWE-400] and allocation of resources without limits or throttling [CWE-770].

The attack targets availability only. Confidentiality and integrity of directory data are not affected. However, LDAP outages on a domain controller cascade into authentication failures, Group Policy application errors, and downstream application disruption. The attack complexity is elevated because the attacker must produce specific conditions to reliably exhaust resources, but no privileges or user interaction are required.

Root Cause

The root cause is missing enforcement of upper bounds on resources consumed while parsing or servicing LDAP protocol operations. Without throttling, a stream of specially crafted requests forces the LDAP server process to allocate memory, threads, or handles beyond sustainable limits.

Attack Vector

An attacker with network access to TCP port 389 (LDAP) or 636 (LDAPS) sends crafted requests to the target Windows host. Domain controllers exposed to untrusted network segments are the highest-value targets. Microsoft has not published exploitation prerequisites publicly beyond the advisory. See the Microsoft CVE-2025-29954 Advisory for vendor guidance.

No public proof-of-concept code is available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-29954

Indicators of Compromise

  • Sudden spikes in memory, handle, or thread consumption by the lsass.exe process on domain controllers
  • LDAP client timeouts, bind failures, or event log entries indicating LDAP service unavailability
  • Elevated inbound traffic volume to TCP ports 389 or 636 from a small set of source addresses

Detection Strategies

  • Monitor Windows performance counters for the LDAP service, focusing on active connections, search operations per second, and process working set
  • Correlate Directory Services event log entries (events 1216, 2887, 2889) with network telemetry to identify unusual LDAP request patterns
  • Alert on repeated LDAP binds or searches originating from unauthenticated sources over short intervals

Monitoring Recommendations

  • Baseline normal LDAP query volume per client and alert on statistical deviation
  • Enable LDAP diagnostic logging (Diagnostics\16 LDAP Interface Events) at level 2 or higher during triage
  • Forward Windows Security and Directory Services logs to a centralized SIEM for cross-host correlation

How to Mitigate CVE-2025-29954

Immediate Actions Required

  • Apply the Microsoft security update for CVE-2025-29954 to all affected Windows client and server systems, prioritizing domain controllers
  • Restrict inbound access to TCP ports 389 and 636 so only trusted management networks and application servers can reach domain controllers
  • Review perimeter firewall and cloud security group rules to confirm LDAP is not exposed to the public internet

Patch Information

Microsoft has released fixes through the standard Windows Update channel. Refer to the Microsoft CVE-2025-29954 Advisory for the specific KB articles matching each Windows build. Install the corresponding cumulative update on every affected system and reboot to complete deployment.

Workarounds

  • Segment domain controllers behind internal firewalls that limit LDAP access to authorized subnets
  • Enforce LDAP channel binding and LDAP signing to reduce the pool of clients that can initiate connections
  • Configure rate limiting or connection quotas at network devices in front of LDAP servers where feasible
bash
# Example: restrict inbound LDAP to a management subnet using Windows Firewall
New-NetFirewallRule -DisplayName "Restrict LDAP 389" -Direction Inbound `
  -Protocol TCP -LocalPort 389 -RemoteAddress 10.10.0.0/24 -Action Allow
New-NetFirewallRule -DisplayName "Block LDAP 389 Other" -Direction Inbound `
  -Protocol TCP -LocalPort 389 -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.