CVE-2022-29128

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running LDAP services by sending specially crafted requests. It affects Windows servers with LDAP enabled, potentially allowing attackers to take full control of affected systems.

💻 Affected Systems

Products:
  • Windows Server
  • Windows
Versions: Windows Server 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1, 2008 SP2, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with LDAP service enabled. Domain controllers are particularly vulnerable as they run LDAP by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to domain takeover, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Remote code execution leading to installation of malware, backdoors, or credential theft from compromised domain controllers.

🟢 If Mitigated

Limited impact due to network segmentation, proper patch management, and restricted LDAP access controls.

🌐 Internet-Facing: HIGH if LDAP services are exposed to the internet without proper filtering or authentication.
🏢 Internal Only: HIGH as LDAP is commonly used for internal authentication and directory services in Windows domains.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Microsoft states exploitation requires an attacker to be authenticated to the target system. No public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2022 security updates (KB5013952 for Windows 10, KB5013954 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29128

Restart Required: Yes

Instructions:

1. Apply the May 2022 Windows security updates from Windows Update.
2. For enterprise environments, deploy the updates via WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Restrict LDAP access (Windows)

Limit LDAP access to trusted IP addresses only using firewall rules. An Allow rule such as the one below only restricts access when the profile's default inbound action (or an accompanying Block rule for ports 389/636) denies traffic from other sources; 192.168.1.0/24 is an example range to replace with your management or client network.

New-NetFirewallRule -DisplayName "Restrict LDAP" -Direction Inbound -Protocol TCP -LocalPort 389,636 -RemoteAddress 192.168.1.0/24 -Action Allow

Enable LDAP channel binding and signing (Windows)

Require LDAP signing and channel binding to prevent certain attack vectors. The command below enforces channel binding (value 2 = always); LDAP signing is controlled separately by the LDAPServerIntegrity value under the same key (2 = require signing).

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding" -Value 2

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LDAP servers from untrusted networks.
  • Enable Windows Defender Exploit Guard and configure attack surface reduction rules.

🔍 How to Verify

Check if Vulnerable:

Check whether the May 2022 security updates are installed, either with 'Get-Hotfix -Id KB5013952, KB5013954' or in the Windows Update history.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify patch installation and check that LDAP service is running with updated binaries.
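As an added example, not part of the original advisory, the following PowerShell script combines the checks above into one run on a Windows host: OS version, presence of the listed May 2022 updates, whether the Active Directory LDAP service (NTDS) is present, and the two registry values from the workaround section. It assumes the KB numbers given for Windows 10/11; other OS versions receive a different KB, so the $Kbs list must be extended for the systems you manage.

```powershell
# Constructed verification script (not the advisory's own code).
# $Kbs holds the KB numbers the advisory lists for Windows 10/11; add the
# matching May 2022 KB for other OS versions you run (assumption).
$Kbs     = @('KB5013952', 'KB5013954')
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (version {1})" -f $os.Caption, $os.Version)

# 1. Is one of the listed May 2022 cumulative updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Kbs -contains $_.HotFixID } |
    Select-Object -First 1
if ($installed) {
    Write-Host ("Patched: {0} installed on {1}" -f $installed.HotFixID, $installed.InstalledOn)
} else {
    Write-Warning ("None of {0} found; check Windows Update history for this OS version." -f ($Kbs -join ', '))
}

# 2. Does this host run the AD LDAP service at all? The NTDS registry key
#    and the hardening values below exist only on domain controllers.
$ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
if (-not $ntds) {
    Write-Host "NTDS service not present: not a domain controller, LDAP hardening values do not apply."
    return
}
Write-Host ("NTDS service: {0}" -f $ntds.Status)

# 3. LDAP hardening values referenced in the workaround section.
#    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
#    LDAPServerIntegrity:       1 = none, 2 = require signing
$params = Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue
$cb  = $params.LdapEnforceChannelBinding
$sig = $params.LDAPServerIntegrity
if ($cb -eq 2)  { Write-Host "Channel binding: enforced (2)" }
else            { Write-Warning "Channel binding: LdapEnforceChannelBinding = '$cb' (want 2)" }
if ($sig -eq 2) { Write-Host "LDAP signing: required (2)" }
else            { Write-Warning "LDAP signing: LDAPServerIntegrity = '$sig' (want 2)" }
```

Run it from an elevated PowerShell session on each LDAP server; a missing value prints as an empty string in the warning, which means the default (unenforced) setting is in effect.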

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in Windows Security logs (Event ID 2889)
  • Failed authentication attempts followed by successful LDAP connections

Network Indicators:

  • Unusual LDAP traffic patterns, especially from non-standard sources
  • Multiple failed LDAP bind attempts

SIEM Query:

source="WinEventLog:Security" (EventCode=2889 OR EventCode=4625) | stats count by src_ip, dest_ip
