CVE-2022-30143

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running LDAP services. Attackers can exploit this by sending specially crafted requests to vulnerable LDAP servers. All Windows systems with LDAP enabled are potentially affected.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with LDAP role enabled or applications using Windows LDAP libraries are vulnerable. Domain controllers are particularly at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to domain takeover, data exfiltration, and lateral movement across the network.

🟠 Likely Case: Unauthorized code execution on LDAP servers, potentially leading to credential theft, privilege escalation, and persistence mechanisms.

🟢 If Mitigated: Limited impact due to network segmentation, proper patch management, and restricted LDAP access.

🌐 Internet-Facing: HIGH if LDAP is exposed to the internet without proper filtering or authentication.
🏢 Internal Only: HIGH as LDAP is commonly used for authentication and directory services in enterprise environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to LDAP ports (389/636).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2022 security updates (KB5013952 for Windows 10, KB5013954 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30143

Restart Required: Yes

Instructions:

1. Apply the May 2022 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Block LDAP ports at network perimeter

Prevent external access to LDAP services. Apply this rule on perimeter or non-directory hosts: on a domain controller, blocking inbound 389/636 also blocks legitimate domain clients.

netsh advfirewall firewall add rule name="Block LDAP" dir=in action=block protocol=TCP localport=389,636

Restrict LDAP access via firewall

Limit LDAP connections to trusted IP addresses only (192.168.1.0/24 is a placeholder for your trusted range). An allow rule on its own only restricts access if no broader allow rule for these ports already exists, which on a domain controller the built-in AD DS rules do; in that case narrow the remote address scope of those existing rules rather than adding a new one. Do not combine this rule with the block rule above, because Windows Firewall gives block rules precedence over allow rules and the trusted range would be blocked too.

netsh advfirewall firewall add rule name="Allow LDAP Trusted" dir=in action=allow protocol=TCP localport=389,636 remoteip=192.168.1.0/24

🧯 If You Can't Patch

  • Implement network segmentation to isolate LDAP servers from untrusted networks
  • Enable LDAP signing and channel binding to add authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check if system has May 2022 security updates installed via 'systeminfo' command or Windows Update history.

Check Version:

wmic qfe list brief | findstr KB5013952

Verify Fix Applied:

Verify KB5013952 (or equivalent for your OS version) is installed and system has been restarted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP connection attempts
  • Failed authentication events followed by successful connections
  • Process creation from lsass.exe or other system processes

Network Indicators:

  • Unusual LDAP traffic patterns
  • Connection attempts to LDAP ports from unexpected sources
  • Large or malformed LDAP packets

SIEM Query:

source="*" (event_id=4625 OR event_id=4624) AND process_name="lsass.exe" AND destination_port=389

Note that Windows logon events 4624/4625 carry no destination port field, so this query only returns results where the source has already been enriched with network data; for the port condition, use network connection events (Sysmon Event ID 3 or Windows Filtering Platform Event ID 5156) and correlate them with the logon events by host and time window.
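The two network indicators above (connections to LDAP ports from unexpected sources, and large or malformed LDAP packets) as a small detection routine. This is an added example, not part of the advisory: the event records and trusted range are constructed, and the BER check only inspects the outer LDAPMessage SEQUENCE header, which is the same for every LDAP request.

```python
# Added example (not from the advisory): flag LDAP connections from
# untrusted sources and malformed or oversized LDAPMessage headers.
import ipaddress

LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog

def ber_declared_length(pkt: bytes):
    """Return the length an LDAPMessage claims for itself, or None if the
    BER SEQUENCE header is malformed. Every LDAPMessage starts with 0x30."""
    if len(pkt) < 2 or pkt[0] != 0x30:
        return None
    first = pkt[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(pkt) < 2 + n:
        return None                        # indefinite or truncated length
    return int.from_bytes(pkt[2:2 + n], "big")

def suspicious_payload(pkt: bytes, max_len: int = 1 << 20) -> bool:
    """True for a malformed header or a declared length above max_len."""
    declared = ber_declared_length(pkt)
    return declared is None or declared > max_len

def flag_ldap_connections(events, trusted_nets):
    """events: Sysmon-style network records (constructed dicts here).
    Returns the ids of connections to LDAP ports whose source address
    lies outside every network in trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for ev in events:
        if int(ev["dst_port"]) not in LDAP_PORTS:
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in nets):
            hits.append(ev["id"])
    return hits

# Constructed sample input, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "192.168.1.20", "dst_port": 389},
    {"id": 2, "src_ip": "203.0.113.7",  "dst_port": 636},
    {"id": 3, "src_ip": "192.168.1.50", "dst_port": 445},
    {"id": 4, "src_ip": "198.51.100.9", "dst_port": 3268},
]

if __name__ == "__main__":
    print(flag_ldap_connections(SAMPLE_EVENTS, ["192.168.1.0/24"]))  # [2, 4]
```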
