CVE-2025-26670

8.1 HIGH

📋 TL;DR

A use-after-free vulnerability in Windows LDAP allows unauthorized attackers to execute arbitrary code remotely over a network. This affects Windows systems running LDAP services, potentially enabling remote code execution without authentication.

💻 Affected Systems

Products:
  • Windows LDAP Service
Versions: Specific Windows versions as listed in the Microsoft advisory
Operating Systems: Windows Server, Windows Client versions with LDAP enabled
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with LDAP enabled are vulnerable. Domain controllers and systems using LDAP for authentication/authorization are particularly at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via remote code execution, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to lateral movement within the network, credential harvesting, and privilege escalation.

🟢 If Mitigated: Limited impact if network segmentation restricts LDAP traffic and systems are patched promptly.

🌐 Internet-Facing: HIGH - LDAP services exposed to the internet can be directly exploited without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the LDAP service. Based on the CVE description, no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26670

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Microsoft
2. Restart affected systems
3. Verify patch installation via Windows Update history

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Restrict LDAP traffic to trusted networks only. Configure firewall rules to block LDAP (TCP 389, 636, 3268, 3269) from untrusted networks.

LDAP Signing Enforcement (platform: windows)

Require LDAP signing to prevent certain attack vectors. Set the registry value LDAPServerIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to 2 (Require signing).

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LDAP traffic
  • Monitor LDAP services for anomalous activity and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check the Windows version and patch level against the Microsoft advisory

Check Version:

wmic os get caption, version, buildnumber, csdversion

Verify Fix Applied:

Verify that the security update's KB number is installed via Windows Update history
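The three checks above (build level, installed update, LDAP signing workaround), plus a look at which LDAP ports are actually exposed, can be run from one elevated PowerShell session. This is an added example, not part of the advisory or of any Microsoft tooling; $RequiredKB is a placeholder you replace with the KB number from the Microsoft Security Update Guide entry linked above, and the LDAPServerIntegrity check only applies on domain controllers.

```powershell
# Added example (not from the advisory): local posture check for CVE-2025-26670 mitigations.
# Assumptions: run elevated on the Windows host; $RequiredKB is a PLACEHOLDER that must be
# replaced with the KB number listed in the MSRC advisory for this CVE.

$RequiredKB = 'KB0000000'   # PLACEHOLDER - take the real KB from the MSRC advisory

# 1. OS build: compare against the fixed build listed in the advisory.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    Caption     = $os.Caption
    Version     = $os.Version
    BuildNumber = $os.BuildNumber
}

# 2. Is the required update installed? Get-HotFix reads the same data as "Installed Updates";
#    the Update Build Revision (UBR) is a second, more reliable signal of the cumulative level.
$hotfix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
if ($hotfix) { "Update $RequiredKB installed on $($hotfix.InstalledOn)" }
else         { "Update $RequiredKB NOT found; current build is $($os.BuildNumber).$ubr" }

# 3. LDAP signing workaround (domain controllers only): 2 = Require signing, 1 = None.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $integrity = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    switch ($integrity) {
        2       { 'LDAPServerIntegrity = 2 (Require signing)' }
        1       { 'LDAPServerIntegrity = 1 (None) - workaround from the advisory not applied' }
        default { 'LDAPServerIntegrity not set (defaults to None)' }
    }
} else {
    'NTDS Parameters key absent: not a domain controller, LDAP server signing does not apply here'
}

# 4. Exposure: which LDAP ports are listening, and which remote hosts currently hold connections.
$ldapPorts = 389, 636, 3268, 3269
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ldapPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ldapPorts } |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The established-connection summary at the end is the quickest way to see whether the firewall rules from the workaround section are actually in effect: any remote address outside your trusted ranges holding a connection on 389/636/3268/3269 means LDAP is still reachable from there.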

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP connection attempts
  • Failed authentication events from unexpected sources
  • Process creation events from lsass.exe or LDAP service

Network Indicators:

  • Unusual LDAP traffic patterns
  • LDAP requests from unexpected IP addresses
  • Multiple failed LDAP binds

SIEM Query:

source="windows" AND (event_id=4625 OR event_id=4771) AND process_name="lsass.exe" | stats count by src_ip
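For the "LDAP requests from unexpected IP addresses" indicator, a domain controller's own Directory Service log is a better source than logon events: once the "16 LDAP Interface Events" diagnostic is set to 2 (under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics), the DC logs event 2889 for every bind that did not request signing, including the client address and the identity used. The script below is an added example, not part of the advisory or of any Microsoft tooling; it assumes that diagnostic level is already set, and $TrustedSubnets is a constructed allowlist you replace with your own ranges.

```powershell
# Added example (not part of the advisory): summarise LDAP binds that did not request signing,
# per client IP, from a domain controller's Directory Service log over the last 24 hours.
# Assumes "16 LDAP Interface Events" = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics,
# which makes the DC log event 2889 per bind (event 2887 is the daily summary at the default level).
# $TrustedSubnets is a constructed sample allowlist (prefix match on IPv4 addresses).

$TrustedSubnets = @('10.0.0.', '192.168.1.')   # constructed sample; replace with your own ranges
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Each 2889 message carries "Client IP address:" (IPv4 host:port form) and the identity bound as.
$binds = foreach ($e in $events) {
    $msg = $e.Message
    $ip  = if ($msg -match 'Client IP address:\s*(\S+?)(?::\d+)?\s') { $Matches[1] } else { 'unknown' }
    $id  = if ($msg -match 'authenticate as:\s*(.+?)\s*(\r?\n|$)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        ClientIP = $ip
        Identity = $id
        Trusted  = [bool]($TrustedSubnets | Where-Object { $ip.StartsWith($_) })
    }
}

# One row per client: untrusted sources first, then by volume, with every identity they used.
$binds | Group-Object ClientIP | ForEach-Object {
    [pscustomobject]@{
        ClientIP   = $_.Name
        Binds      = $_.Count
        Identities = ($_.Group.Identity | Sort-Object -Unique) -join ', '
        Trusted    = $_.Group[0].Trusted
    }
} | Sort-Object @{Expression = 'Trusted'; Descending = $false },
                @{Expression = 'Binds';   Descending = $true } |
    Format-Table -AutoSize
```

Run this before turning LDAPServerIntegrity to 2: the untrusted rows are the hosts the firewall rules should already be blocking, and the trusted rows with many unsigned binds are the applications that will break when signing is required.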

🔗 References
