Greater than 20 years after its preliminary discovery, the NTLM authentication protocol continues to plague Home windows methods worldwide.
What began in 2001 as a theoretical vulnerability has advanced right into a widespread safety disaster, with attackers actively weaponizing a number of NTLM flaws to compromise networks throughout totally different areas.
The New Know-how LAN Supervisor (NTLM) protocol was designed to authenticate shoppers and servers in Home windows environments utilizing a three-step handshake.
Though Microsoft has introduced plans to retire NTLM solely, starting with Home windows 11 24H2 and Home windows Server 2025, the protocol stays embedded in thousands and thousands of methods.
This persistence creates an open window for cybercriminals who proceed to find and exploit new vulnerabilities in NTLM’s outdated mechanisms.
A number of Assault Vectors Below Energetic Exploitation
NTLM flaws allow a number of harmful assault methods. Hash leakage happens when attackers craft malicious recordsdata that trick Home windows into sending authentication hashes with out requiring person interplay.
CVE IDSeverityAffected SystemsImpactKnown CampaignsCVE-2024-43451HighWindows (A number of Variations)Hash Leakage, Credential CompromiseBlindEagle (Remcos RAT), Head MareCVE-2025-24054/CVE-2025-24071HighWindows 11, Home windows ServerHash Leakage, Unauthorized AccessTrojan Distribution in Russia (AveMaria/Warzone)CVE-2025-33073HighWindows (SMB Shopper)Privilege Escalation to SYSTEM LevelUzbekistan Monetary Sector Assault
Coercion-based assaults drive methods to authenticate to attacker-controlled companies.
As soon as credentials are compromised, attackers use credential-forwarding methods comparable to Cross-the-Hash to maneuver laterally throughout networks and escalate privileges with out understanding the precise passwords.
Man-in-the-middle assaults stay significantly efficient, with NTLM relay remaining probably the most impactful methodology for 20 years. Attackers place themselves between shoppers and servers to intercept authentication visitors and seize credentials.
Safety researchers have recognized a number of essential NTLM vulnerabilities which can be at present being actively exploited in 2024 and 2025.
CVE-2024-43451 permits NTLMv2 hash leakage via malicious .url recordsdata. Merely interacting with these recordsdata clicking, right-clicking, or transferring them routinely connects to attacker servers operating WebDAV.
The BlindEagle APT group exploited this vulnerability to distribute the Remcos RAT to Colombian targets. On the similar time, the Head Mare hacktivists exploited it in opposition to Russian and Belarusian organizations.
CVE-2025-24054 and CVE-2025-24071 goal .library-ms recordsdata inside ZIP archives, inflicting computerized NTLM authentication to attacker-controlled servers. Researchers detected campaigns in Russia distributing the AveMaria Trojan utilizing this methodology.
CVE-2025-33073 represents a hazardous reflection assault. Attackers manipulate DNS information to trick Home windows into treating exterior authentication requests as native, bypassing common safety checks and granting SYSTEM-level privileges.
In keeping with SecureList, suspicious exercise exploiting this vulnerability was detected in Uzbekistan’s monetary sector.
Regardless of Microsoft addressing these vulnerabilities via patches, the legacy protocol’s continued presence in enterprise networks means assaults will persist.
Organizations sustaining NTLM for compatibility with older purposes stay significantly susceptible. Safety groups ought to prioritize migrating to Kerberos, implementing community segmentation, and monitoring for suspicious authentication makes an attempt throughout their Home windows infrastructure.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
