More than twenty years after its weaknesses were first identified, the NTLM authentication protocol continues to endanger Windows environments worldwide. What began as a theoretical issue in 2001 has evolved into an active global threat, with attackers weaponizing multiple NTLM flaws to steal credentials, gain unauthorized access, and move laterally across enterprise networks.
Despite Microsoft’s plans to retire NTLM in Windows 11 24H2 and Windows Server 2025, the protocol remains deeply embedded in millions of systems—making it a lucrative target for modern cybercriminals.
Why NTLM Still Poses a Critical Security Risk
The New Technology LAN Manager (NTLM) protocol was originally designed to authenticate users and servers using a challenge-response handshake. Over time, however, its outdated mechanisms have made it vulnerable to multiple exploitation methods.
Its continued use—especially for compatibility with legacy applications—creates a persistent entry point for attackers.
Modern NTLM vulnerabilities allow:
- Hash leakage attacks
- Coercion-based authentication attacks
- Pass-the-Hash and credential forwarding
- Privilege escalation to SYSTEM level
- NTLM relay man-in-the-middle attacks
These flaws remain under heavy exploitation across different regions and industries.
Multiple NTLM Attack Vectors Under Active Exploitation
Several high-impact Windows vulnerabilities connected to NTLM have been observed in active cyber campaigns during 2024 and 2025.
CVE Overview
| CVE ID | Severity | Affected Systems | Impact | Known Campaigns |
|---|---|---|---|---|
| CVE-2024-43451 | High | Windows (multiple versions) | NTLM hash leakage, credential theft | BlindEagle (Remcos RAT), Head Mare |
| CVE-2025-24054 / CVE-2025-24071 | High | Windows 11, Windows Server | Hash leakage, unauthorized access | Trojan distribution in Russia (AveMaria/Warzone) |
| CVE-2025-33073 | High | Windows SMB client | Privilege escalation to SYSTEM | Uzbekistan financial sector attacks |
How Attackers Exploit These NTLM Vulnerabilities
1. Hash Leakage via Malicious Files (CVE-2024-43451)
This vulnerability allows attackers to steal NTLMv2 authentication hashes through malicious .url files.
Even minimal interaction—such as clicking or hovering—forces Windows to automatically authenticate to an attacker-controlled WebDAV server.
Recent campaigns exploiting this flaw include:
- BlindEagle APT, distributing the Remcos RAT to Colombian victims
- Head Mare hacktivists targeting organizations in Russia and Belarus
2. Automatic NTLM Authentication Through ZIP Files (CVE-2025-24054 / CVE-2025-24071)
These flaws target .library-ms files packaged inside ZIP archives.
When opened, Windows automatically attempts authentication to a malicious server, enabling attackers to steal hashes and deploy malware.
Security researchers have observed these vulnerabilities used in Russia to distribute AveMaria (Warzone) Trojan payloads.
3. SYSTEM-Level Privilege Escalation Through Reflection (CVE-2025-33073)
One of the most dangerous NTLM-related vulnerabilities, CVE-2025-33073 misuses DNS records to trick Windows into treating external authentication requests as internal.
This bypasses key security checks and grants attackers SYSTEM-level privileges, enabling full device compromise.
Suspicious exploitation was detected in Uzbekistan’s financial sector, suggesting targeted regional campaigns.
Why NTLM Relay Attacks Remain a Top Threat
NTLM relay attacks—a type of man-in-the-middle compromise—have remained effective for over two decades.
Attackers intercept authentication traffic, relay it to legitimate servers, and capture credentials without ever needing the actual password.
Combined with Pass-the-Hash, these methods allow:
- Lateral movement across networks
- Access to sensitive servers
- Privilege escalation
- Deployment of ransomware or RATs
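The relay and Pass-the-Hash activity described above leaves a trace on the servers it touches: Security event 4624 with logon type 3 (network) and authentication package NTLM, with the LM package name recording whether NTLMv1 or NTLMv2 was used. The following PowerShell script is an added example written for this article, not code from the original page or from Microsoft; it summarises those logons from the local Security log, counts NTLMv1 use (which should be zero), and flags logons whose recorded source address is outside the private IPv4 ranges. The look-back window, the event cap and the private-range test are assumptions of the example.

```powershell
# Added example: summarise NTLM network logons from the local Security log.
# Run in an elevated PowerShell session on a member server or domain controller.
param(
    [int]$HoursBack = 24,    # assumption: look-back window
    [int]$MaxEvents = 5000   # assumption: cap on events read
)

# Returns $true for addresses that should not be reported as "external":
# RFC 1918 IPv4, loopback, and anything that is not a parseable IPv4 literal
# (4624 records "-" or "::1" for local logons; IPv6 is out of scope here).
function Test-InternalAddress {
    param([string]$Ip)
    $parsed = $null
    if (-not [ipaddress]::TryParse($Ip, [ref]$parsed)) { return $true }
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $true }
    $b = $parsed.GetAddressBytes()
    return (($b[0] -eq 127) -or
            ($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624                                  # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($ev in $events) {
    # Pull the EventData fields out of the event XML by name
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    # Keep only network logons (type 3) that used the NTLM package
    if ($d['LogonType'] -ne '3' -or $d['AuthenticationPackageName'] -ne 'NTLM') { continue }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LmPackage   = $d['LmPackageName']       # 'NTLM V1' or 'NTLM V2'
        SourceIp    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        External    = -not (Test-InternalAddress $d['IpAddress'])
    }
}

$v1  = @($ntlmLogons | Where-Object { $_.LmPackage -eq 'NTLM V1' })
$ext = @($ntlmLogons | Where-Object { $_.External })

"NTLM network logons in the last $HoursBack h : $(@($ntlmLogons).Count)"
"  using NTLMv1 (should be zero)             : $($v1.Count)"
"  from non-private source addresses         : $($ext.Count)"

# Busiest source/account pairs: one workstation address authenticating as many
# different accounts, or a server's own name showing up as the source, is worth a look.
$ntlmLogons |
    Group-Object SourceIp, Account |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# Detail rows for the two flagged categories
$v1 + $ext | Sort-Object Time |
    Format-Table Time, Account, LmPackage, SourceIp, Workstation -AutoSize
```

Logon type 3 covers SMB, HTTP and LDAP authentication to this host, so running the script on file servers and domain controllers gives the widest view; a feed of these counts into a SIEM, rather than a one-off run, is what turns the list into an alert.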
Mitigation: Why Organizations Must Move Away From NTLM
Even with Microsoft issuing patches for these NTLM vulnerabilities, the real challenge lies in NTLM’s continued presence in enterprise networks.
Organizations that maintain NTLM for legacy compatibility face the highest risk.
Recommended Security Measures
- Migrate to Kerberos authentication wherever possible
- Disable NTLM on modern systems
- Implement strict network segmentation
- Monitor for suspicious authentication attempts
- Use SMB signing and Extended Protection for Authentication
- Enforce strong outbound firewall rules to block unauthorized traffic
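The recommendations above, together with the forced outbound authentication described in the .url and .library-ms cases earlier, map to a handful of local settings that can be audited in one pass. The PowerShell script below is an added example written for this article, not code from the original page or from Microsoft. It reports the NTLM restriction levels, SMB signing, LDAP channel binding (on domain controllers), the WebDAV redirector service and an outbound SMB block rule, and with the -Apply switch sets the hardened values. The registry paths, value names and service name are the documented Windows ones; the -Apply switch and the firewall rule name are assumptions of this script.

```powershell
# Added example: audit (and with -Apply, enforce) the NTLM hardening settings
# listed above on the local machine. Run in an elevated PowerShell session.
param([switch]$Apply)   # assumption: switch name chosen for this example

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-RegDword($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Hardened targets. Roll out in audit mode first (RestrictSendingNTLMTraffic=1,
# AuditReceivingNTLMTraffic=2) and review the NTLM operational log before denying,
# because legacy clients that still need NTLM will break once denial is on.
$checks = @(
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';         Want = 5; Why = 'NTLMv2 only, refuse LM/NTLMv1' }
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic';   Want = 2; Why = 'deny outgoing NTLM (1 = audit)' }
    @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Want = 2; Why = 'deny incoming NTLM (1 = domain accounts only)' }
)
foreach ($c in $checks) {
    $cur   = Get-RegDword $c.Path $c.Name
    $shown = if ($null -eq $cur) { 'unset' } else { $cur }
    $state = if ($cur -eq $c.Want) { 'OK' } else { 'WEAK' }
    '{0,-30} current={1,-5} want={2}  [{3}]  {4}' -f $c.Name, $shown, $c.Want, $state, $c.Why
    if ($Apply -and $cur -ne $c.Want) {
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -PropertyType DWord -Force | Out-Null
    }
}

# Required SMB signing on both client and server defeats relay of SMB authentication.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
"SMB server RequireSecuritySignature = $($srv.RequireSecuritySignature)"
"SMB client RequireSecuritySignature = $($cli.RequireSecuritySignature)"
if ($Apply) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Extended Protection for LDAP (channel binding) only applies on domain controllers;
# the key exists only where the NTDS service is installed.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $cb = Get-RegDword $ntds 'LdapEnforceChannelBinding'
    "LDAP channel binding (want 2 = always) = $(if ($null -eq $cb) { 'unset' } else { $cb })"
    if ($Apply -and $cb -ne 2) {
        New-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 2 -PropertyType DWord -Force | Out-Null
    }
}

# The WebClient (WebDAV redirector) service is what performs the forced WebDAV
# authentication in the .url and .library-ms cases; most endpoints do not need it.
$web = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($web) {
    "WebClient service: status=$($web.Status) start=$($web.StartType)"
    if ($Apply -and $web.StartType -ne 'Disabled') {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

# Outbound SMB to the Internet has no legitimate use on most endpoints and is the
# channel for SMB-based hash leakage; WebDAV runs over HTTP and is handled above.
$ruleName = 'Block outbound SMB to Internet'     # assumption: rule name for this example
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
"Outbound SMB block rule present = $([bool]$rule)"
if ($Apply -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445, 139 -RemoteAddress Internet -Profile Any | Out-Null
}
```

Run it without -Apply first and keep the output as a baseline; in a domain these values are normally pushed by Group Policy rather than set per host, so a WEAK result usually points at a policy gap rather than a single machine.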
As long as legacy NTLM authentication remains operational, attackers will continue to exploit it.