CyberSecurity SEE

Protecting Your Environment from the NTLM Vulnerability

Researchers at 0patch have disclosed a new zero-day vulnerability in NTLM handling on Windows that exposes users' credentials without the user ever opening a malicious file. Merely viewing a specially crafted file in Windows Explorer (opening the folder that contains it is enough) causes Windows to initiate an outbound NTLM authentication to a remote, attacker-controlled share. The NTLM response sent in that exchange is derived from the user's password hash and can be captured for offline cracking or relayed to another service.

NTLM is a family of Microsoft authentication protocols that Microsoft has deprecated, yet it remains in wide use: research indicates that 64% of Active Directory user accounts still authenticate with NTLM regularly, which shows how pervasive this outdated technology still is.

The flaw affects every Windows version up to and including Windows 11 24H2 and Windows Server 2022, so it reaches any enterprise that has not yet moved its authentication to Kerberos. Enforcing NTLMv2 does not help: the leak is triggered on the client before the protocol version matters, and an NTLMv2 response can still be relayed or cracked.

Because Microsoft may not patch this zero-day immediately, enterprise defenders should act on their own. The recommended measures are Dynamic Access Policies, hardening the configuration of services that accept NTLM, and requiring Multi-Factor Authentication (MFA) to limit what a stolen credential is worth. Moving authentication off NTLM altogether, where feasible, removes the exposure entirely.

The fundamental weakness of NTLM lies in its outdated design. Authentication is a challenge-response exchange in which the client proves possession of the password hash rather than the password, so the hash itself is password-equivalent (hence pass-the-hash), and nothing in the exchange binds the response to the server or channel it was meant for (hence NTLM relay). NTLMv2 replaced NTLMv1's DES-based response with an HMAC-MD5 response that is slower to crack, but it addresses neither problem. NTLM also offers no hook for modern controls such as MFA, so a captured credential is all an attacker needs.

To limit what an attacker can do with credentials captured this way, Microsoft has updated its guidance on enabling Extended Protection for Authentication (EPA) in the services most often targeted by relay: LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2019 and 2022, administrators can enable EPA for AD CS and channel binding for LDAP manually. Windows Server 2025 enables EPA and LDAP channel binding by default, so upgrading to it is the recommended path where possible.
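The server-side hardening described above, as an added example that is not code from the original article or from Microsoft's guidance: it enables LDAP channel binding and signing on a domain controller and EPA on the AD CS web-enrollment application, for Windows Server 2019/2022. The registry value names and IIS attribute names are the documented ones; the IIS site/application path (`Default Web Site/CertSrv`) and the log-parsing regexes are assumptions that must be checked against your deployment. In production, push the registry values through Group Policy rather than writing them locally.

```powershell
# Added example (not from the article or from Microsoft): relay hardening for DCs and AD CS.
# Run the LDAP functions elevated on each domain controller and the IIS function on the
# AD CS web-enrollment host. Site/application paths below are assumptions.
#Requires -RunAsAdministrator

function Enable-LdapSigningAudit {
    # Before enforcing, find clients that still bind without signing: Directory Service
    # event 2889 (one per offending bind) is logged once this diagnostic level is 2.
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapClients {
    param([int]$Days = 7)
    # Summarise 2889 events by client address (ip:port as written in the event) so the
    # owners can be found before signing is enforced. Regex is an assumption on the text.
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Enable-LdapChannelBindingAndSigning {
    param([ValidateSet(1, 2)][int]$ChannelBinding = 2)
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # LdapEnforceChannelBinding: 0 = never, 1 = when the client supports it, 2 = always.
    # At 2 the DC rejects an LDAPS bind whose channel-binding token does not match the TLS
    # session it arrived on, which is exactly what a relayed NTLM authentication cannot
    # produce. Start at 1 and watch the Directory Service log if old non-Windows LDAP
    # clients are in use.
    Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value $ChannelBinding -Type DWord
    # LDAPServerIntegrity: 2 = require signing, so a relayed plain-LDAP (389) bind, whose
    # relayer does not hold the session key, is rejected as well.
    Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
}

function Enable-AdcsWebEnrollmentEpa {
    # Application paths are assumptions; add CEP/CES applications if you run them.
    param([string[]]$Applications = @('Default Web Site/CertSrv'))
    Import-Module WebAdministration
    $apphost = 'MACHINE/WEBROOT/APPHOST'   # write <location> entries; the section is locked per-app
    $epa     = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($app in $Applications) {
        # EPA only protects TLS connections, so require SSL on the application first.
        Set-WebConfigurationProperty -PSPath $apphost -Location $app `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
        # tokenChecking=Require: the client's channel-binding token must match this TLS
        # session; a relay that terminates TLS itself presents a mismatching token and fails.
        Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $epa -Name 'tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -PSPath $apphost -Location $app -Filter $epa -Name 'flags' -Value 'None'
    }
}

function Test-RelayHardening {
    # Readback for change verification after a GPO refresh or reboot.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LdapEnforceChannelBinding = $ntds.LdapEnforceChannelBinding
        LDAPServerIntegrity       = $ntds.LDAPServerIntegrity
    }
}

# Typical sequence on a DC: audit a week, review, then enforce.
Enable-LdapSigningAudit
Get-UnsignedLdapClients -Days 7 | Format-Table -AutoSize
# Enable-LdapChannelBindingAndSigning -ChannelBinding 2
# On the AD CS web-enrollment host instead:
# Enable-AdcsWebEnrollmentEpa
Test-RelayHardening
```

The IIS cmdlets use the `MACHINE/WEBROOT/APPHOST` path with `-Location` deliberately: `windowsAuthentication` is locked at the application level in `applicationHost.config`, so setting it through `IIS:\Sites\...` fails with a locked-section error. Requiring SSL first matters because EPA checks the TLS channel; a plain-HTTP `CertSrv` with EPA "Required" simply breaks enrollment without adding protection.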

Where legacy systems keep NTLM alive, additional authentication layers such as Dynamic Risk Based Policies can raise the bar for those systems. Harden LDAP configurations (signing and channel binding), monitor the environment, including SaaS integrations, for NTLMv2 usage, and restrict or disable NTLM authentication through Group Policy, auditing first so that the remaining NTLM dependencies are identified before anything is blocked.
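The client-side controls discussed in this article, the leak to an attacker-controlled share, the interim measures, and restricting NTLM through policy, as one added example that is not code from the original article or from 0patch: it audits outgoing NTLM, summarises the observed targets into an allow-list, then denies outgoing NTLM to everything else and blocks the outbound SMB and WebDAV paths the leak travels over. The registry values are the documented equivalents of the "Network security: Restrict NTLM" Group Policy settings; the message regex for event 8001 and the placeholder server names are assumptions. Deploy through Group Policy in production.

```powershell
# Added example (not from the article or from 0patch): audit, then restrict, outgoing NTLM
# on a Windows client, and cut off the outbound SMB/WebDAV path to an attacker's share.
# Run elevated on a test machine first. Registry writes shown here are the local
# equivalent of the "Restrict NTLM" GPO settings; use GPO for fleet deployment.
#Requires -RunAsAdministrator

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-NtlmAuditMode {
    # Phase 1: observe before enforcing. RestrictSendingNTLMTraffic=1 audits every outgoing
    # NTLM authentication (event 8001) without blocking it; AuditReceivingNTLMTraffic=2 does
    # the same for incoming NTLM (event 8002).
    Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    Set-ItemProperty -Path $Msv -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
    # LmCompatibilityLevel=5: send NTLMv2 only, refuse LM and NTLMv1. This does not stop the
    # leak (the v2 response still leaves the host) but removes the trivially crackable variants.
    Set-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
}

function Get-OutgoingNtlmTargets {
    param([int]$Days = 7)
    # Each 8001 event names the server the client authenticated to. The target is parsed from
    # the message text (regex is an assumption) because property order varies across builds.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'TargetServer'; e = { $_.Name } }, Count
}

function Enable-NtlmOutboundRestriction {
    param([Parameter(Mandatory)][string[]]$AllowedServers)
    # Phase 2: RestrictSendingNTLMTraffic=2 denies all outgoing NTLM except to the exception
    # list in ClientAllowedNTLMServers (REG_MULTI_SZ; an asterisk acts as a wildcard).
    # Build the list from Get-OutgoingNtlmTargets after the audit window, not from guesswork.
    Set-ItemProperty -Path $Msv -Name 'ClientAllowedNTLMServers'   -Value $AllowedServers -Type MultiString
    Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord
}

function Block-OutboundSmbToInternet {
    # Defence in depth: even where NTLM is still allowed, the response has to travel to the
    # attacker's share. Block TCP 139/445 to any address outside the local/private ranges
    # (the Windows Firewall 'Internet' address keyword).
    $name = 'Block outbound SMB to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 139, 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    # A UNC path falls back to WebDAV over 80/443 when the WebClient service is running,
    # which would sidestep the SMB rule; disable it where WebDAV is not needed.
    Stop-Service -Name WebClient -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled -ErrorAction SilentlyContinue
}

function Test-NtlmRestriction {
    # Readback so the state can be checked after a GPO refresh or reboot.
    $m = Get-ItemProperty -Path $Msv -ErrorAction SilentlyContinue
    $l = Get-ItemProperty -Path $Lsa -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $m.RestrictSendingNTLMTraffic
        AllowedServers             = $m.ClientAllowedNTLMServers
        LmCompatibilityLevel       = $l.LmCompatibilityLevel
        WebClientStartType         = (Get-Service -Name WebClient -ErrorAction SilentlyContinue).StartType
    }
}

# Typical sequence: audit for a week, review the targets, then enforce with an allow-list.
Set-NtlmAuditMode
Get-OutgoingNtlmTargets -Days 7 | Format-Table -AutoSize
# After review (server names are placeholders):
# Enable-NtlmOutboundRestriction -AllowedServers @('fs01.corp.example', '*.legacy.corp.example')
# Block-OutboundSmbToInternet
Test-NtlmRestriction
```

Leave the audit phase running long enough to catch monthly jobs and rarely used file servers; every target missing from the allow-list becomes an authentication failure the day `RestrictSendingNTLMTraffic` is set to 2. The firewall rule and the WebClient change are independent of the NTLM policy and are worth applying even where NTLM cannot be restricted yet, since the leak described in this article needs a reachable attacker share to complete.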

Leaving NTLM behind in favour of modern protocols such as Kerberos addresses the design flaws rather than their symptoms and strengthens the overall security posture. Until that transition is complete, the measures above reduce both the chance that this vulnerability is exploited and the damage a leaked credential can do.
