A recent zero-day vulnerability in NTLM has been discovered by researchers at 0patch. This vulnerability allows attackers to steal NTLM credentials without the user needing to open the file, simply by viewing a specially crafted malicious file in Windows Explorer. The stolen password hashes can then be used for authentication relay attacks or for dictionary attacks to take over user identities.
Although Microsoft has officially deprecated NTLM, our research shows that 64% of Active Directory user accounts still regularly authenticate with it. This widespread use of NTLM, even in environments that have moved to NTLMv2, poses a significant risk to enterprises that have not yet transitioned to Kerberos.
To address this vulnerability, enterprise defenders should consider implementing dynamic access policies, hardening steps, and multifactor authentication (MFA) to mitigate the risk of exploitation. Upgrading to a more secure protocol, where possible, can eliminate the vulnerability altogether.
What Is the NTLM Vulnerability?
When a user views a malicious file in Windows Explorer, an outbound NTLM connection is triggered, sending the NTLM hashes of the logged-in user to a remote attacker-controlled share. These stolen NTLM hashes can be used for authentication relay attacks or dictionary attacks, granting unauthorized access to sensitive systems.
The vulnerability affects all Windows versions from Windows 7 to the latest Windows 11 and Server 2022. The outdated design of NTLM, which transmits password hashes instead of verifying plaintext passwords, makes it vulnerable to interception and exploitation.
What Defenders Need to Do
To mitigate this vulnerability, Microsoft has updated guidance on enabling Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. Administrators can manually enable EPA for AD CS and channel binding for LDAP on Windows Server 2022 and 2019.
Organizations still reliant on NTLM should consider additional authentication layers, such as dynamic risk-based policies, to protect legacy systems. It is recommended to harden LDAP configurations, monitor SMB traffic, and transition away from NTLM to more modern authentication protocols like Kerberos.
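As an added example (not code from the original article or from Microsoft), the PowerShell below audits a Windows host against the hardening steps just described: LDAP channel binding and signing on a domain controller, and the client-side policy that restricts outgoing NTLM to remote servers, which is the path the Explorer-triggered leak uses. The registry paths and value names are Windows' documented policy settings; the desired values are our own hardened baseline, and the -Enforce switch is an assumption of this script.

```powershell
# Added example: report (and optionally enforce) NTLM/LDAP hardening settings.
# Run in an elevated shell. Without -Enforce the script only reports.
[CmdletBinding()]
param([switch]$Enforce)

# Each check: registry path, value name, hardened value, and what it controls.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LdapEnforceChannelBinding'; Want = 2   # DC only: 0 never, 1 when supported, 2 always
       What = 'LDAP channel binding (EPA)' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Want = 2         # DC only: 1 none, 2 require signing
       What = 'LDAP server signing' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Want = 2  # 0 allow, 1 audit only, 2 deny outbound NTLM
       What = 'Restrict outgoing NTLM to remote servers' }
)

function Get-NtlmHardeningReport {
    foreach ($c in $checks) {
        # A missing value means the Windows default applies, which is the weak setting.
        $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $shown = if ($null -eq $cur) { '(not set: default)' } else { $cur }
        [pscustomobject]@{
            Setting  = $c.What
            Value    = $c.Name
            Current  = $shown
            Desired  = $c.Want
            Hardened = ($cur -eq $c.Want)
        }
    }
}

$report = Get-NtlmHardeningReport
$report | Format-Table -AutoSize

if ($Enforce) {
    foreach ($c in $checks) {
        # The NTDS key exists only on domain controllers; skip it elsewhere.
        if (-not (Test-Path $c.Path)) { continue }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        Write-Host "Set $($c.Name) = $($c.Want)"
    }
    # RestrictSendingNTLMTraffic = 2 blocks legitimate NTLM-only services too; most
    # environments set 1 (audit) first and review the Microsoft-Windows-NTLM/Operational
    # log for outgoing-NTLM audit events before moving to 2.
}
```

Rows reported with Hardened = False are the settings left at their default, which is where the relay and credential-leak exposure described above remains.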
By taking these steps, organizations can address the vulnerabilities in NTLM and enhance their overall security posture.