More than two decades after its initial discovery, the NTLM authentication protocol continues to plague Windows systems worldwide.
What started in 2001 as a theoretical vulnerability has evolved into a widespread security crisis, with attackers actively weaponizing multiple NTLM flaws to compromise networks across different regions.
The New Technology LAN Manager (NTLM) protocol was designed to authenticate clients and servers in Windows environments using a three-step handshake.
Although Microsoft has announced plans to retire NTLM entirely, beginning with Windows 11 24H2 and Windows Server 2025, the protocol remains embedded in millions of systems.
This persistence creates an open window for cybercriminals who continue to discover and exploit new vulnerabilities in NTLM’s outdated mechanisms.
Multiple Attack Vectors Under Active Exploitation
NTLM flaws enable several dangerous attack techniques. Hash leakage occurs when attackers craft malicious files that trick Windows into sending authentication hashes without requiring user interaction.
CVE ID | Severity | Affected Systems | Impact | Known Campaigns
CVE-2024-43451 | High | Windows (Multiple Versions) | Hash Leakage, Credential Compromise | BlindEagle (Remcos RAT), Head Mare
CVE-2025-24054 / CVE-2025-24071 | High | Windows 11, Windows Server | Hash Leakage, Unauthorized Access | Trojan Distribution in Russia (AveMaria/Warzone)
CVE-2025-33073 | High | Windows (SMB Client) | Privilege Escalation to SYSTEM Level | Uzbekistan Financial Sector Attack
Coercion-based attacks force systems to authenticate to attacker-controlled services.
Once credentials are compromised, attackers use credential-forwarding techniques such as Pass-the-Hash to move laterally across networks and escalate privileges without knowing the actual passwords.
Man-in-the-middle attacks remain particularly effective; NTLM relay has been the most impactful of these methods for two decades. Attackers position themselves between clients and servers to intercept authentication traffic and capture credentials.
Security researchers have identified several critical NTLM vulnerabilities that are currently being actively exploited in 2024 and 2025.
CVE-2024-43451 enables NTLMv2 hash leakage through malicious .url files. Simply interacting with these files (clicking, right-clicking, or moving them) automatically connects to attacker servers running WebDAV.
The BlindEagle APT group exploited this vulnerability to distribute the Remcos RAT to Colombian targets. At the same time, the Head Mare hacktivists exploited it against Russian and Belarusian organizations.
CVE-2025-24054 and CVE-2025-24071 target .library-ms files inside ZIP archives, causing automatic NTLM authentication to attacker-controlled servers. Researchers detected campaigns in Russia distributing the AveMaria Trojan using this method.
CVE-2025-33073 represents a hazardous reflection attack. Attackers manipulate DNS records to trick Windows into treating external authentication requests as local, bypassing regular security checks and granting SYSTEM-level privileges.
According to SecureList, suspicious activity exploiting this vulnerability was detected in Uzbekistan’s financial sector.
Despite Microsoft addressing these vulnerabilities through patches, the legacy protocol’s continued presence in enterprise networks means attacks will persist.
Organizations maintaining NTLM for compatibility with older applications remain particularly vulnerable. Security teams should prioritize migrating to Kerberos, implementing network segmentation, and monitoring for suspicious authentication attempts across their Windows infrastructure.
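The monitoring recommendation above is easier to act on with concrete rules. The following Python script is an added example, not code from the article or from any vendor it cites. It models the fields of Windows Security event 4624 (successful logon) that matter for NTLM hunting and applies three checks that map to the attack classes the article describes: NTLMv1 still being negotiated (a downgrade or legacy-application signal), NTLM network logons arriving from addresses outside the internal ranges (hash leakage and relay from attacker-controlled hosts), and one account from one source reaching many hosts over NTLM in a short window (the Pass-the-Hash lateral-movement pattern). The event records, host names, accounts, addresses and the internal-network list are all constructed for the example; the field names are modelled on event 4624 but the parsing of real event XML or SIEM output is assumed to happen upstream.

```python
"""Flag suspicious NTLM authentication patterns in Windows 4624 logon events.

Added example: sample events are CONSTRUCTED for this demonstration, not real logs.
Field names follow Security event 4624 (TargetUserName, IpAddress, LogonType,
AuthenticationPackageName, LmPackageName); converting raw event XML or SIEM rows
into LogonEvent objects is assumed to happen before these checks run.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class LogonEvent:
    time: str          # event time (string is enough for this example)
    target_host: str   # computer that recorded the logon
    account: str       # TargetUserName, domain-qualified
    source_ip: str     # IpAddress of the client ("-" for local/interactive logons)
    logon_type: int    # LogonType: 3 = network logon (SMB, HTTP, RPC, ...)
    auth_package: str  # AuthenticationPackageName: NTLM, Kerberos, Negotiate
    lm_package: str    # LmPackageName: "NTLM V1", "NTLM V2", or "-"


# Constructed sample events (hypothetical hosts, accounts and addresses).
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent("09:00:01", "FS01", "CORP\\alice", "10.0.1.20", 3, "Kerberos", "-"),
    LogonEvent("09:00:07", "FS01", "CORP\\bob", "10.0.1.21", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:01:15", "WS-ACCT04", "CORP\\svc_backup", "10.0.5.9", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:01:16", "WS-ACCT05", "CORP\\svc_backup", "10.0.5.9", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:01:17", "WS-ACCT06", "CORP\\svc_backup", "10.0.5.9", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:01:18", "FS01", "CORP\\svc_backup", "10.0.5.9", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:02:40", "LEGACY-APP", "CORP\\carol", "10.0.1.30", 3, "NTLM", "NTLM V1"),
    LogonEvent("09:03:02", "FS01", "CORP\\dave", "203.0.113.77", 3, "NTLM", "NTLM V2"),
    LogonEvent("09:03:30", "WS-ACCT04", "CORP\\erin", "-", 2, "Negotiate", "-"),
]


def is_ntlm_network_logon(e: LogonEvent) -> bool:
    """True for logons that actually crossed the network using NTLM."""
    return e.logon_type == 3 and e.auth_package.upper() == "NTLM"


def find_ntlmv1(events: Iterable[LogonEvent]) -> List[LogonEvent]:
    """NTLMv1 responses are the weakest form and should no longer appear at all."""
    return [e for e in events if e.lm_package.upper() == "NTLM V1"]


def find_external_ntlm(events: Iterable[LogonEvent],
                       internal_nets: Sequence[str]) -> List[LogonEvent]:
    """NTLM network logons whose client address lies outside the internal ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for e in events:
        if not is_ntlm_network_logon(e):
            continue
        try:
            ip = ipaddress.ip_address(e.source_ip)
        except ValueError:  # "-" or malformed address: nothing to geolocate
            continue
        if not any(ip in net for net in nets):
            hits.append(e)
    return hits


def find_ntlm_fan_out(events: Iterable[LogonEvent],
                      threshold: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """One (account, source IP) pair reaching `threshold` or more hosts over NTLM.

    A single credential hopping across many machines is the footprint of
    Pass-the-Hash style lateral movement; the threshold is tuned per environment.
    """
    targets: Dict[Tuple[str, str], set] = defaultdict(set)
    for e in events:
        if is_ntlm_network_logon(e):
            targets[(e.account, e.source_ip)].add(e.target_host)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


def report(events: Sequence[LogonEvent],
           internal_nets: Sequence[str] = ("10.0.0.0/8",),
           fan_out_threshold: int = 3) -> List[Tuple[str, str]]:
    """Run all checks and return (rule, description) findings in a fixed order."""
    findings: List[Tuple[str, str]] = []
    for e in find_ntlmv1(events):
        findings.append(("NTLMv1", f"{e.account} -> {e.target_host} from {e.source_ip}"))
    for e in find_external_ntlm(events, internal_nets):
        findings.append(("external-source", f"{e.account} -> {e.target_host} from {e.source_ip}"))
    for (account, ip), hosts in find_ntlm_fan_out(events, fan_out_threshold).items():
        findings.append(("fan-out", f"{account} from {ip} reached {len(hosts)} hosts: {', '.join(hosts)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in report(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed sample the script reports three findings: carol's NTLMv1 logon to the legacy application host, dave's NTLM logon from an address outside 10.0.0.0/8, and the svc_backup account reaching four hosts from one workstation in under five seconds. Each finding corresponds to a remediation the article names: retire the application that still negotiates NTLMv1, block or restrict outbound and inbound NTLM across segment boundaries, and investigate any service account whose NTLM footprint fans out across the estate.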
The post Hackers Exploit NTLM Authentication Flaws to Target Windows Systems appeared first on Cyber Security News.