Microsoft NTLM Zero-Day to Remain Unpatched Until April


The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding an NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.

However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn’t yet have a CVE or CVSS score, is not expected to be patched for months.

Windows NTLM Zero-Day Allows Credential Theft

Researchers from ACROS Security reported finding a zero-day bug in all supported Windows versions. The bug allows an attacker to grab a user’s NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.

“Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s Web page” is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security, wrote in a blog post.

ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker’s ability to exploit the bug depends on various factors.

“It’s not easy to find where the issue is exploitable without actually trying to exploit it,” he explains. Microsoft has assessed the vulnerability as being of moderate or “Important” severity, a designation that is one notch lower than “Critical” severity bugs. The company plans to issue a fix for it in April, Kolsek says.

In an emailed comment, a Microsoft spokesman said the company is “aware of the report and will take action as needed to help keep customers protected.”

The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and allowed attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.

The bugs are among several NTLM-related issues that have surfaced in recent years including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.

Legacy Protocol Dangers

Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward or “relay” them to access other servers or services to which the original users have access.

In its advisory this week, Microsoft described NTLM relaying as a “popular attack method used by threat actors that allows for identity compromise.” The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying that authentication to a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit services that lack protections against NTLM relay attacks.

In response to such attacks, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.

The advisory highlighted the need for organizations to enable EPA especially for Exchange Server, given the “unique role that Exchange Server plays in the NTLM threat landscape.” The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. “Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them,” the company says.
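As an added illustration (not code from the article, ACROS, or Microsoft), the following PowerShell audits the registry-backed settings behind EPA for LDAP (channel binding and signing on a domain controller) and the outbound NTLM restriction policy that Microsoft's guidance points to. It assumes it runs elevated on a domain controller; an absent value is reported as unset rather than assumed secure, since the OS default differs between Windows Server versions.

```powershell
# Added example: report NTLM-relay mitigations that are not explicitly hardened.
# Registry paths and value names are the ones Windows uses for these settings;
# "want" values reflect the hardened state, not necessarily your OS default.
$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegSetting {
    # Returns the DWORD value, or the string 'unset' when the value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'unset' }
    return [int]$item.$Name
}

$findings = @()

# LdapEnforceChannelBinding: 0 = off, 1 = when supported, 2 = always.
# 2 is what "EPA for LDAP" means in practice; it ties the NTLM auth to the TLS channel.
$cb = Get-RegSetting $ntdsPath 'LdapEnforceChannelBinding'
if ($cb -ne 2) { $findings += "LDAP channel binding not enforced (value: $cb; want 2)" }

# LDAPServerIntegrity: 1 = none, 2 = require signing. Required signing blocks
# relaying a coerced NTLM authentication to LDAP over a non-TLS port.
$sign = Get-RegSetting $ntdsPath 'LDAPServerIntegrity'
if ($sign -ne 2) { $findings += "LDAP signing not required (value: $sign; want 2)" }

# RestrictSendingNTLMTraffic ("Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers"): 0 = allow all, 1 = audit all, 2 = deny all.
# Denying outbound NTLM limits what a coerced host can leak to an attacker endpoint.
$out = Get-RegSetting $lsaPath 'RestrictSendingNTLMTraffic'
if ($out -ne 2) { $findings += "Outgoing NTLM not denied (value: $out; 1 = audit only, want 2)" }

if ($findings.Count -eq 0) {
    'All checked NTLM relay mitigations are explicitly enforced.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once in audit mode (value 1 for outgoing NTLM) on a representative set of hosts before moving to deny, so that legacy dependencies on NTLM surface in the event log rather than as outages.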

Kolsek says it’s unclear if Microsoft’s advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. “[But] if possible, follow Microsoft’s recommendations on mitigating NTLM-related vulnerabilities,” he says. “If not, consider 0patch,” he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.
