NTLM Archives

Winsage

April 30, 2026

CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)

Attackers are exploiting CVE-2026-32202, a zero-click vulnerability in Windows Shell, allowing authentication of victims' systems without user interaction. This vulnerability stems from an incomplete patch for CVE-2026-21510 and has been used by the APT28 group with weaponized LNK files to bypass Windows security. Although Microsoft addressed these vulnerabilities in February 2026, the risk remains as opening a folder with a malicious LNK file can still connect victims' machines to the attacker's server, initiating an NTLM authentication handshake that exposes the victim’s Net-NTLMv2 hash. This affects various versions of Windows 10, 11, and Windows Server. Microsoft released a patch for CVE-2026-32202 on April 14, 2026, but did not label it as actively exploited until more than two weeks later, leaving security teams unaware of its urgency. Organizations are advised to apply the patch and consider blocking outbound SMB traffic to mitigate risks.

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.

Winsage

April 9, 2026

BlueHammer: Windows zero-day exploit leaked

A proof-of-concept (PoC) exploit called BlueHammer has been released on GitHub, targeting an unpatched local privilege escalation vulnerability in Windows. The exploit, attributed to users Chaotic Eclipse and Nightmare Eclipse, has been modified by security researchers to work on updated versions of Windows 10, 11, and Windows Server. The exploit manipulates Microsoft Defender to create a Volume Shadow Copy, allowing access to sensitive registry files and enabling the extraction of NTLM password hashes. This facilitates the alteration of a local Administrator's password and subsequent login. The exploit can duplicate the Administrator's security token and create a malicious Windows Service that runs with SYSTEM privileges. While there are no reports of BlueHammer being exploited by malicious actors, researchers warn that such PoC code can be weaponized quickly. Microsoft has committed to investigating reported security issues related to this vulnerability.

Winsage

March 2, 2026

NTLM is going away: what Microsoft’s phaseout means for MSPs and IT teams

The migration from NTLM to Kerberos authentication is essential for improving security in Windows systems, but it faces challenges such as legacy systems and hardcoded authentication. Organizations must identify NTLM usage, conduct testing with NTLM disabled, and make necessary adjustments or upgrades to migrate successfully. Ongoing monitoring is crucial post-migration to prevent NTLM from re-entering the network. NTLM is associated with significant security vulnerabilities and has been exploited by various threat groups, making its elimination a priority for organizations despite potential hesitations to invest in the migration process. Transitioning to Kerberos is seen as a strategic security investment.

Winsage

January 30, 2026

Microsoft to disable NTLM by default in future Windows releases

Microsoft will disable the NTLM authentication protocol by default in the next major Windows Server release and associated Windows client versions. NTLM, introduced in 1993, has been vulnerable to various cyberattacks, including NTLM relay and pass-the-hash attacks. The transition plan includes three phases: enhanced auditing tools in Windows 11 24H2 and Windows Server 2025, new features like IAKerb and a Local Key Distribution Center in late 2026, and eventually disabling network NTLM by default in future releases. NTLM will remain in the operating system but will not be used automatically. Microsoft deprecated NTLM authentication in July 2024 and has encouraged developers to transition to Kerberos or Negotiation authentication.

Winsage

November 5, 2025

Microsoft warns Windows 11 25H2, 24H2 October update triggers BitLocker recovery on PCs for businesses

Microsoft has acknowledged a significant issue affecting users of BitLocker on Windows 11 versions 25H2 and 24H2, as well as Windows 10, which may prompt users to enter their BitLocker recovery key during startup, risking data loss if the key is not available. The problem arises after installing Windows Updates released on or after October 14, 2025, and predominantly affects Intel-based PCs with the "Connected Standby" feature. Affected users can check if BitLocker is enabled by navigating to Settings > System > Storage > Disk & Volumes. Microsoft is rolling out a fix, but business users must manually deploy it. Users are advised to back up their BitLocker recovery keys to their Microsoft accounts.

Winsage

November 3, 2025

Microsoft Sounds Windows 11 And Server Update Failure Alarm

Microsoft has confirmed that users of Windows 11 and Windows Server are experiencing authentication failures due to updates released on or after August 29. This issue, detailed in Microsoft Support posting KB5070568, is linked to duplicate Security IDs (SIDs) on devices, affecting Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025. The problem arises from new security protections that enforce checks on SIDs, which are necessary to maintain user account integrity and prevent unauthorized access. Duplicate SIDs typically result from unsupported cloning or duplication of a Windows installation without using the Sysprep tool. The recent update mandates SID uniqueness, blocking authentication handshakes between devices with duplicate SIDs. To resolve this, users must rebuild their devices using supported methods for cloning or duplicating a Windows installation to ensure unique SIDs.

Winsage

October 26, 2025

Microsoft admits File Explorer Preview pane won’t work in Windows 11 25H2 for internet files by default

Microsoft has disabled the preview feature for files downloaded from the internet in the File Explorer Preview pane for Windows 11 versions 25H2 and 24H2, as well as in the latest Windows 10 update, due to security concerns. Users can still preview locally created files, but attempting to preview internet-downloaded files will trigger a warning message. The decision to disable previews for these files is intended to prevent potential security vulnerabilities, specifically a risk of NTLM hash leaks. Files marked with a “Mark of the Web (MotW)” tag, which indicates they were downloaded from various sources, will be blocked from previewing. Users can unblock previews for trusted files by right-clicking the file, selecting Properties, and checking the ‘Unblock’ option. A PowerShell script is also available to unblock all files in a specific directory. This update is part of the Windows October 2025 Patch Tuesday.

Winsage

October 26, 2025

Microsoft Warning—Do Not Open These Files On A Windows PC

Effective October 14, Microsoft will automatically disable the preview feature in File Explorer for files downloaded from the internet that are marked with a "Mark of the Web (MotW)." This measure addresses vulnerabilities related to "NTLM hash leakage," which could allow attackers to exploit the preview feature to capture sensitive credentials. Users must manually unblock these files by accessing the Properties settings. The change will take effect after the next login, and users can also unblock all files from a specific file share address, although this will relax security measures for those files.

Winsage

October 24, 2025

Microsoft Boosts Windows Security by Disabling File Preview for Downloads

Microsoft is implementing a security update for Windows File Explorer starting October 14, 2025, which will automatically disable the preview pane for files downloaded from the internet. This measure aims to address a vulnerability that could expose users' NTLM hashes, which are sensitive credentials used for network authentication. The update utilizes the “Mark of the Web” attribute to prevent previews of untrusted files, displaying a warning message instead. Local documents and files from trusted sources will still display previews normally. Users can override this protection for trusted downloads by unblocking the file in its properties. IT administrators can also add file shares to Local Intranet or Trusted Sites, although this should only be done for verified networks. The update enhances security in enterprise environments while maintaining usability.