Microsoft has recently issued new guidance aimed at helping organizations defend against NTLM relay attacks, a move that comes shortly after researchers unveiled a zero-day vulnerability affecting all versions of Windows Workstation and Server, from Windows 7 to the latest Windows 11. Whether the two developments are connected or merely coincidental remains unclear. Notably, the newly discovered bug, which currently lacks a CVE or CVSS score, is not anticipated to receive a patch for several months.
Windows NTLM Zero-Day Allows Credential Theft
Researchers from ACROS Security have identified a zero-day vulnerability that poses a significant risk across all supported Windows versions. This flaw enables attackers to capture a user’s NTLM credentials merely by tricking them into opening a malicious file through the Windows Explorer file management utility. As Mitja Kolsek, CEO of ACROS Security, explained in a blog post, “Opening a shared folder or USB disk with such a file or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker’s webpage” can lead to credential compromise.
ACROS has chosen to withhold further details about the bug until Microsoft implements a fix. Kolsek noted that the exploitability of the bug hinges on various factors, stating, “It’s not easy to find where the issue is exploitable without actually trying to exploit it.” Microsoft has classified the vulnerability as having moderate or “Important” severity, which is one level below “Critical.” A fix is expected to be rolled out in April, according to Kolsek.
A Microsoft spokesperson acknowledged awareness of the report, assuring that the company will take necessary actions to safeguard its customers. This vulnerability marks the second NTLM credential leak zero-day reported by ACROS to Microsoft since October, following a previous incident involving a Windows Themes spoofing issue that allowed attackers to manipulate victim devices into sending NTLM authentication hashes to their own devices. As of now, Microsoft has not issued a patch for that earlier bug either.
These vulnerabilities are part of a broader trend of NTLM-related issues that have emerged in recent years, including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and a recent vulnerability affecting an open-source policy enforcement engine.
Legacy Protocol Dangers
Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft retains in modern Windows systems primarily for backward compatibility. Unfortunately, this protocol has become a frequent target for attackers seeking to exploit its weaknesses to intercept authentication requests and relay them to gain access to other servers or services that the original users can access.
In its advisory released this week, Microsoft characterized NTLM relaying as a “popular attack method used by threat actors that allows for identity compromise.” These attacks typically involve coercing a victim into authenticating to an attacker-controlled endpoint and then relaying that authentication against a vulnerable target server or service. The advisory referenced previous vulnerabilities exploited by attackers, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, which targeted services lacking protections against NTLM relaying attacks.
In response to these threats, Microsoft has updated its guidance on enabling Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server. The latest Windows Server 2025 now comes with EPA enabled by default for both AD CS and LDAP. The advisory emphasized the importance of enabling EPA specifically for Exchange Server, given its “unique role in the NTLM threat landscape.” Microsoft pointed to recent vulnerabilities, including CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563, as examples of exploits that attackers have leveraged for NTLM coercion.
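To make concrete why EPA matters for the relay scenario the advisory describes, the following is an added, constructed model (not code from Microsoft, ACROS, or the advisory) of a challenge/response login with and without channel binding. It is not the real NTLM or GSS-API wire format: the secret key, certificate bytes and message layout are all stand-ins invented for the example. It shows that once the client's response is keyed to the TLS channel it actually used, a response coerced over an attacker-controlled endpoint no longer verifies at the real target.

```python
import hashlib
import hmac
import os

# Constructed toy model of NTLM-style challenge/response with and without
# Extended Protection for Authentication (EPA). This is NOT the real NTLM
# or GSS-API format; it only illustrates why binding the response to the
# TLS channel defeats a relay.

# Stand-in for the NT hash the real protocol derives from the password.
SECRET_KEY = hashlib.sha256(b"constructed-example-password").digest()

# Constructed certificate placeholders for the two TLS endpoints.
TARGET_CERT = b"constructed-target-server-cert"
ATTACKER_CERT = b"constructed-attacker-endpoint-cert"


def channel_binding_token(server_cert: bytes) -> bytes:
    """tls-server-end-point style CBT: a hash of the certificate the client
    actually saw on the TLS channel it authenticated over."""
    return hashlib.sha256(server_cert).digest()


def client_respond(key: bytes, challenge: bytes, cert_seen: bytes, epa: bool) -> bytes:
    """Client side: the response covers the server challenge and, with EPA,
    the CBT of the channel the client is using, keyed under the user's secret."""
    cbt = channel_binding_token(cert_seen) if epa else b""
    return hmac.new(key, challenge + cbt, hashlib.sha256).digest()


def server_verify(key: bytes, challenge: bytes, own_cert: bytes,
                  response: bytes, epa: bool) -> bool:
    """Server side: recompute using the CBT of ITS OWN certificate. A response
    computed over some other channel cannot match."""
    cbt = channel_binding_token(own_cert) if epa else b""
    expected = hmac.new(key, challenge + cbt, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def direct_login(epa: bool) -> bool:
    """Legitimate flow: the client talks to the target over the target's own
    TLS channel, so the certificate it sees is the target's."""
    challenge = os.urandom(8)
    response = client_respond(SECRET_KEY, challenge, TARGET_CERT, epa)
    return server_verify(SECRET_KEY, challenge, TARGET_CERT, response, epa)


def relayed_login(epa: bool) -> bool:
    """Relay flow as the advisory describes it: the victim is coerced into
    authenticating to an attacker-controlled endpoint, which opens its own
    session with the target, hands the target's challenge to the victim, and
    forwards the victim's response. Returns True if the target accepts it."""
    challenge = os.urandom(8)  # issued by the target, forwarded unchanged
    # The victim's TLS channel terminates at the attacker's endpoint, so any
    # CBT the victim computes is over the attacker's certificate.
    response = client_respond(SECRET_KEY, challenge, ATTACKER_CERT, epa)
    return server_verify(SECRET_KEY, challenge, TARGET_CERT, response, epa)


if __name__ == "__main__":
    for epa in (False, True):
        print(f"EPA={epa}: direct={direct_login(epa)} "
              f"relay_accepted={relayed_login(epa)}")
```

Without EPA the forwarded response is accepted, because nothing in it says which channel it was produced on; with EPA the legitimate login still succeeds while the relayed one fails. The model deliberately leaves out session signing (the other relay mitigation Microsoft recommends for SMB and LDAP) and the question of clients that never send a CBT, which is why the advisory pairs EPA with enforcing it server-side rather than merely supporting it.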
Kolsek expressed uncertainty regarding whether Microsoft’s recent recommendations for protecting against NTLM attacks are related to his recent bug disclosure. He advised, “If possible, follow Microsoft’s recommendations on mitigating NTLM-related vulnerabilities.” For those unable to do so, he suggested considering 0patch, which offers free micropatches for vulnerabilities, particularly in older and unsupported software products.