A new report from Kaspersky Labs reveals that despite being over two decades old, the NTLM authentication protocol remains a critical security liability in 2025. Cybercriminals are actively exploiting newly discovered vulnerabilities to launch sophisticated attacks across the globe.
It feels like 2001 all over again. Back when Windows XP was brand new and the iPod was just launching, the cybersecurity world was rocked by the first major NTLM relay attack tool. Fast forward to 2025, and the legacy protocol is still haunting enterprise networks.
Kaspersky’s latest research highlights a surge in NTLM-related exploits over the past year. Despite Microsoft’s ongoing efforts to deprecate the protocol, it remains deeply embedded in modern infrastructure, providing a reliable entry point for attackers.

One of the most alarming vulnerabilities detailed in the report is CVE-2024-43451, a flaw that allows attackers to steal a user’s NTLMv2 hash with virtually no interaction.
The vulnerability abuses the MSHTML engine—a legacy component of Internet Explorer that still exists in Windows for backward compatibility. Attackers can craft malicious .url files that trigger an NTLM authentication attempt to an attacker-controlled server simply by being selected, right-clicked, or deleted.
“While directly opening the malicious .url file reliably triggers the exploit, the vulnerability may also be activated through alternative user actions such as right-clicking, deleting, single-clicking, or just moving the file,” the report explains.
The report tracks specific threat actors who have weaponized these flaws:
- BlindEagle (Colombia): This APT group targeted Colombian government entities using phishing emails disguised as judicial notifications. They used the .url exploit to silently download and execute the Remcos RAT, bypassing traditional SMB blocks by using WebDAV over port 80.
- Head Mare (Russia/Belarus): A hacktivist group targeted the manufacturing and education sectors in Russia. They distributed malicious ZIP files containing .url exploits disguised as “Service Agreements,” leading to the deployment of PhantomCore malware.
- Trojan Distribution (Russia): A separate campaign used CVE-2025-24054 to distribute the AveMaria (Warzone) Trojan via malicious .library-ms files hidden inside ZIP archives.
Perhaps the most technical finding involves CVE-2025-33073, a high-severity NTLM reflection vulnerability. This flaw allows an internal attacker to trick a system into authenticating against itself, effectively granting them SYSTEM-level privileges.
In a documented incident in Uzbekistan’s financial sector, an attacker used a crafted DNS hostname to bypass Windows’ local authentication checks. This allowed them to “coerce the host into authenticating against itself and obtain a SYSTEM token,” which they then used to dump the LSASS memory and steal credentials.
The persistence of NTLM in 2025 highlights a critical challenge in cybersecurity: legacy debt.
“In 2025, NTLM remains deeply entrenched in Windows environments, continuing to offer cybercriminals opportunities to exploit its long-known weaknesses,” the report concludes.
Kaspersky experts urge organizations to accelerate their move to Kerberos, enforce SMB signing and EPA (Extended Protection for Authentication), and audit their networks for NTLM traffic. As the report warns: “Otherwise, NTLM will remain a convenient and recurring entry point for attackers.”
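The NTLM audit the report recommends can start with the Windows Security log: successful logon events (ID 4624) record which authentication package was negotiated. The following is an added example, not code from the report or from Kaspersky, that sifts a flat export of such events, lists the logons that fell back to NTLM, and names the sources still negotiating NTLMv1 or LM; the `key=value;` export format and the sample records are constructed assumptions.

```python
from collections import Counter

# Constructed sample export of Security log events, one "key=value;..." record
# per line (an assumed flat export format, not any real tool's output).
SAMPLE_EVENTS = """\
EventID=4624;LogonType=3;TargetUserName=alice;AuthenticationPackageName=Kerberos;LmPackageName=-;WorkstationName=WS01;IpAddress=10.0.0.5
EventID=4624;LogonType=3;TargetUserName=svc_backup;AuthenticationPackageName=NTLM;LmPackageName=NTLM V2;WorkstationName=FS01;IpAddress=10.0.0.7
EventID=4624;LogonType=3;TargetUserName=bob;AuthenticationPackageName=NTLM;LmPackageName=NTLM V1;WorkstationName=OLDPRINTER;IpAddress=10.0.3.9
EventID=4624;LogonType=2;TargetUserName=carol;AuthenticationPackageName=Negotiate;LmPackageName=-;WorkstationName=WS02;IpAddress=127.0.0.1
EventID=4625;LogonType=3;TargetUserName=bob;AuthenticationPackageName=NTLM;LmPackageName=-;WorkstationName=-;IpAddress=10.0.3.9
"""

def parse_event(line):
    """Split one flat record into a field dict."""
    return dict(f.split("=", 1) for f in line.strip().split(";") if "=" in f)

def is_ntlm(ev):
    """True when the logon was negotiated down to NTLM or LM (any version)."""
    pkg = ev.get("AuthenticationPackageName", "")
    sub = ev.get("LmPackageName", "-")
    return pkg == "NTLM" or sub.startswith(("NTLM", "LM"))

def ntlm_logons(text):
    """Successful (4624) logons that used NTLM, as (user, version, source, ip)."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4624" and is_ntlm(ev):
            hits.append((ev["TargetUserName"], ev.get("LmPackageName", "-"),
                         ev.get("WorkstationName", "-"), ev.get("IpAddress", "-")))
    return hits

def ntlm_summary(hits):
    """Count NTLM logons per sub-package; NTLM V1 and LM are the ones to retire first."""
    return Counter(version for _, version, _, _ in hits)

def legacy_sources(hits):
    """Sources still negotiating NTLMv1/LM: first candidates for the Kerberos migration."""
    return sorted({src for _, version, src, _ in hits if version in ("NTLM V1", "LM")})

if __name__ == "__main__":
    found = ntlm_logons(SAMPLE_EVENTS)
    for user, version, src, ip in found:
        print(f"{version:8} user={user} source={src} ip={ip}")
    print("by version:", dict(ntlm_summary(found)))
    print("NTLMv1/LM sources:", legacy_sources(found))
```

Failed logons (4625) are skipped on purpose here; a real audit would track them separately, since repeated NTLM failures from one source are their own signal.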