New Zero-Day Vulnerability in NTLM Threatens 64% of Active Directory Users: Urgent Security Measures Needed
December 20, 2024

Despite being officially deprecated as of June 2024, Microsoft's NTLM authentication protocol remains widely used, with 64% of Active Directory user accounts still relying on it, highlighting its persistent vulnerabilities.
A newly discovered zero-day vulnerability in NTLM, identified by 0patch, allows attackers to steal NTLM credentials simply by having a user view a malicious file in Windows Explorer, triggering an outbound NTLM connection.
This vulnerability poses a significant risk as it does not require the user to actively open the malicious file, making it easier for attackers to execute authentication relay and dictionary attacks.
When a user views such a malicious file, NTLM hashes of the currently logged-in user are sent to an attacker-controlled share, granting unauthorized access to systems.
The outdated design of NTLM transmits password hashes instead of verifying plaintext passwords, making it susceptible to interception even in NTLM v2 environments.
To enhance security against these vulnerabilities, administrators are encouraged to upgrade to Windows Server 2025, which has Extended Protection for Authentication (EPA) and channel binding enabled by default.
Organizations should enable EPA on services like LDAP and Active Directory Certificate Services (AD CS) to mitigate the risks associated with this vulnerability.
In addition to enabling EPA, monitoring and hardening LDAP configurations, along with implementing SMB signing and encryption, can help prevent NTLM credential leakage.
Conducting audits to identify systems still reliant on NTLM is crucial, and organizations should prioritize transitioning to modern authentication protocols such as Kerberos and implementing Multi-Factor Authentication (MFA) where possible.
For organizations still using legacy systems that require NTLM, implementing additional authentication layers and considering Dynamic Risk Based Policies can provide added protection.
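The following script, added here as an illustration and not taken from the article, 0patch or Dark Reading, checks the hardening state the preceding paragraphs recommend (LDAP signing and channel binding, NTLM auditing, SMB signing and encryption) and lists recent NTLM logons so NTLM-dependent accounts can be found; with -Enforce it also applies the settings. It assumes it runs elevated on a domain-joined Windows Server (the NTDS values are only meaningful on domain controllers) and that Security event 4624 auditing is enabled.

```powershell
# Added example: audit (and optionally enforce) NTLM-related hardening.
# Assumes an elevated PowerShell session on Windows Server; NTDS values apply to DCs only.
param([switch]$Enforce)

# Desired registry state: LDAP signing + channel binding (EPA for LDAP), NTLM audit logging.
$Desired = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LDAPServerIntegrity';        Value=2; Note='Require LDAP signing' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LdapEnforceChannelBinding';  Value=2; Note='Always require LDAP channel binding' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';       Name='AuditReceivingNTLMTraffic';  Value=2; Note='Audit incoming NTLM for all accounts' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';       Name='RestrictSendingNTLMTraffic'; Value=1; Note='Audit outgoing NTLM (1=audit, 2=deny)' }
)

foreach ($d in $Desired) {
    $cur = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $ok  = ($cur -eq $d.Value)
    $shown = if ($null -eq $cur) { 'unset' } else { $cur }
    '{0,-4} {1,-28} current={2,-6} want={3}  {4}' -f $(if ($ok) { 'OK' } else { 'FIX' }), $d.Name, $shown, $d.Value, $d.Note
    if ($Enforce -and -not $ok) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}

# SMB signing and encryption: both server and client sides should require signing.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
'SMB server RequireSecuritySignature={0} EncryptData={1}' -f $srv.RequireSecuritySignature, $srv.EncryptData
'SMB client RequireSecuritySignature={0}' -f $cli.RequireSecuritySignature
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Inventory: logons in the last 24h whose authentication package was NTLM (Security 4624),
# grouped by account and NTLM version, to locate systems still depending on NTLM.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $f = @{}
        foreach ($n in $x.Event.EventData.Data) { $f[$n.Name] = $n.'#text' }
        if ($f.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{ Account = $f.TargetUserName; Source = $f.IpAddress; Package = $f.LmPackageName }
        }
    } |
    Group-Object Account, Package | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run without -Enforce first to see which settings deviate; enforcing LDAP signing or channel binding on a domain controller will break clients that still bind without them, so use the 4624 inventory to find those clients before switching.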
This vulnerability affects all versions of Windows from Windows 7 and Server 2008 R2 to Windows 11 24H2 and Server 2022, making it a critical concern for many enterprises.
Summary based on 1 source
Source
Dark Reading • Dec 20, 2024
How to Protect Your Environment from the NTLM Vulnerability