In the rapidly evolving world of cybersecurity, legacy protocols often present critical vulnerabilities that attackers exploit to compromise systems. One such threat has been identified in Microsoft’s NTLM authentication protocol. With NTLM being a legacy standard, the exploitation of its weaknesses, especially in relay attacks, underscores the need for swift and robust mitigation measures. This blog post delves into the details of the recently disclosed NTLM Zero-Day, its implications, and how organizations can safeguard against this risk.
While Microsoft has already announced its plans to kill off the NTLM authentication protocol in Windows 11 in the future, 0patch notes that this is the third zero-day vulnerability they recently reported to the software giant, which the vendor has not taken immediate action to address.
At its core, an NTLM relay attack involves two critical steps:
Coercion: The attacker tricks a victim into authenticating with a rogue endpoint by embedding malicious links or exploiting protocol weaknesses.
Relaying: The captured authentication credentials are forwarded to a legitimate target service vulnerable to NTLM relaying.
This vulnerability enables attackers to authenticate on behalf of the victim and execute commands with the same privileges, compromising the target service.
In response, Microsoft has emphasized Extended Protection for Authentication (EPA), a mitigation mechanism that strengthens authentication by binding the NTLM authentication process to specific endpoints.
By enabling EPA by default in Exchange Server 2019 (CU14) and Windows Server 2025, Microsoft has significantly reduced the risk of NTLM relay attacks in environments leveraging these services.
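The two relay steps above and the reason EPA defeats them can be shown concretely. The following Python is an added illustration, not code from Microsoft or 0patch: it computes the NTLM channel-binding value the way MS-NLMP and RFC 5929 describe it (MD5 of a gss_channel_bindings_struct whose application data is "tls-server-end-point:" plus a SHA-256 of the server's DER certificate) and then simulates a victim, a rogue endpoint and a legitimate target. The certificate bytes, host names and the simplified AUTHENTICATE message dictionary are constructed for the demo; a real client embeds the value in the NTLMv2 target_info, where it is covered by the NTProofStr HMAC, so a relaying party cannot rewrite it without the user's password.

```python
import hashlib
import struct


def channel_binding_token(tls_cert_der: bytes) -> bytes:
    """MsvAvChannelBindings value for a TLS endpoint (RFC 5929 tls-server-end-point).

    application_data = "tls-server-end-point:" || hash(server certificate).
    SHA-256 is used here; RFC 5929 selects the hash from the certificate's
    signature algorithm, and SHA-256 is the common case.
    """
    app_data = b"tls-server-end-point:" + hashlib.sha256(tls_cert_der).digest()
    # gss_channel_bindings_struct: initiator/acceptor address types and
    # lengths are all zero; only application_data_length and the data matter.
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


class Endpoint:
    """A TLS-terminating service that accepts NTLM (assumed, simplified model)."""

    def __init__(self, name: str, cert_der: bytes, epa_enabled: bool):
        self.name = name
        self.cert_der = cert_der
        self.epa_enabled = epa_enabled

    def accept_ntlm_auth(self, auth_msg: dict) -> bool:
        """Server-side decision: is this AUTHENTICATE message bound to *my* channel?"""
        if not self.epa_enabled:
            # Legacy behaviour: any valid NTLMv2 response is accepted, whoever forwarded it.
            return True
        cbt = auth_msg.get("channel_bindings")
        if cbt is None:
            # EPA "Required": a client that sends no binding is rejected.
            return False
        return cbt == channel_binding_token(self.cert_der)


def client_authenticate(user: str, connected_cert_der: bytes) -> dict:
    """Client side: the CBT is derived from the certificate of the TLS channel
    the client actually connected to, so it travels with the auth message."""
    return {"user": user, "channel_bindings": channel_binding_token(connected_cert_der)}


# Constructed stand-ins for DER certificates (real ones would be ASN.1 blobs).
LEGIT_CERT = b"-- constructed DER bytes: CN=exchange.corp.example --"
ROGUE_CERT = b"-- constructed DER bytes: CN=rogue.attacker.example --"


def direct_logon(epa_enabled: bool) -> bool:
    """Step 0 (baseline): victim talks to the legitimate server directly."""
    target = Endpoint("exchange.corp.example", LEGIT_CERT, epa_enabled)
    return target.accept_ntlm_auth(client_authenticate("jdoe", LEGIT_CERT))


def relayed_logon(epa_enabled: bool) -> bool:
    """Steps 1-2 from the post: coercion to a rogue endpoint, then relay."""
    target = Endpoint("exchange.corp.example", LEGIT_CERT, epa_enabled)
    # Coercion: the victim's client completes TLS with the rogue endpoint, so
    # its channel binding is computed over ROGUE_CERT.
    captured = client_authenticate("jdoe", ROGUE_CERT)
    # Relaying: the message is forwarded unchanged (the binding sits inside the
    # HMAC-protected NTLMv2 response and cannot be fixed up by the relay).
    return target.accept_ntlm_auth(captured)


if __name__ == "__main__":
    print("direct, EPA off :", direct_logon(False))   # True
    print("direct, EPA on  :", direct_logon(True))    # True
    print("relayed, EPA off:", relayed_logon(False))  # True  <- the attack
    print("relayed, EPA on :", relayed_logon(True))   # False <- EPA stops it
```

The model deliberately ignores the rest of NTLM (challenge, NTProofStr, MIC); the point is that binding ties the authentication to one TLS server certificate, so a response collected on the attacker's channel is only valid there.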
Organizations utilizing on-premises Exchange Server, AD CS, or LDAP are particularly at risk. These services are commonly targeted by NTLM relay attacks due to their widespread use and the potential access they provide to critical resources.
Key indicators of vulnerability include:
Older versions of Exchange Server without EPA enabled by default.
Active Directory environments relying on AD CS without channel binding.
LDAP configurations lacking channel binding settings.
For organizations using legacy systems, it is imperative to assess configurations and ensure that NTLM mitigations are enabled where possible. Vulnerable environments can be identified through auditing tools or Microsoft-provided guidance.
While Microsoft has not reported active exploitation of this specific Zero-Day at the time of publication, NTLM relay attacks are a well-documented tactic employed by threat actors. Notable examples include CVE-2023-23397, where Outlook vulnerabilities were used to relay credentials to Exchange Server, and CVE-2021-36942, which targeted AD CS.
The recurrence of such attacks highlights the critical need for preemptive security measures to prevent potential exploitation. Organizations are urged to proactively implement the latest updates and monitor for unusual authentication behavior that could indicate relaying activities.
To safeguard against NTLM relay attacks and this Zero-Day vulnerability, organizations should adopt the following measures:
Enable EPA by Default – Ensure Exchange Server 2019 (CU14) is updated to enable EPA. For Exchange Server 2016, scripts provided by Microsoft can be used to activate EPA manually.
Update to Windows Server 2025 – This version includes EPA and channel binding enabled by default for AD CS and LDAP. These changes significantly reduce the attack surface for NTLM relay threats.
Audit NTLM Usage – Leverage auditing tools to identify systems still relying on NTLM and plan a transition to more secure authentication protocols like Kerberos.
Harden LDAP Configurations – Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.
Remove NTLM Dependencies – Begin migrating services away from NTLM to reduce reliance on this legacy protocol and minimize exposure to its vulnerabilities.
Microsoft has provided detailed documentation on these steps, ensuring organizations have the resources to address NTLM relay risks effectively.
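The "Audit NTLM Usage" step produces raw events, not an inventory. As an added example (not a Microsoft tool), the Python below turns audit records into the list an administrator needs for the "Remove NTLM Dependencies" step: which servers still receive NTLM logons, from which workstations and accounts. The sample records are constructed in a compact one-line format that mirrors the fields Windows writes to the NTLM Operational log once "Network security: Restrict NTLM: Audit ..." is enabled (event 8004 on a domain controller, 8002 on a member server); the real log is XML or EVTX, so the parser's field names are an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit records (one per line). Field names follow the
# NTLM Operational log; the one-line rendering is this example's own format.
SAMPLE_EVENTS = """\
EventID=8004 SecureChannelName=EXCH01 UserName=jdoe DomainName=CORP WorkstationName=WS-ACCT-17
EventID=8004 SecureChannelName=EXCH01 UserName=svc_backup DomainName=CORP WorkstationName=BACKUP01
EventID=8002 SecureChannelName=FILE02 UserName=jdoe DomainName=CORP WorkstationName=WS-ACCT-17
EventID=8004 SecureChannelName=CA01 UserName=PRN-LOBBY$ DomainName=CORP WorkstationName=PRN-LOBBY
EventID=8004 SecureChannelName=EXCH01 UserName=jdoe DomainName=CORP WorkstationName=WS-ACCT-17
"""

AUDIT_EVENT_IDS = {8002, 8004}  # incoming NTLM audited on server / domain controller
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list:
    """Parse key=value audit lines into dicts, keeping only NTLM audit events."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if int(fields.get("EventID", 0)) in AUDIT_EVENT_IDS:
            records.append(fields)
    return records


def ntlm_inventory(records: list) -> dict:
    """Map each server still accepting NTLM to a Counter of (workstation, user) pairs."""
    inventory = defaultdict(Counter)
    for r in records:
        server = r["SecureChannelName"]
        inventory[server][(r["WorkstationName"], r["DomainName"] + "\\" + r["UserName"])] += 1
    return dict(inventory)


def migration_order(records: list) -> list:
    """Servers ranked by number of distinct NTLM clients, busiest first.

    Services with the most distinct dependants need the longest lead time
    before NTLM can be disabled, so they go to the top of the migration plan.
    """
    inv = ntlm_inventory(records)
    ranked = sorted(inv.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(server, len(clients)) for server, clients in ranked]


def computer_accounts(records: list) -> set:
    """Accounts ending in '$' are machine accounts: often printers or appliances
    that cannot do Kerberos and will need a firmware fix or replacement."""
    return {r["UserName"] for r in records if r["UserName"].endswith("$")}


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for server, n in migration_order(recs):
        print(f"{server}: {n} distinct NTLM client/account pairs")
    print("machine accounts still using NTLM:", sorted(computer_accounts(recs)))
```

Run against a real export, the same three functions answer the questions the post's checklist raises: which Exchange, AD CS or LDAP endpoints still see NTLM, who depends on them, and which non-interactive devices are blocking a switch to Kerberos.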
This Zero-day follows another security flaw, CVE-2024-43451, an NTLM Hash Disclosure spoofing vulnerability reported by ClearSky security researchers and exploited in the wild. If exploited, the flaw would allow an attacker to steal the logged-in user's NTLMv2 hash by forcing connections to a remote attacker-controlled server.
The NTLM Zero-Day underscores the importance of proactive security measures and the elimination of legacy protocol dependencies. Microsoft’s introduction of EPA by default for critical services like Exchange Server, AD CS, and LDAP marks a significant step forward in hardening against NTLM relay attacks.
However, organizations must also take ownership of their security posture by updating to supported software versions, enabling mitigations, and transitioning to modern authentication protocols. By addressing NTLM vulnerabilities now, enterprises can stay ahead of attackers and secure their environments against future threats.
For more technical insights, consult Microsoft’s official blog post on NTLM Relay Mitigations.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: