Microsoft has disclosed a critical vulnerability in the NTLM (NT LAN Manager) authentication protocol that could allow attackers to bypass security controls on Windows systems. CVE-2025-24054, rated 9.8 on the CVSS scale, represents one of the most severe Windows security threats discovered in recent years.

Understanding the NTLM Vulnerability

The vulnerability exists in how Windows implements NTLM authentication, specifically in the protocol's challenge-response mechanism. Attackers can exploit this flaw to:

  • Perform relay attacks to gain unauthorized access
  • Bypass multi-factor authentication protections
  • Elevate privileges on compromised systems
  • Move laterally across enterprise networks

Microsoft's advisory states: "An attacker who successfully exploits this vulnerability could impersonate any user on a target system." This includes domain administrator accounts in Active Directory environments.

Technical Breakdown

How NTLM Normally Works

NTLM authentication involves three steps:
  1. Negotiation: Client requests authentication
  2. Challenge: Server sends a random number (challenge)
  3. Response: Client returns a value computed from the challenge and the user's password hash

The Vulnerability Explained

The flaw allows attackers to:

  • Intercept legitimate authentication attempts
  • Modify the challenge-response sequence
  • Force the server to accept manipulated credentials

Affected Systems

All Windows versions supporting NTLM are vulnerable, including:

  • Windows 11 (all versions)
  • Windows 10 (1809 and later)
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016

Mitigation Strategies

Microsoft recommends these immediate actions:

  1. Disable NTLM where possible (use Kerberos instead)
  2. Enable SMB signing to prevent relay attacks
  3. Implement Network Level Authentication (NLA)
  4. Apply the emergency patch (KB5035849)

Enterprise Impact

For organizations, this vulnerability is particularly dangerous because:

  • NTLM is still widely used in legacy systems
  • Many automated processes rely on NTLM authentication
  • Attack chains can bypass traditional security controls

Detection Methods

Security teams should look for:

  • Unusual NTLM authentication patterns
  • Authentication requests from unexpected locations
  • Multiple failed NTLM attempts followed by success
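The last two bullets can be turned into concrete detection logic. The following Python is an added example, not part of the original article: it runs over constructed records standing in for Windows Security events 4624 (logon success) and 4625 (logon failure) with an NTLM authentication package, flags a burst of failures followed by a success for the same source and account, and flags NTLM logons from outside an assumed internal range (10.0.0.0/16 and all sample values are assumptions).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Each tuple stands for the
# event fields (TimeCreated, EventID, AuthenticationPackageName, IpAddress,
# TargetUserName) of Security events 4624 (success) and 4625 (failure).
SAMPLE_EVENTS = [
    ("2025-04-01T09:00:01", 4625, "NTLM", "10.0.5.23", "svc_backup"),
    ("2025-04-01T09:00:02", 4625, "NTLM", "10.0.5.23", "svc_backup"),
    ("2025-04-01T09:00:03", 4625, "NTLM", "10.0.5.23", "svc_backup"),
    ("2025-04-01T09:00:04", 4624, "NTLM", "10.0.5.23", "svc_backup"),
    ("2025-04-01T09:05:00", 4624, "Kerberos", "10.0.7.10", "jdoe"),
    ("2025-04-01T09:06:00", 4625, "NTLM", "10.0.9.44", "admin"),
    ("2025-04-01T09:30:00", 4624, "NTLM", "10.0.9.44", "admin"),
    ("2025-04-01T09:31:00", 4624, "NTLM", "203.0.113.7", "svc_backup"),
]

# Assumed internal address space; replace with the real site ranges.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

def detect_ntlm_fail_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag NTLM logons preceded by >= min_failures failures for the same
    source/account inside `window`. Returns (ip, account, failures, success_ts)."""
    by_key = defaultdict(list)
    for ts, eid, pkg, src, acct in events:
        if pkg == "NTLM" and eid in (4624, 4625):
            by_key[(src, acct)].append((datetime.fromisoformat(ts), eid))
    findings = []
    for (src, acct), recs in by_key.items():
        failures = []
        for ts, eid in sorted(recs):
            if eid == 4625:
                failures.append(ts)
            else:
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= min_failures:
                    findings.append((src, acct, len(recent), ts.isoformat()))
                failures = []  # a success closes the current burst
    return findings

def ntlm_from_unexpected_source(events, known=KNOWN_NETWORKS):
    """Return (ip, account) pairs for successful NTLM logons whose source
    address lies outside every known network."""
    hits = set()
    for _ts, eid, pkg, src, acct in events:
        addr = ipaddress.ip_address(src)
        if pkg == "NTLM" and eid == 4624 and not any(addr in n for n in known):
            hits.add((src, acct))
    return sorted(hits)
```

The single failure at 09:06 followed by a success 24 minutes later is deliberately left unflagged by the time window, which is the knob to tune against the environment's normal retry behaviour.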

Long-term Solutions

Beyond immediate patching, Microsoft suggests:

  • Phasing out NTLM completely
  • Implementing certificate-based authentication
  • Deploying Windows Hello for Business

Historical Context

This vulnerability follows a pattern of NTLM weaknesses:

  • 2019: CVE-2019-1040 (NTLM relay vulnerability)
  • 2021: CVE-2021-33757 (NTLM tampering flaw)
  • 2023: CVE-2023-32049 (NTLM hash disclosure)

Expert Recommendations

Cybersecurity professionals advise:

  1. Prioritize patching domain controllers first
  2. Monitor for exploitation attempts using SIEM tools
  3. Educate users about phishing risks
  4. Review firewall rules to limit NTLM traffic

Future of NTLM

This vulnerability may finally push organizations to:

  • Accelerate migration to modern authentication
  • Invest in identity protection solutions
  • Implement zero-trust network architectures

Microsoft has stated that NTLM will eventually be deprecated, though no timeline has been provided. This latest vulnerability underscores the urgency of moving to more secure authentication methods.