
Windows security faces a new challenge with the discovery of CVE-2025-24996, a critical vulnerability exposing NTLM hashes to potential attackers. This flaw, affecting multiple Windows versions, could enable credential theft, lateral movement, and privilege escalation if exploited.
What is CVE-2025-24996?
CVE-2025-24996 is a spoofing vulnerability in Microsoft's NTLM (NT LAN Manager) authentication protocol that allows attackers to intercept or force the disclosure of password hashes. The vulnerability stems from improper handling of NTLM authentication requests in specific network scenarios.
How the Vulnerability Works
- Attackers can trick systems into disclosing NTLM hashes through crafted authentication requests
- Exploitable via man-in-the-middle (MITM) attacks or by luring victims to malicious servers
- Doesn't require user interaction in some attack scenarios
- Particularly dangerous in Windows domain environments where NTLM is still widely used
Impact Assessment
Successful exploitation could lead to:
- Credential theft: Obtaining hashes that can be cracked offline
- Lateral movement: Using stolen credentials to access other systems
- Privilege escalation: Gaining higher-level access within networks
- Persistent access: Creating backdoors with stolen credentials
Affected Systems
Microsoft has confirmed the vulnerability affects:
- Windows 10 (all supported versions)
- Windows 11 (all versions)
- Windows Server 2016/2019/2022
- Earlier versions may be vulnerable if NTLM authentication is enabled
Mitigation Strategies
While awaiting official patches, administrators should:
- Disable NTLM where possible:
  - Use Group Policy to enforce Kerberos authentication
  - Set "Network security: Restrict NTLM" policies
- Implement network-level protections:
  - Enable SMB signing
  - Configure firewall rules to block unnecessary NTLM traffic
  - Use IPS/IDS systems to detect hash relay attempts
- Monitor for suspicious activity:
  - Audit NTLM authentication events (Event ID 4624 with NTLM)
  - Watch for unexpected NTLM traffic between systems
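The following PowerShell script is an added example, not from the original article or from Microsoft: a read-only posture check of the local registry values that back the Group Policy items listed above (the Restrict NTLM policies, LAN Manager authentication level, NTLM session security, SMB signing, and Credential Guard). The registry paths are the standard locations those policies write to; the "expected" values are this example's assumed baseline, so adjust them to your environment (for example, treating outgoing value 1 = Audit as an interim state before 2 = Deny). Run it elevated on the host being assessed; it changes nothing.

```powershell
# Added example (not the article's code): report NTLM-hardening settings on the local host.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-NtlmHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    # Accept = values this example's baseline treats as hardened (assumption, tune per environment).
    $checks = @(
        @{ Path=$lsa; Name='LmCompatibilityLevel';         Accept=@(5);          Policy='LAN Manager authentication level: NTLMv2 only, refuse LM and NTLM' }
        @{ Path=$msv; Name='RestrictSendingNTLMTraffic';   Accept=@(2);          Policy='Restrict NTLM: Outgoing NTLM traffic to remote servers (1 = audit all, 2 = deny all)' }
        @{ Path=$msv; Name='RestrictReceivingNTLMTraffic'; Accept=@(2);          Policy='Restrict NTLM: Incoming NTLM traffic (1 = deny domain accounts, 2 = deny all accounts)' }
        @{ Path=$msv; Name='AuditReceivingNTLMTraffic';    Accept=@(2);          Policy='Restrict NTLM: Audit incoming NTLM traffic (writes to Microsoft-Windows-NTLM/Operational)' }
        @{ Path=$msv; Name='NtlmMinClientSec';             Accept=@(0x20080000); Policy='Minimum session security for NTLM SSP clients: NTLMv2 session security + 128-bit' }
        @{ Path=$msv; Name='NtlmMinServerSec';             Accept=@(0x20080000); Policy='Minimum session security for NTLM SSP servers: NTLMv2 session security + 128-bit' }
        @{ Path=$srv; Name='RequireSecuritySignature';     Accept=@(1);          Policy='Microsoft network server: Digitally sign communications (always)' }
        @{ Path=$wks; Name='RequireSecuritySignature';     Accept=@(1);          Policy='Microsoft network client: Digitally sign communications (always)' }
        @{ Path=$lsa; Name='LsaCfgFlags';                  Accept=@(1, 2);       Policy='Credential Guard configured (1 = with UEFI lock, 2 = without lock)' }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        $state = if ($null -eq $actual) { 'NotConfigured' } elseif ($actual -in $c.Accept) { 'OK' } else { 'Weak' }
        [pscustomobject]@{ Setting=$c.Name; Actual=$actual; Expected=($c.Accept -join '|'); State=$state; Policy=$c.Policy }
    }
    # Credential Guard actually running, not merely configured: service id 1 in SecurityServicesRunning.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    [pscustomobject]@{ Setting='CredentialGuardRunning'; Actual=$running; Expected='True'
                       State=$(if ($running) { 'OK' } else { 'Weak' }); Policy='Win32_DeviceGuard.SecurityServicesRunning contains 1' }
}

$report = Test-NtlmHardening
$report | Format-Table Setting, Actual, Expected, State -AutoSize
# List the policy names behind every non-OK row so the findings map directly onto Group Policy.
$report | Where-Object State -ne 'OK' | Format-List Setting, Policy
```

Where a setting is managed by Group Policy, the policy-backed key is authoritative even if the local value differs, so compare the output against the applied GPO (gpresult /h) rather than treating a NotConfigured row as proof that the control is absent.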
Microsoft's Response
Microsoft has acknowledged the vulnerability and assigned it a CVSS score of 8.1 (High severity). The company is expected to release patches in an upcoming Patch Tuesday update. Until then, they recommend:
- Applying all current security updates
- Reviewing NTLM usage through the NTLM Audit Tool
- Implementing the mitigations mentioned above
Long-term Security Recommendations
Beyond addressing CVE-2025-24996, organizations should:
- Migrate to modern authentication protocols like Kerberos or OAuth
- Implement credential guard on Windows 10/11 and Server 2016+
- Enforce strong password policies to make hash cracking more difficult
- Regularly audit authentication protocols across the network
Detection and Monitoring
Security teams should look for these indicators of potential exploitation:
- Unexpected NTLM authentication attempts
- Authentication requests from unusual IP addresses
- Multiple failed NTLM attempts followed by successful logins
- Unusual lateral movement using NTLM credentials
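The script below is an added example, not from the original article, that turns the indicator list above (and the "Audit NTLM authentication events" item in the mitigations) into a hunt over Security-log logon events: 4624 successes and 4625 failures with AuthenticationPackageName = NTLM. The $Sample events are constructed for the demo; Get-LogonEvents shows how to build identical objects from the live log. The -KnownNtlmSources allow-list, the failure threshold, the time window, and the fan-out count are assumptions to be tuned per environment.

```powershell
# Added example (not the article's code): detect unexpected NTLM logons, failure bursts that end in a
# success, and one account arriving over NTLM from many hosts.
function ConvertFrom-LogonEvent {
    # Flatten a 4624/4625 EventLogRecord using the EventData fields of its XML rendering.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($f in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time = $Record.TimeCreated; Id = $Record.Id
            User = $data['TargetUserName']; Domain = $data['TargetDomainName']
            LogonType = [int]$data['LogonType']; AuthPackage = $data['AuthenticationPackageName']
            Workstation = $data['WorkstationName']; IpAddress = $data['IpAddress']
        }
    }
}

function Get-LogonEvents {
    # Live collection for the last N hours (needs rights to read the Security log).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ConvertFrom-LogonEvent
}

function Find-SuspiciousNtlm {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $KnownNtlmSources = @(),   # hosts known to still need NTLM (assumed allow-list)
        [int] $FailureThreshold = 5, [int] $WindowMinutes = 10, [int] $SourceFanOut = 3
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $ntlm = @($Events | Where-Object { $_.AuthPackage -eq 'NTLM' })
    $ok   = @($ntlm | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 })   # successful network logons

    # Indicator 1: successful NTLM network logon from a source not expected to use NTLM.
    foreach ($e in $ok) {
        if ($e.IpAddress -notin $KnownNtlmSources) {
            $findings.Add([pscustomobject]@{ Indicator = 'UnexpectedNtlmSource'; User = $e.User; Source = $e.IpAddress; Time = $e.Time; Detail = '' })
        }
    }
    # Indicator 2: a burst of NTLM failures from one source followed by a success inside the window.
    foreach ($g in ($ntlm | Group-Object IpAddress)) {
        $fails = @($g.Group | Where-Object { $_.Id -eq 4625 })
        foreach ($s in ($g.Group | Where-Object { $_.Id -eq 4624 } | Sort-Object Time)) {
            $recent = @($fails | Where-Object { $_.Time -le $s.Time -and $_.Time -ge $s.Time.AddMinutes(-$WindowMinutes) })
            if ($recent.Count -ge $FailureThreshold) {
                $findings.Add([pscustomobject]@{ Indicator = 'FailuresThenSuccess'; User = $s.User; Source = $g.Name; Time = $s.Time; Detail = "$($recent.Count) failures in $WindowMinutes min" })
                break
            }
        }
    }
    # Indicator 3: one account arriving over NTLM from many distinct sources (lateral-movement shape).
    foreach ($g in ($ok | Group-Object User)) {
        $sources = @($g.Group | Select-Object -ExpandProperty IpAddress -Unique)
        if ($sources.Count -ge $SourceFanOut) {
            $last = ($g.Group | Sort-Object Time | Select-Object -Last 1).Time
            $findings.Add([pscustomobject]@{ Indicator = 'AccountFanOut'; User = $g.Name; Source = ($sources -join ','); Time = $last; Detail = "$($sources.Count) distinct sources" })
        }
    }
    return $findings
}

# Constructed sample (not real telemetry): a Kerberos logon, an approved NTLM source, five NTLM
# failures then a success from one host, and one account arriving over NTLM from three hosts.
$t0 = Get-Date '2025-03-12T09:00:00'
function New-Logon($Min, $Id, $User, $Pkg, $Ip) {
    [pscustomobject]@{ Time = $t0.AddMinutes($Min); Id = $Id; User = $User; Domain = 'CORP'; LogonType = 3; AuthPackage = $Pkg; Workstation = 'WS'; IpAddress = $Ip }
}
$Sample = [System.Collections.Generic.List[object]]::new()
$Sample.Add((New-Logon 0 4624 'alice' 'Kerberos' '10.0.1.10'))
$Sample.Add((New-Logon 1 4624 'svc_backup' 'NTLM' '10.0.5.20'))
foreach ($m in 2..6) { $Sample.Add((New-Logon $m 4625 'bob' 'NTLM' '10.0.9.77')) }
$Sample.Add((New-Logon 7 4624 'bob' 'NTLM' '10.0.9.77'))
foreach ($i in 1..3) { $Sample.Add((New-Logon (9 + $i) 4624 'jdoe' 'NTLM' "10.0.1.1$i")) }

Find-SuspiciousNtlm -Events $Sample -KnownNtlmSources '10.0.5.20' |
    Format-Table Indicator, User, Source, Time, Detail -AutoSize
```

Against the sample this reports four UnexpectedNtlmSource rows (bob's success and jdoe's three), one FailuresThenSuccess row for bob's host, and one AccountFanOut row for jdoe; svc_backup is suppressed by the allow-list. On a live host replace $Sample with Get-LogonEvents, and note that 4624 on a member server only shows logons to that server, so the fan-out check is most informative when run over logs forwarded from many hosts.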
Historical Context
NTLM vulnerabilities have been a recurring issue in Windows security:
- 2019: CVE-2019-1040 (NTLM relay vulnerability)
- 2021: PetitPotam NTLM relay attacks
- 2023: CVE-2023-29336 (NTLM tampering vulnerability)
This pattern highlights the importance of moving away from NTLM whenever possible.
Frequently Asked Questions
Q: Can this vulnerability be exploited remotely?
A: Yes, in certain network configurations, attackers can exploit this remotely without physical access.
Q: Are home users affected?
A: While possible, the risk is significantly higher in enterprise environments using domain authentication.
Q: How can I check if my system uses NTLM?
A: Run nltest /domain_trusts /all_trusts, or check Event Viewer for NTLM authentication events.
Conclusion
CVE-2025-24996 represents another serious vulnerability in the aging NTLM protocol. While mitigations exist, the long-term solution involves migrating to more secure authentication methods. Organizations should act promptly to assess their exposure and implement protective measures while awaiting official patches from Microsoft.