New Zero-day Windows NTLM Vulnerability

Summary

A newly identified 0-day vulnerability impacts Windows clients from Windows 7 to Windows 11, allowing attackers to capture NTLM authentication hashes through a variant of earlier Windows themes spoofing vulnerabilities. Researchers at ACROS Security discovered this flaw while developing a patch for an earlier vulnerability (CVE-2024-38030). The flaw lets attackers coerce vulnerable devices into sending their NTLM hashes by way of malicious theme files, which the victim can encounter through shared files or network paths.

Dark Reading Article: https://www.darkreading.com/vulnerabilities-threats/recurring-windows-flaw-could-expose-user-credentials

Disabling NTLM and Security Implications

ACROS recommends disabling NTLM where possible, as it reduces exposure to these coercion attacks. However, doing so can affect systems that depend on NTLM for network connections or legacy applications. Organizations should also use firewalls to block the outbound authentication requests such files trigger from reaching external servers.

Microsoft is investigating this issue, though no patch is available yet. Meanwhile, proactive NTLM management is crucial for mitigating potential attack vectors.

So, can you turn off NTLM? Probably…

What is NTLM?

NTLM (NT LAN Manager) is an older authentication protocol used to validate Windows logins and network access. Designed for early Windows networks, NTLM is still present in Windows systems, though it has been largely replaced by Kerberos in more secure environments. NTLM authenticates users in situations where modern protocols aren’t available, especially in legacy applications and systems.

Windows Versions Using NTLM

NTLM remains supported across many versions of Windows, chiefly for backward compatibility, including:

  • Windows NT and Windows 2000
  • Windows XP and Vista
  • Windows 7, 8, and 10
  • Some configurations in Windows Server environments

While NTLM is enabled by default for compatibility, more recent Windows installations emphasize Kerberos for higher security.

How to Disable NTLM

To disable NTLM, administrators can configure Group Policies in Windows:

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to Security Settings > Local Policies > Security Options.
  3. Modify the "Network Security: Restrict NTLM" policies to control where NTLM may be used to authenticate users.

Disabling NTLM can enhance security, especially against credential-forwarding attacks, though it may affect applications dependent on NTLM authentication.

Systems Dependent on NTLM

While NTLM is increasingly phased out, some legacy applications, network protocols, and services still require it. File sharing in older Windows domains, older SQL Server connections, and some remote access solutions rely on NTLM for authentication. Before disabling NTLM, ensure that critical applications and dependencies are compatible with Kerberos or other protocols to avoid disruptions.

In summary, while NTLM offers compatibility benefits, it can expose credentials, particularly in environments susceptible to pass-the-hash attacks. Organizations should consider limiting NTLM usage or monitoring its activity through logging, reducing exposure to potential vulnerabilities.
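As an added illustration (not code from the article), the PowerShell script below ties together the Group Policy step above and the logging advice: it reads the local state of the "Restrict NTLM" policies from the registry and summarizes which remote servers recent outgoing NTLM authentications went to, so an administrator can see what would break before moving from audit to deny. The registry value names, the Microsoft-Windows-NTLM/Operational log and event ID 8001 are Microsoft's; the EventData field name TargetName and the helper function names are assumptions.

```powershell
# Added example, not code from the article: audit the local "Restrict NTLM"
# state and summarize where outgoing NTLM authentications have been going.
# Assumes: run as administrator on Windows 7 or later, with the
# "Restrict NTLM: Audit ..." policies enabled so the NTLM Operational log fills.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = Join-Path $Lsa 'MSV1_0'

# Value meanings as stored by the "Network security: Restrict NTLM: ..." policies.
$OutgoingMeaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$IncomingMeaning = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return $item.$Name }
}

function Get-NtlmRestrictionState {
    # A missing value is "Not Defined" in GPMC and behaves like the permissive default.
    $outgoing = Get-RegistryValueOrDefault $Msv10 'RestrictSendingNTLMTraffic' 0
    $incoming = Get-RegistryValueOrDefault $Msv10 'RestrictReceivingNTLMTraffic' 0
    $lmLevel  = Get-RegistryValueOrDefault $Lsa   'LmCompatibilityLevel' 3  # 3 = OS default since Vista
    $allowed  = Get-RegistryValueOrDefault $Msv10 'ClientAllowedNTLMServers' $null
    $allowedText = if ($allowed) { $allowed -join ', ' } else { '(none)' }
    [pscustomobject]@{
        OutgoingNtlm         = $OutgoingMeaning[[int]$outgoing]
        IncomingNtlm         = $IncomingMeaning[[int]$incoming]
        LmCompatibilityLevel = $lmLevel          # 5 = send NTLMv2 only, refuse LM and NTLM
        AllowedRemoteServers = $allowedText      # exceptions list for the outgoing policy
    }
}

function Get-RecentOutgoingNtlmTargets {
    param([int]$Days = 7)
    # Event 8001 records each outgoing NTLM authentication the audit policy flagged;
    # the EventData field TargetName (assumed name) holds the remote server.
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'TargetName' }).'#text'
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'TargetServer'; e = { $_.Name } }, Count
}

Get-NtlmRestrictionState | Format-List
Get-RecentOutgoingNtlmTargets | Format-Table -AutoSize
```

Servers that appear in the target list are the ones to validate for Kerberos support or to add to the outgoing exceptions list before switching the policy to "Deny all".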

Paul Bergman