Tag: ntlmv1

  • CVE-2025-21311: Critical Elevation of Privilege in Windows NTLM V1

    Overview

    On January 14, 2025, Microsoft disclosed CVE-2025-21311, a critical vulnerability in the NTLM V1 authentication protocol implementation in Windows. The vulnerability allows for elevation of privilege and has been rated with a CVSS v3.1 score of 9.8, placing it in the Critical severity category.

    What is NTLM V1?

    NTLM (NT LAN Manager) is a legacy authentication protocol used in Windows environments. While NTLMv2 is recommended for modern deployments, NTLMv1 is still enabled in some systems for backward compatibility. NTLMv1 has long been known to have cryptographic weaknesses, and CVE-2025-21311 exposes a specific vulnerability in how NTLMv1 is implemented within certain Windows versions.

    Technical Details

    The issue is classified under CWE-303: Incorrect Implementation of Authentication Algorithm. This means the algorithm meant to securely verify identities is flawed, potentially allowing unauthorized users to bypass authentication mechanisms and escalate privileges on affected systems. The vulnerability is remotely exploitable and requires no user interaction or prior access.

    According to the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the vulnerability:

    • Is exploitable remotely over the network (AV:N)
    • Requires no user interaction and no prior privileges (UI:N, PR:N)
    • Has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

    Affected Versions

    The vulnerability affects the following Windows versions:

    • Windows Server 2025 (Server Core)
    • Windows Server 2022, 23H2 Edition (Server Core)
    • Windows 11 Version 24H2 (ARM64 and x64)

    Affected builds fall within the following version ranges:

    • 10.0.25398.0 to 10.0.25398.1369
    • 10.0.26100.0 to 10.0.26100.2894

    Mitigation

    Microsoft has released patches that should be applied immediately. Additional mitigation strategies include:

    • Disabling NTLMv1 where possible
    • Enforcing modern authentication protocols such as Kerberos
    • Auditing authentication flows to detect legacy usage

    The CISA SSVC assessment rates the technical impact of this vulnerability as total and marks it as automatable, underscoring the urgency of a response.

    Conclusion

    CVE-2025-21311 highlights the risks of relying on outdated protocols like NTLMv1. Organizations should prioritize patching affected systems, modernize their authentication infrastructure, and audit configurations to reduce exposure to similar threats in the future.

    More details are available in the official Microsoft advisory.

  • Critical Elevation of Privilege via NTLMv1 in Windows (CVE-2025-21311)

    Overview

    CVE-2025-21311 is a critical vulnerability in Microsoft’s implementation of the NTLM version 1 (NTLMv1) authentication protocol. This flaw permits an attacker to gain elevated privileges through network-based exploitation, impacting various supported versions of Windows, including Windows Server 2025 and Windows 11 24H2.

    Technical Details

    The vulnerability stems from an incorrect implementation of authentication algorithms, categorized under CWE-303: Incorrect Implementation of Authentication Algorithm. Specifically, the use of the outdated and insecure NTLMv1 allows attackers to craft or intercept authentication messages, potentially leading to privilege escalation.

    Unlike its successor NTLMv2, NTLMv1 lacks modern cryptographic protections and is more susceptible to relay attacks and credential manipulation. This vulnerability is especially dangerous in domain environments where NTLM is still supported for backward compatibility.

    CVSS Score and Severity

    This vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical), with the following vector:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    This combination indicates that the flaw is easily exploitable and can cause significant harm if leveraged by a malicious actor.

    Affected Systems

    • Windows Server 2025 (x64, Server Core) – Versions before 10.0.26100.2894
    • Windows Server 2022, 23H2 Edition – Versions before 10.0.25398.1369
    • Windows 11 24H2 (ARM64 & x64) – Versions before 10.0.26100.2894

    Mitigation and Recommendations

    Microsoft has addressed this vulnerability in cumulative updates released after January 2025. Organizations should:

    • Ensure systems are updated to the latest security patches.
    • Disable NTLMv1 wherever possible and enforce the use of NTLMv2 or Kerberos for authentication.
    • Audit authentication logs for anomalous NTLM traffic.
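
    Both posts recommend auditing authentication logs for legacy NTLM usage before NTLMv1 is switched off, so that the systems still depending on it can be found first. The following is an added example, not code from either post or from Microsoft, that scans Windows Security event 4624 (successful logon) records exported as XML and reports the logons whose LmPackageName field is "NTLM V1" or "LM", then tallies them by source address and workstation. The sample events are constructed for the example; the element names (System, EventData, Data Name="LmPackageName") follow the standard Windows event XML schema.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML (as emitted by EventRecord.ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Package names reported in 4624 for legacy challenge/response. NTLMv2 shows
# as "NTLM V2" and Kerberos logons show "-" in this field.
LEGACY_PACKAGES = {"NTLM V1", "LM"}


def parse_event(xml_text):
    """Flatten one Windows event XML record into a plain dict."""
    root = ET.fromstring(xml_text)
    record = {
        d.get("Name"): (d.text or "").strip()
        for d in root.findall("e:EventData/e:Data", NS)
    }
    record["EventID"] = (root.findtext("e:System/e:EventID", namespaces=NS) or "").strip()
    record["Computer"] = (root.findtext("e:System/e:Computer", namespaces=NS) or "").strip()
    return record


def find_legacy_ntlm_logons(xml_events):
    """Return the 4624 records that were authenticated with NTLMv1 or LM."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] != "4624":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("LmPackageName") not in LEGACY_PACKAGES:
            continue
        hits.append({
            "Computer": ev["Computer"],
            "Account": f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}",
            "LogonType": ev.get("LogonType", ""),
            "Package": ev["LmPackageName"],
            "IpAddress": ev.get("IpAddress", ""),
            "WorkstationName": ev.get("WorkstationName", ""),
        })
    return hits


def summarize_sources(hits):
    """Count legacy logons per (source IP, workstation) to locate the clients."""
    return Counter((h["IpAddress"], h["WorkstationName"]) for h in hits)


def _event(event_id, **data):
    # Helper to build constructed sample records in Windows event XML shape.
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Computer>DC01.corp.example</Computer></System>"
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed sample: two NTLMv1 network logons from one legacy appliance,
# one NTLMv2 logon and one Kerberos logon that must not be flagged.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="svc_backup", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
           WorkstationName="LEGACY-NAS", IpAddress="10.0.5.23"),
    _event(4624, TargetUserName="jdoe", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
           WorkstationName="WS-0142", IpAddress="10.0.7.14"),
    _event(4624, TargetUserName="jdoe", TargetDomainName="CORP", LogonType="2",
           AuthenticationPackageName="Kerberos", LmPackageName="-",
           WorkstationName="WS-0142", IpAddress="10.0.7.14"),
    _event(4624, TargetUserName="svc_backup", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
           WorkstationName="LEGACY-NAS", IpAddress="10.0.5.23"),
]

if __name__ == "__main__":
    hits = find_legacy_ntlm_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['Computer']}: {h['Account']} via {h['Package']} "
              f"(type {h['LogonType']}) from {h['IpAddress']} / {h['WorkstationName']}")
    for (ip, host), n in summarize_sources(hits).most_common():
        print(f"{n} legacy logon(s) from {ip} ({host})")
```

    On a domain controller the same field is available from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} by calling ToXml() on each record, which is the form this parser expects. Once the remaining NTLMv1 clients have been identified and fixed, the "Network security: LAN Manager authentication level" policy (LmCompatibilityLevel) can be raised so that domain controllers refuse LM and NTLMv1 responses, and the scan above should then return no hits.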

    Conclusion

    CVE-2025-21311 highlights the critical risks of legacy protocol support in modern systems. NTLMv1 has long been deprecated, and its continued use poses serious security threats. Organizations must act quickly to update systems and eliminate NTLMv1 reliance to prevent exploitation.

    For more details, refer to the official Microsoft advisory: MSRC: CVE-2025-21311