Critical Elevation of Privilege via NTLMv1 in Windows (CVE-2025-21311)

Overview

CVE-2025-21311 is a critical vulnerability in Microsoft’s implementation of the NTLM version 1 (NTLMv1) authentication protocol. This flaw permits an attacker to gain elevated privileges through network-based exploitation, impacting various supported versions of Windows, including Windows Server 2025 and Windows 11 24H2.

Technical Details

The vulnerability stems from an incorrect implementation of authentication algorithms, categorized under CWE-303: Incorrect Implementation of Authentication Algorithm. Specifically, the use of the outdated and insecure NTLMv1 allows attackers to craft or intercept authentication messages, potentially leading to privilege escalation.

Unlike its successor NTLMv2, NTLMv1 lacks modern cryptographic protections and is more susceptible to relay attacks and credential manipulation. This vulnerability is especially dangerous in domain environments where NTLM is still supported for backward compatibility.

CVSS Score and Severity

This vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical), with the following vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High on confidentiality, integrity, and availability

This combination indicates that the flaw is easily exploitable and can cause significant harm if leveraged by a malicious actor.

Affected Systems

  • Windows Server 2025 (x64, Server Core) – Versions before 10.0.26100.2894
  • Windows Server 2022, 23H2 Edition – Versions before 10.0.25398.1369
  • Windows 11 24H2 (ARM64 & x64) – Versions before 10.0.26100.2894

Mitigation and Recommendations

Microsoft has addressed this vulnerability in cumulative updates released after January 2025. Organizations should:

  • Ensure systems are updated to the latest security patches.
  • Disable NTLMv1 wherever possible and enforce the use of NTLMv2 or Kerberos for authentication.
  • Audit authentication logs for anomalous NTLM traffic.
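As an added example that is not part of the Microsoft advisory or this post, the following PowerShell implements the last two recommendations on a single Windows host: it reads the LAN Manager authentication level, provides a function to enforce NTLMv2-only (level 5), and lists recent successful logons that used NTLMv1 from the Security event log. The function names and the 24-hour window are my own choices.

```powershell
# Added example (not from the advisory): check and harden the LAN Manager
# authentication level, then look for recent NTLMv1 logons in the Security log.
# Run in an elevated PowerShell session on the host being audited.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    # The value is absent when the policy has never been set; Windows then applies its built-in default.
    $v = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.LmCompatibilityLevel
}

function Set-NtlmV2Only {
    # Level 5: clients send only NTLMv2; servers refuse LM and NTLMv1 responses.
    # Same setting as the GPO "Network security: LAN Manager authentication level".
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

function Find-NtlmV1Logons {
    param([int]$Hours = 24)
    # 4624 = successful logon. The event body records which NTLM variant was used
    # in the LmPackageName field ("NTLM V1", "NTLM V2", or "-" for non-NTLM logons).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                LogonType   = $d['LogonType']
            }
        }
    }
}

$level = Get-LmCompatibilityLevel
if ($null -eq $level -or $level -lt 3) {
    # Levels 0-2 still send LM or NTLMv1 responses; 3 and 4 send NTLMv2 but still accept NTLMv1 from clients.
    Write-Warning "LmCompatibilityLevel is '$level'; NTLMv1 responses may still be sent by this host."
}
Find-NtlmV1Logons -Hours 24 | Format-Table -AutoSize
```

Review the listed accounts and workstations before calling Set-NtlmV2Only, since any of them will stop authenticating once NTLMv1 is refused.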

Conclusion

CVE-2025-21311 highlights the critical risks of legacy protocol support in modern systems. NTLMv1 has long been deprecated, and its continued use poses serious security threats. Organizations must act quickly to update systems and eliminate NTLMv1 reliance to prevent exploitation.

For more details, refer to the official Microsoft advisory: MSRC: CVE-2025-21311
