CVE-2025-21311: Critical Elevation of Privilege in Windows NTLM V1

Overview

On January 14, 2025, Microsoft disclosed CVE-2025-21311, a critical vulnerability in the NTLM V1 authentication protocol implementation in Windows. The vulnerability allows for elevation of privilege and has been rated with a CVSS v3.1 score of 9.8, placing it in the Critical severity category.

What is NTLM V1?

NTLM (NT LAN Manager) is a legacy challenge-response authentication protocol used in Windows environments. NTLMv1 computes its response by DES-encrypting the server's challenge under keys derived directly from the user's NT hash, so a captured challenge/response pair can be broken offline to recover the hash; NTLMv2 has been the recommended minimum for years, and Kerberos is preferred wherever it is available. Despite this, NTLMv1 is still enabled in some environments for backward compatibility with old clients and appliances. CVE-2025-21311 is distinct from those long-known design weaknesses: it is a flaw in how NTLMv1 is implemented in specific Windows builds.

Technical Details

The issue is classified under CWE-303: Incorrect Implementation of Authentication Algorithm. In other words, the code that verifies an NTLMv1 exchange does not implement the algorithm correctly, so an attacker who can reach the service may pass authentication without valid credentials and obtain the privileges the authenticated session would carry. Per the CVSS vector, the attack is carried out over the network and requires neither user interaction nor any prior privileges on the target.

Reading the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H metric by metric:

  • AV:N, AC:L: the attack is carried out over the network and needs no special conditions or race to win
  • PR:N, UI:N: the attacker needs no account on the target and no action from a user
  • S:U: the impact stays within the security scope of the vulnerable component
  • C:H, I:H, A:H: high impact on confidentiality, integrity, and availability

Affected Versions

The vulnerability affects the following Windows versions:

  • Windows Server 2025 (Server Core)
  • Windows Server 2022, 23H2 Edition (Server Core)
  • Windows 11 Version 24H2 (ARM64 and x64)

Affected builds fall in the following ranges. The upper bound of each range is the build delivered by the January 2025 update, so a host is exposed while its build number is below that bound:

  • 10.0.25398.0 to 10.0.25398.1369
  • 10.0.26100.0 to 10.0.26100.2894
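The following PowerShell function turns those ranges into a local check. It is an added example, not code from Microsoft or from this article, and it assumes two things: that the upper bound of each range is the first patched build (an exclusive end, which is how the ranges are listed), and that the UBR (update build revision) must be read from the registry, because [Environment]::OSVersion exposes only major.minor.build. The function name and the two constructed build values at the end are illustrative.

```powershell
# Added example, not from the Microsoft advisory or the article above.
# Decides whether a build number falls inside the ranges listed as affected.
# Assumptions: upper bound of each range = first patched build (exclusive end);
# UBR comes from the registry since [Environment]::OSVersion lacks it.

function Test-Cve202521311Exposure {
    param(
        # Defaults read the local machine; pass values explicitly to check another host's reported build.
        [int]$Build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber,
        [int]$Ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    )

    # First patched UBR per affected build line, taken from the advisory's ranges.
    $fixedUbr = @{
        25398 = 1369   # Windows Server 2022, 23H2 Edition (Server Core)
        26100 = 2894   # Windows 11 24H2 and Windows Server 2025
    }

    $full = "10.0.$Build.$Ubr"

    if (-not $fixedUbr.ContainsKey($Build)) {
        # Other build lines (e.g. 22631 for 23H2 client) are not listed as affected.
        return [pscustomobject]@{
            Build = $full; Listed = $false; Vulnerable = $false
            Note  = 'Build line is not among those listed in the advisory'
        }
    }

    $vulnerable = $Ubr -lt $fixedUbr[$Build]
    if ($vulnerable) {
        $note = "Below first fixed build 10.0.$Build.$($fixedUbr[$Build]); install the January 2025 update"
    } else {
        $note = "At or above first fixed build 10.0.$Build.$($fixedUbr[$Build])"
    }

    [pscustomobject]@{ Build = $full; Listed = $true; Vulnerable = $vulnerable; Note = $note }
}

# Check the local machine, then two constructed values to show both outcomes.
Test-Cve202521311Exposure
Test-Cve202521311Exposure -Build 26100 -Ubr 2314   # constructed: an unpatched 24H2 build
Test-Cve202521311Exposure -Build 26100 -Ubr 2894   # constructed: the first patched build
```

Run it from a normal (non-elevated) session on each host in scope, or feed it build numbers collected by your inventory tooling; the function only reads the registry and changes nothing.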

Mitigation

Microsoft released fixes in the January 2025 security update; apply them immediately. Additional mitigation strategies include:

  • Disabling NTLMv1 where possible, by setting "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5)
  • Enforcing modern authentication protocols such as Kerberos, and using the "Network security: Restrict NTLM" policies to audit and then block remaining NTLM use
  • Auditing authentication flows to detect legacy usage; Security event 4624 records the NTLM version in its "Package Name (NTLM only)" field, which reads "NTLM V1" for legacy clients
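The script below carries out those three steps on a single host: it reads and, if needed, raises the LAN Manager authentication level, turns on incoming-NTLM auditing, and lists recent logons that used NTLMv1. It is an added example, not code from Microsoft or from this article. It assumes an elevated PowerShell session, that the registry values named in the comments are the backing store of the corresponding Group Policy entries, and that a sample of the 5000 most recent 4624 events is enough for a spot check; the variable names are illustrative.

```powershell
# Added example, not from the Microsoft advisory or the article above.
# Checks and hardens NTLM-related LSA settings on one host, then lists logons
# that used NTLMv1. Assumptions: elevated session; the registry values below
# back the named Group Policy entries; 5000 recent 4624 events suffice for a
# spot check (raise -MaxEvents or query your SIEM for a full audit).

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# 1. "Network security: LAN Manager authentication level".
#    5 = Send NTLMv2 response only. Refuse LM & NTLM (neither sends nor accepts NTLMv1).
#    An absent value means the OS default applies, so treat it like "too low".
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { Write-Output 'LmCompatibilityLevel: not set (OS default)' }
else                  { Write-Output "LmCompatibilityLevel: $level" }

if ($null -eq $level -or $level -lt 5) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Write-Output 'LmCompatibilityLevel set to 5: LM and NTLMv1 refused.'
}

# 2. "Network security: Restrict NTLM: Audit Incoming NTLM Traffic".
#    2 = audit all accounts. Remaining NTLM clients are logged to the
#    Microsoft-Windows-NTLM/Operational channel so they can be fixed before blocking.
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord

# 3. Logons that already used NTLMv1. Security event 4624 carries LmPackageName
#    ("Package Name (NTLM only)" in the rendered message): "NTLM V1" for legacy
#    clients, "NTLM V2" for NTLMv2, "-" for non-NTLM logons such as Kerberos.
$v1 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData name/value pairs from the event XML instead of regexing the message text.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.LmPackageName -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType   = $data.LogonType
                SourceIP    = $data.IpAddress
                Workstation = $data.WorkstationName
            }
        }
    }

if ($v1) { $v1 | Sort-Object Time | Format-Table -AutoSize }
else     { Write-Output 'No NTLM V1 logons in the sampled 4624 events.' }
```

Step 3 is the part to run first, on domain controllers and file servers in particular: the accounts and source addresses it returns are the clients that will break once step 1 is enforced, so fix or retire them before raising the level fleet-wide.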

CISA's SSVC assessment records a total technical impact and rates exploitation as automatable, which underscores the urgency of patching.

Conclusion

CVE-2025-21311 highlights the risks of relying on outdated protocols like NTLMv1. Organizations should prioritize patching affected systems, modernize their authentication infrastructure, and audit configurations to reduce exposure to similar threats in the future.

More details are available in the official Microsoft advisory.
