Zombie Protocol: How NTLM Flaws Like CVE-2024-43451 Are Haunting 2025

  • Nov 28, 2025

Key Findings


  • Despite being over two decades old, the NTLM authentication protocol remains a critical security liability in 2025.

  • Cybercriminals are actively exploiting newly discovered vulnerabilities to launch sophisticated attacks across the globe.

  • One of the most alarming vulnerabilities is CVE-2024-43451, which allows attackers to steal a user's NTLMv2 hash with virtually no interaction.

  • A crafted .url file abuses the MSHTML engine to trigger an NTLM authentication attempt to an attacker-controlled server simply by being selected, right-clicked, or deleted.

  • Specific threat actors like BlindEagle, Head Mare, and Trojan Distribution have weaponized these flaws to target various sectors.

  • A high-severity NTLM reflection vulnerability, CVE-2025-33073, allows an internal attacker to trick a system into authenticating against itself, granting them SYSTEM-level privileges.

  • The persistence of NTLM in 2025 highlights the challenge of legacy debt in cybersecurity.


Background


In 2001, the cybersecurity world was rocked by the first major NTLM relay attack tool. Fast forward to 2025, and the legacy protocol is still haunting enterprise networks. Kaspersky's latest research highlights a surge in NTLM-related exploits over the past year, despite Microsoft's ongoing efforts to deprecate the protocol.


CVE-2024-43451: The "Clickless" NTLM Exploit


One of the most alarming vulnerabilities detailed in the report is CVE-2024-43451, a flaw that allows attackers to steal a user's NTLMv2 hash with virtually no interaction. The vulnerability abuses the MSHTML engine—a legacy component of Internet Explorer that still exists in Windows for backward compatibility. Attackers can craft malicious .url files that trigger an NTLM authentication attempt to an attacker-controlled server simply by being selected, right-clicked, or deleted.


Threat Actor Weaponization


The report tracks specific threat actors who have weaponized these flaws:


  • BlindEagle (Colombia): This APT group targeted Colombian government entities using phishing emails disguised as judicial notifications. They used the .url exploit to silently download and execute the Remcos RAT.

  • Head Mare (Russia/Belarus): A hacktivist group targeted the manufacturing and education sectors in Russia. They distributed malicious ZIP files containing .url exploits disguised as "Service Agreements," leading to the deployment of PhantomCore malware.

  • Trojan Distribution (Russia): A separate campaign used CVE-2025-24054 to distribute the AveMaria (Warzone) Trojan via malicious .library-ms files hidden inside ZIP archives.


CVE-2025-33073: NTLM Reflection Vulnerability


The most technical finding involves CVE-2025-33073, a high-severity NTLM reflection vulnerability. This flaw allows an internal attacker to trick a system into authenticating against itself, effectively granting them SYSTEM-level privileges. In a documented incident in Uzbekistan's financial sector, an attacker used a crafted DNS hostname to bypass Windows' local authentication checks and coerce the host into authenticating against itself.


The Persistence of NTLM in 2025


The persistence of NTLM in 2025 highlights a critical challenge in cybersecurity: legacy debt. The report concludes that NTLM remains deeply entrenched in Windows environments, continuing to offer cybercriminals opportunities to exploit its long-known weaknesses. Kaspersky experts urge organizations to accelerate their move to Kerberos, enforce SMB signing and EPA (Extended Protection for Authentication), and audit their networks for NTLM traffic to mitigate these threats.
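The two defensive steps the article leaves implicit, auditing which clients still authenticate with NTLM and spotting a host that authenticates to itself as in the CVE-2025-33073 incident above, can both be driven from Windows Security event 4624. The script below is an added example and is not code from the article or from Kaspersky's report; it works on a constructed JSON-lines export of 4624/4625 records (field names follow the real event schema, while the hosts, users and addresses are invented), counts network logons by authentication package, lists NTLMv1 sources, and flags NTLM network logons whose origin is the host itself.

```python
import json
from collections import Counter

# Addresses Windows records for logons originating on the host itself; the
# Security log writes "-" when no network address applies.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-"}

# Constructed 4624/4625 records in JSON-lines form (schema field names are real;
# hosts, users and addresses are made up for this example).
SAMPLE_LOG = """\
{"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "TargetUserName": "alice", "WorkstationName": "WS12", "IpAddress": "10.0.5.12"}
{"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "bob", "WorkstationName": "WS07", "IpAddress": "10.0.5.7"}
{"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "TargetUserName": "svc_backup", "WorkstationName": "LEGACY01", "IpAddress": "10.0.9.3"}
{"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "bob", "WorkstationName": "FS01", "IpAddress": "127.0.0.1"}
{"EventID": 4624, "Computer": "FS01.corp.local", "LogonType": 2, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "carol", "WorkstationName": "FS01", "IpAddress": "-"}
{"EventID": 4625, "Computer": "FS01.corp.local", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "-", "TargetUserName": "bob", "WorkstationName": "WS07", "IpAddress": "10.0.5.7"}
"""


def parse_logons(text):
    """Return only the successful logon (4624) records from a JSON-lines export."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("EventID") == 4624:
            events.append(record)
    return events


def ntlm_inventory(events):
    """Count network logons (LogonType 3) per authentication package; list NTLMv1 users.

    This is the raw material for "audit your network for NTLM traffic": every
    NTLM entry is a client or service that must be migrated before NTLM can be
    disabled, and every NTLMv1 entry is a relay and cracking liability on its own.
    """
    by_package = Counter()
    ntlmv1_sources = []
    for ev in events:
        if ev.get("LogonType") != 3:
            continue
        by_package[ev["AuthenticationPackageName"]] += 1
        if ev.get("LmPackageName", "").replace(" ", "").upper() == "NTLMV1":
            ntlmv1_sources.append((ev["TargetUserName"], ev["WorkstationName"]))
    return {"by_package": dict(by_package), "ntlmv1_sources": ntlmv1_sources}


def reflection_candidates(events):
    """Flag NTLM network logons whose source is the very host being logged on to.

    A machine authenticating to itself over the network with NTLM is the trace an
    NTLM reflection attack leaves in the Security log. Some local services do
    this legitimately, so hits are leads to investigate, not verdicts.
    """
    hits = []
    for ev in events:
        if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        host_short = ev["Computer"].split(".")[0].upper()
        from_self = (
            ev.get("IpAddress") in LOCAL_ADDRESSES
            or ev.get("WorkstationName", "").upper() == host_short
        )
        if from_self:
            hits.append({"host": ev["Computer"], "user": ev["TargetUserName"],
                         "source": ev.get("IpAddress")})
    return hits


def triage(text):
    """Run both checks over one export and return a report dictionary."""
    events = parse_logons(text)
    return {"inventory": ntlm_inventory(events),
            "reflection": reflection_candidates(events)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed input the inventory shows three NTLM network logons against one Kerberos logon, one of them NTLMv1 from a legacy host, and the reflection check singles out the logon to FS01 that arrived from 127.0.0.1. Interactive logons (LogonType 2) are deliberately excluded, since a console logon on the host naturally has no remote address; when running this against real exports, add the host's own IP addresses to the local-address set and whitelist services known to connect to the loopback interface.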


Sources


  • https://securityonline.info/zombie-protocol-how-ntlm-flaws-like-cve-2024-43451-are-haunting-2025/

  • https://x.com/the_yellow_fall/status/1994225510759768420

  • https://x.com/fridaysecurity/status/1994225866264502273

© 2025 by Explain IT Again. Powered and secured by Wix