CVE-2024-43451 Overview
CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability affecting Microsoft Windows operating systems. The flaw allows a remote attacker to coerce a victim's machine into disclosing the user's NTLMv2 hash through minimal interaction with a malicious file. Successful exploitation exposes credential material that can be relayed or cracked offline to impersonate the user. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The vulnerability is tracked under CWE-73: External Control of File Name or Path.
Critical Impact
An unauthenticated remote attacker can capture a user's NTLMv2 hash with minimal user interaction (such as right-clicking, deleting, or moving a crafted file), enabling pass-the-hash and credential relay attacks against Active Directory environments.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2024-11-12 - CVE-2024-43451 published to NVD and addressed in Microsoft's November 2024 Patch Tuesday
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2024-43451
Vulnerability Analysis
The vulnerability resides in Windows MSHTML platform handling of specific file types. When a user interacts with a specially crafted file, Windows initiates an outbound authentication attempt to an attacker-controlled server. The client transmits the user's NTLMv2 hash as part of the authentication handshake. Unlike traditional NTLM relay vectors, exploitation does not require the victim to open or execute the file. Reported triggers include single-clicking, right-clicking, or simply deleting the malicious file, which lowers the user interaction barrier significantly. Once captured, the NTLMv2 hash can be relayed to other services or subjected to offline cracking, providing a foothold for lateral movement and Active Directory compromise.
Root Cause
The root cause maps to CWE-73: External Control of File Name or Path. The affected component processes a path or URL embedded in a crafted file and initiates an SMB or WebDAV connection to an external host without sufficient validation. This forces the operating system to perform NTLM authentication against an untrusted destination, leaking credential material to the remote endpoint.
Attack Vector
The attack vector is network-based and requires limited user interaction. An attacker delivers a crafted file through phishing email, a compromised website, or a removable medium. Public reporting attributes in-the-wild exploitation to threat actors distributing malicious archives containing internet shortcut (.url) files that point to attacker-controlled WebDAV or SMB shares. When the user performs a minimal action on the file, the system contacts the external host, completes NTLM authentication, and discloses the NTLMv2 hash. The attacker then uses the captured hash for relay attacks or offline password cracking. Refer to the Microsoft Security Update Guide and the CISA Known Exploited Vulnerabilities Catalog for additional technical context.
Detection Methods for CVE-2024-43451
Indicators of Compromise
- Outbound SMB (TCP 445) or WebDAV (TCP 80/443) traffic from endpoints to untrusted external IP addresses or domains.
- Unexpected .url files or internet shortcuts in email attachments, downloads, or removable media.
- Windows Security event ID 4624 or 4625 logon attempts referencing external hosts during NTLM authentication.
- Outbound NTLM authentication negotiation initiated immediately after user file interaction events.
Detection Strategies
- Monitor for endpoints initiating outbound SMB or WebDAV connections to non-corporate destinations, particularly following file system interaction events.
- Hunt for .url files containing file://, \\\\, or WebDAV-style paths pointing to external hosts.
- Correlate process creation events for explorer.exe and rundll32.exe with subsequent network connections to external SMB or WebDAV endpoints.
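The hunt for .url files described above can be scripted. The following is an added example, not code from the advisory or from Microsoft: it parses the INI body of an Internet Shortcut, checks every key in the [InternetShortcut] section (not only URL=), and reports values that are file://, UNC or WebDAV-style (\\host@80\share, \\host@SSL@443\share) paths whose host is outside the estate. The internal address ranges, the corp.example DNS suffix and the sample shortcut bodies are constructed for the example; plain http(s) bookmarks are deliberately left alone because they are ordinary shortcuts and would drown the result in noise.

```python
"""Triage .url (Internet Shortcut) files for paths that would make Windows
authenticate to an external host. Added example, not the advisory's own code."""
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# Constructed for this example: what counts as "inside the estate".
CORP_DNS_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# UNC path; group 2 captures the WebDAV-style "@80" / "@SSL@443" host suffix if present.
UNC_RE = re.compile(r"^\\\\([^\\@]+)((?:@SSL)?(?:@\d+)?)\\", re.IGNORECASE)


def host_is_internal(host: str) -> bool:
    """True for addresses in INTERNAL_NETS or names under a corporate DNS suffix."""
    host = host.strip("[]").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(CORP_DNS_SUFFIXES)


def classify_value(value: str):
    """Return (kind, host) for a file://, UNC or WebDAV-style UNC value, else None.
    Plain http(s) URLs are ignored on purpose (ordinary bookmarks)."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return ("webdav-unc" if m.group(2) else "unc"), m.group(1)
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file" and parsed.hostname:
        return "file", parsed.hostname          # file:///C:/local has no host -> skipped
    return None


def triage_url_file(text: str):
    """Parse a .url body and list every field that points to an external host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("InternetShortcut"):
        return findings
    for key, value in cp.items("InternetShortcut"):   # keys are lower-cased by configparser
        hit = classify_value(value)
        if hit and not host_is_internal(hit[1]):
            findings.append({"field": key, "kind": hit[0], "host": hit[1]})
    return findings


# Constructed sample shortcut bodies (not real artifacts).
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://intranet.corp.example/\n"
SAMPLE_INTERNAL = "[InternetShortcut]\nURL=file://fileserver.corp.example/public/readme.txt\n"
SAMPLE_FILE = "[InternetShortcut]\nURL=file://203.0.113.10/share/notes.txt\nIconIndex=0\n"
SAMPLE_WEBDAV = "[InternetShortcut]\nURL=\\\\203.0.113.10@80\\DavWWWRoot\\notes.txt\n"

if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("internal", SAMPLE_INTERNAL),
                       ("file", SAMPLE_FILE), ("webdav", SAMPLE_WEBDAV)):
        print(name, triage_url_file(body))
```

Run it over a directory of quarantined attachments by reading each .url file as text and feeding the content to triage_url_file; an empty list means nothing in the shortcut points outside the estate.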
Monitoring Recommendations
- Enable NTLM auditing through Group Policy and forward Microsoft-Windows-NTLM/Operational logs to a central SIEM for analysis.
- Alert on any successful NTLM authentication that targets a host outside the corporate domain or trusted forest.
- Track email gateway telemetry for archives (.zip, .rar, .iso) containing .url shortcut files delivered to end users.
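The alerting rule in the monitoring list (outbound NTLM to a host outside the trusted forest) and the correlation with preceding file-interaction events from the detection strategies can be combined in one piece of SIEM logic. The following is an added example, not code from the advisory: it consumes constructed JSON records whose layout is only loosely modelled on the outgoing-NTLM audit event in Microsoft-Windows-NTLM/Operational (event 8001, with a target server name) plus a generic file-interaction event, raises a medium alert for any outbound NTLM to an untrusted target, and raises it to high when a .url file was touched on the same host within the preceding 30 seconds. The trusted suffix, internal ranges, window and sample records are all assumptions of the example.

```python
"""Alert on outbound NTLM authentication to untrusted targets and correlate with
preceding file-interaction telemetry. Added example, not the advisory's own code."""
import ipaddress
import json
from datetime import datetime, timedelta

TRUSTED_SUFFIXES = (".corp.example",)   # constructed: the trusted domain/forest names
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CORRELATION_WINDOW = timedelta(seconds=30)   # assumed: file touch -> NTLM within 30 s


def target_is_trusted(target: str) -> bool:
    """Trusted = internal address range or a name under a trusted DNS suffix."""
    t = target.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(t)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return t.endswith(TRUSTED_SUFFIXES)


def detect(lines):
    """Return alerts for outbound NTLM to untrusted targets; severity is 'high'
    when a .url file interaction preceded it on the same host within the window."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["time"])        # ISO-8601 strings sort chronologically
    recent_files = {}                            # host -> [(timestamp, path)]
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["event"] == "file_interaction":
            recent_files.setdefault(e["host"], []).append((ts, e["path"]))
        elif e["event"] == "ntlm_outbound" and not target_is_trusted(e["target"]):
            alert = {"host": e["host"], "user": e["user"], "target": e["target"],
                     "severity": "medium", "trigger": None}
            for fts, path in recent_files.get(e["host"], []):
                if timedelta(0) <= ts - fts <= CORRELATION_WINDOW and path.lower().endswith(".url"):
                    alert["severity"] = "high"
                    alert["trigger"] = path
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs); JSON escapes the backslashes.
SAMPLE_LOG = [
    r'{"time": "2024-11-13T09:14:02", "host": "WS01", "event": "file_interaction", "user": "CORP\\alice", "path": "C:\\Users\\alice\\Downloads\\invoice.url"}',
    r'{"time": "2024-11-13T09:14:03", "host": "WS01", "event": "ntlm_outbound", "user": "CORP\\alice", "target": "203.0.113.10"}',
    r'{"time": "2024-11-13T09:20:00", "host": "WS02", "event": "ntlm_outbound", "user": "CORP\\bob", "target": "fs01.corp.example"}',
    r'{"time": "2024-11-13T09:25:00", "host": "WS02", "event": "ntlm_outbound", "user": "CORP\\bob", "target": "198.51.100.7"}',
    r'{"time": "2024-11-13T09:30:00", "host": "WS03", "event": "file_interaction", "user": "CORP\\carol", "path": "C:\\Users\\carol\\report.docx"}',
    r'{"time": "2024-11-13T09:30:05", "host": "WS03", "event": "ntlm_outbound", "user": "CORP\\carol", "target": "10.1.2.3"}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

In production the file-interaction source would be whatever endpoint telemetry you already collect (EDR or Sysmon file events); the rule only needs host, timestamp and path from it, and the NTLM side only needs the target server name from the audit event.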
How to Mitigate CVE-2024-43451
Immediate Actions Required
- Apply the November 2024 Microsoft security updates to every affected Windows client and server build without delay.
- Block outbound SMB (TCP 445) and unauthenticated WebDAV traffic at the perimeter firewall to prevent hash exfiltration.
- Enforce SMB signing and Extended Protection for Authentication (EPA) across domain-joined systems to reduce relay risk.
- Identify systems that have not yet received the November 2024 cumulative update and prioritize remediation.
Patch Information
Microsoft released patches for all supported Windows versions in the November 2024 Patch Tuesday release. Administrators should consult the Microsoft Security Update Guide for CVE-2024-43451 for the specific KB articles applicable to each operating system build. Given the CISA KEV listing and the high EPSS probability, this update should be treated as a priority deployment across the estate.
Workarounds
- Restrict outbound NTLM authentication to remote servers using the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
- Disable the WebClient service on endpoints that do not require WebDAV functionality to prevent WebDAV-based hash leakage.
- Configure email and web gateways to strip or quarantine .url files and other internet shortcut formats from inbound traffic.
# Group Policy: Restrict outbound NTLM authentication
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options
# Policy: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# Setting: Deny all
# (Set "Audit all" first and review Microsoft-Windows-NTLM/Operational for legitimate
# outbound NTLM use; servers that still need it can be listed under
# "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication".)

# Disable WebClient (WebDAV) service via PowerShell (run from an elevated prompt)
Set-Service -Name WebClient -StartupType Disabled
Stop-Service -Name WebClient -Force

# Block outbound SMB to external destinations
# (validate that internal file servers remain reachable before broad rollout)
New-NetFirewallRule -DisplayName "Block Outbound SMB 445" `
    -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.