CVE-2025-21377 Overview
CVE-2025-21377 is an NTLM Hash Disclosure Spoofing Vulnerability affecting a wide range of Microsoft Windows operating systems. This vulnerability enables attackers to potentially capture NTLM authentication hashes through network-based spoofing attacks, which can subsequently be used for credential relay attacks or offline password cracking.
Critical Impact
This vulnerability allows unauthorized disclosure of NTLM authentication hashes, potentially enabling attackers to impersonate users, perform pass-the-hash attacks, or crack passwords offline, compromising enterprise network security.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025
Discovery Timeline
- February 11, 2025 - CVE-2025-21377 published to NVD
- February 14, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21377
Vulnerability Analysis
This vulnerability is classified under CWE-73 (External Control of File Name or Path), indicating that improper handling of external input allows attackers to manipulate how the system processes authentication requests. The vulnerability can be exploited remotely over the network and requires user interaction to trigger, such as clicking a malicious link or opening a specially crafted file.
When exploited, attackers can force a victim's system to initiate NTLM authentication to an attacker-controlled server, thereby disclosing the victim's NTLMv2 hash. This hash can then be used in relay attacks against other services or subjected to offline brute-force attacks to recover the plaintext password.
Root Cause
The root cause of CVE-2025-21377 lies in improper validation of external file paths or network resources that trigger NTLM authentication. When Windows encounters certain file operations or network resource requests, it may automatically attempt to authenticate using the current user's NTLM credentials. The vulnerability allows attackers to craft inputs that force this authentication to occur against malicious servers, leaking the authentication hash.
Attack Vector
The attack vector is network-based and requires user interaction. The attack sequence is:
- Hosting a malicious SMB server or web server configured to capture NTLM hashes
- Crafting a malicious link, document, or file that references a resource on the attacker's server
- Convincing a user to interact with the malicious content (clicking a link, opening a document, or browsing to a directory containing a malicious file)
- The victim's system automatically attempts NTLM authentication to the attacker's server
- The attacker captures the NTLMv2 hash for relay attacks or offline cracking
The attack does not require authentication on the victim's system, making it accessible to external attackers who can deliver malicious content through phishing or other social engineering techniques.
Detection Methods for CVE-2025-21377
Indicators of Compromise
- Unexpected outbound SMB connections (port 445) to external IP addresses
- Authentication attempts to unknown or suspicious servers in Windows Security Event logs (Event ID 4648)
- Unusual network traffic patterns showing NTLM authentication handshakes with non-corporate infrastructure
- Presence of suspicious .url, .lnk, or .scf files in user directories or email attachments
Detection Strategies
- Monitor outbound SMB traffic at the network perimeter for connections to external IP addresses, which may indicate credential exfiltration attempts
- Enable and review Windows Security logs for Event ID 4648 (logon with explicit credentials) and Event ID 4624 (logon) entries whose authentication package is NTLM
- Deploy endpoint detection rules to identify processes initiating unexpected outbound authentication requests
- Implement network-based intrusion detection signatures for NTLM authentication sequences to destinations outside the approved allowlist
Monitoring Recommendations
- Configure SIEM rules to alert on outbound NTLM authentication attempts to IP addresses outside corporate ranges
- Enable Windows Defender Credential Guard to protect NTLM credentials from being captured
- Monitor for creation or modification of file types commonly used in NTLM relay attacks (.url, .lnk, .scf, .library-ms)
- Review DNS queries and network flows for connections to known malicious infrastructure or suspicious external servers
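The detection and monitoring recommendations above amount to one rule: flag outbound TCP/445 flows whose destination is outside corporate address ranges. The following is an added example of that rule implemented over constructed flow records; it is not code from the original page, and the corporate ranges, log format and sample flows are all assumptions for illustration.

```python
import ipaddress
import re

# Corporate address ranges (assumed for this example; substitute your own).
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample flow records: "timestamp src dst dport proto", the kind of
# summary a firewall or NetFlow exporter might emit. Only one line should alert:
# the TCP/445 flow from an internal host to 203.0.113.55.
SAMPLE_FLOWS = """\
2025-02-12T09:14:02Z 10.1.4.22 10.1.2.5 445 TCP
2025-02-12T09:14:07Z 10.1.4.22 203.0.113.55 445 TCP
2025-02-12T09:14:09Z 10.1.4.22 198.51.100.7 443 TCP
2025-02-12T09:15:30Z 10.1.4.31 192.168.10.9 445 TCP
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def is_corporate(ip):
    """True if the address falls inside one of the configured corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def outbound_smb_to_external(flow_text):
    """Return (timestamp, src, dst) for every TCP/445 flow whose destination
    is outside the corporate ranges; each hit is a candidate NTLM hash leak."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed or blank records rather than failing
        ts, src, dst, dport, proto = m.groups()
        if proto == "TCP" and int(dport) == 445 and not is_corporate(dst):
            hits.append((ts, src, dst))
    return hits


def format_alerts(hits):
    """Render hits as one SIEM-style alert line each."""
    return [f"ALERT outbound SMB to external host: {src} -> {dst} at {ts}" for ts, src, dst in hits]


if __name__ == "__main__":
    for alert in format_alerts(outbound_smb_to_external(SAMPLE_FLOWS)):
        print(alert)
```

Flows to internal SMB servers and non-445 traffic are left alone, so the rule stays quiet on normal file-share use and fires only on the pattern the indicators above describe.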
How to Mitigate CVE-2025-21377
Immediate Actions Required
- Apply Microsoft's security updates released in February 2025 immediately to all affected Windows systems
- Block outbound SMB traffic (port 445) at the network perimeter if not required for business operations
- Enable Windows Defender Credential Guard on supported systems to protect authentication credentials
- Educate users about phishing risks and the dangers of opening unexpected files or clicking suspicious links
Patch Information
Microsoft has released security updates to address CVE-2025-21377 as part of the February 2025 Patch Tuesday release. Organizations should review the Microsoft Security Response Center advisory for specific patch KB numbers and deployment guidance for each affected Windows version.
Apply patches through Windows Update, Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager according to your organization's patch management procedures.
Workarounds
- Block outbound SMB traffic (TCP port 445) at the firewall to prevent NTLM hash disclosure to external servers
- Disable NTLM authentication where possible and migrate to Kerberos-only authentication
- Configure Windows Firewall to restrict outbound connections from processes that should not require external network access
- Implement network segmentation to limit the impact of credential compromise
# Block outbound SMB at Windows Firewall (PowerShell, run as Administrator)
# Note: this blocks SMB to internal file servers as well; add -RemoteAddress to scope the rule to non-corporate ranges if internal shares are needed
New-NetFirewallRule -DisplayName "Block Outbound SMB" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any
# Restrict NTLM via Group Policy (configure in gpedit.msc or GPO)
# Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# Set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all"
# Test with "Audit all" first and review the resulting NTLM audit events before switching to "Deny all", since legacy services may still depend on NTLM
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.