Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

The Hacker News by The Hacker News
January 17, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jan 16, 2025Ravie LakshmananActive Directory / Vulnerability

Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that’s designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration.

“A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications,” Silverfort researcher Dor Segal said in a report shared with The Hacker News.

NTLM is a still widely used mechanism particularly in Windows environments to authenticate users across a network. The legacy protocol, while not removed due to backward compatibility requirements, has been deprecated as of mid 2024.

Cybersecurity

Late last year, Microsoft officially removed NTLMv1 starting in Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations to make it harder to perform relay attacks, the technology has been besieged by several security weaknesses that have been actively exploited by threat actors to access sensitive data.

In exploiting these flaws, the idea is to coerce a victim to authenticate to an arbitrary endpoint, or relay the authentication information against a susceptible target and perform malicious actions on behalf of the victim.

“The Group Policy mechanism is Microsoft’s solution to disable NTLMv1 across the network,” Segal explained. “The LMCompatibilityLevel registry key prevents the Domain Controllers from evaluating NTLMv1 messages and returns a wrong password error (0xC000006A) when authenticating with NTLMv1.”

However, Silverfort’s investigation found that it’s possible to circumvent the Group Policy and still use NTLMv1 authentication by taking advantage of a setting in the Netlogon Remote Protocol (MS-NRPC).

Specifically, it leverages a data structure called NETLOGON_LOGON_IDENTITY_INFO, which contains a field named ParameterControl that, in turn, has a configuration to “Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed.”

“This research shows on-prem applications can be configured to enable NTLMv1, negating the Highest Level of the Group Policy LAN Manager authentication level set in Active Directory,” Segal said.

Cybersecurity

“Meaning, organizations think they are doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application.”

To mitigate the risk posed by NTLMv1, it’s essential to enable audit logs for all NTLM authentication in the domain and keep an eye out for vulnerable applications that request clients to use NTLMv1 messages. It also goes without saying that organizations are recommended to keep their systems up-to-date.

The latest findings follow a report from security researcher Haifei Li about a “zero-day behavior” in PDF artifacts uncovered in the wild that could leak local net-NTLM information when they are opened with Adobe Reader or Foxit PDF Reader under certain conditions. Foxit Software has addressed the issue with version 2024.4 for Windows.

The disclosure also comes as HN Security researcher Alessandro Iandoli detailed how various security features in Windows 11 (prior to version 24H2) could be bypassed to achieve arbitrary code execution at the kernel level.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

Recommended.

5 Things To Know On The SafePay Ransomware Group

5 Things To Know On The SafePay Ransomware Group

July 7, 2025
China-Based Threat Actor Involved In Microsoft SharePoint Attacks: Mandiant CTO

China-Based Threat Actor Involved In Microsoft SharePoint Attacks: Mandiant CTO

July 22, 2025

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio