CVE-2024-43451 — Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability


Windows NTLM — Zero-Day File Interaction Triggers NTLMv2 Hash Leak Without Opening File; November 2024 Patch Tuesday

What is NTLMv2 Hash Disclosure?

NTLM (NT LAN Manager) is a Windows authentication protocol that uses challenge-response hashing. When a Windows system attempts to authenticate to a remote server, it sends an NTLMv2 hash — a cryptographic response derived from the user's password — as part of the challenge-response handshake. An attacker who can capture an NTLMv2 hash can attempt to crack it offline (revealing the plaintext password) or use it directly in an NTLM relay attack (relaying the hash to authenticate to another service as the victim user). NTLMv2 hash capture and relay are long-established Windows attack techniques; vulnerabilities that trigger automatic NTLM authentication to attacker-controlled servers are particularly dangerous because they can be triggered without the victim taking obvious action.

Overview

CVE-2024-43451 is a zero-day NTLMv2 hash disclosure vulnerability that allows an attacker to capture a victim's NTLMv2 authentication hash through minimal file system interaction — including hovering over a file, right-clicking it, or deleting it in Windows Explorer — without the victim needing to open or execute the file. Microsoft and CISA simultaneously disclosed and patched it on November 12, 2024 (November Patch Tuesday), confirming active exploitation. The vulnerability was discovered by Israel Yeshurun of ClearSky Cyber Security.

Affected Versions

OS                                    Status
Windows 10 (all supported versions)   Patched, November 2024 Patch Tuesday
Windows 11 (all supported versions)   Patched, November 2024 Patch Tuesday
Windows Server 2008 R2 and later      Patched, November 2024 Patch Tuesday

Technical Details

The weakness is classified as CWE-73 (External Control of File Name or Path). The vulnerability lies in how Windows Explorer handles certain file types: files that, when the shell interacts with them even minimally (hover, right-click, delete), cause Windows to initiate an NTLM authentication to an attacker-controlled remote server. The malicious file contains a reference to a UNC path (\\attacker-server\share) that Windows automatically attempts to resolve using the current user's NTLM credentials. As a result, Windows sends the user's NTLMv2 hash to the attacker's server during normal file browsing, with no explicit user action beyond viewing the file in Explorer.

The captured NTLMv2 hash can then be used for:

  • Offline cracking: Run hashcat or John the Ripper against the hash to recover the plaintext password
  • NTLM relay: Forward the hash to authenticate to other services (SMB shares, Exchange, internal APIs) as the victim user — particularly effective if the victim is a domain administrator

Discovery

Discovered by Israel Yeshurun / ClearSky Cyber Security and reported to Microsoft. ClearSky is an Israeli threat intelligence firm known for tracking Iranian, Russian, and North Korean threat actors targeting government and defense organizations. The same-day KEV addition confirms the vulnerability was being actively exploited before the patch was available.

Exploitation Context

NTLMv2 hash disclosure vulnerabilities are a staple of credential theft campaigns against enterprise environments because they can be triggered by simply emailing a malicious file or placing it on a shared network drive — the victim doesn't need to open it, just browse the directory containing it. The captured hash enables either password recovery or direct authentication, giving the attacker the same access as the victim user. For domain administrator victims, this can immediately escalate to full domain compromise via NTLM relay to a domain controller.

Remediation

  1. Apply the November 2024 Windows security updates (Patch Tuesday, November 12, 2024) to all affected systems.
  2. Disable NTLM authentication where possible via Group Policy — modern environments can often operate using Kerberos exclusively; audit NTLM usage before disabling.
  3. Enable Extended Protection for Authentication (EPA) and SMB signing to mitigate NTLM relay attacks even if hashes are captured.
  4. Deploy network monitoring to alert on NTLM authentication attempts to external or unexpected destinations — legitimate NTLM authentication should stay within the corporate network.
  5. Block outbound SMB (port 445) and WebDAV (ports 80/443) connections at the perimeter firewall to prevent NTLM hash leakage to external attacker-controlled servers.
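The following script is an added example of two defender-side checks behind remediation steps 2, 4 and 5; it is not code from the advisory, from Microsoft or from ClearSky. The first function audits NTLM versus Kerberos usage per account (the "audit NTLM usage before disabling" step) over a constructed list of Event ID 4624 fields. The second flags outbound connections from internal hosts to external destinations on the ports that carry NTLM, treating port 445 as SMB outright and ports 80/443 as WebDAV only when the log carries the Windows WebDAV client's User-Agent (Microsoft-WebDAV-MiniRedir), so that ordinary HTTPS traffic is not flagged. The RFC 1918 internal ranges, the log formats and every sample record are assumptions constructed for the example.

```python
"""Added example: NTLM usage audit and outbound NTLM-path detection.
All sample data below is constructed; adjust INTERNAL_NETS and the log
parsing to the real environment before use."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of Event ID 4624 (network logon) fields as a SIEM might
# export them. Real data would come from Get-WinEvent or a log collector.
SAMPLE_LOGONS = [
    {"account": "alice", "workstation": "WS01", "auth_pkg": "Kerberos"},
    {"account": "alice", "workstation": "WS01", "auth_pkg": "NTLM"},
    {"account": "svc_backup", "workstation": "BKP01", "auth_pkg": "NTLM"},
    {"account": "svc_backup", "workstation": "BKP01", "auth_pkg": "NTLM"},
    {"account": "bob", "workstation": "WS02", "auth_pkg": "Kerberos"},
]


def audit_ntlm_usage(events):
    """Count logons per account by authentication package.

    Returns (per-account counts, accounts that only ever used NTLM). The
    NTLM-only accounts are the ones that will break if NTLM is disabled via
    Group Policy, so they need fixing before the policy change.
    """
    per_account = defaultdict(Counter)
    for ev in events:
        per_account[ev["account"]][ev["auth_pkg"]] += 1
    # Counter returns 0 for missing keys without inserting them.
    ntlm_only = sorted(acct for acct, c in per_account.items()
                       if c["NTLM"] and not c["Kerberos"])
    return {acct: dict(c) for acct, c in per_account.items()}, ntlm_only


# Constructed outbound connection records, one per line:
#   timestamp src_ip dst_ip dst_port proto detail
# 'detail' is "-" for plain flow records or "ua=<User-Agent>" for proxy logs.
SAMPLE_FLOWS = """\
2024-11-13T09:01:02Z 10.1.2.30 10.1.5.10 445 tcp -
2024-11-13T09:01:05Z 10.1.2.30 203.0.113.45 445 tcp -
2024-11-13T09:01:09Z 10.1.2.31 198.51.100.7 80 tcp ua=Microsoft-WebDAV-MiniRedir/10.0.19041
2024-11-13T09:02:00Z 10.1.2.31 10.1.5.11 443 tcp -
2024-11-13T09:02:30Z 10.1.2.32 192.0.2.200 443 tcp ua=Mozilla/5.0
"""

# Assumption: the corporate address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEBDAV_PORTS = {80, 443}
WEBDAV_CLIENT_MARKER = "Microsoft-WebDAV-MiniRedir"


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_ntlm_paths(log_text):
    """Return internal-to-external connections that can carry NTLM.

    Port 445 to an external host is always suspicious; 80/443 is flagged only
    when the Windows WebDAV client identifies itself, since generic web
    traffic on those ports is expected.
    """
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, port, proto, detail = line.split()
        port = int(port)
        if proto != "tcp" or not is_internal(src) or is_internal(dst):
            continue
        if port == 445:
            service = "SMB"
        elif port in WEBDAV_PORTS and WEBDAV_CLIENT_MARKER in detail:
            service = "WebDAV"
        else:
            continue
        findings.append({"time": ts, "src": src, "dst": dst,
                         "port": port, "service": service})
    return findings


if __name__ == "__main__":
    counts, ntlm_only = audit_ntlm_usage(SAMPLE_LOGONS)
    print("Logons by package:", counts)
    print("NTLM-only accounts:", ntlm_only)
    for hit in flag_external_ntlm_paths(SAMPLE_FLOWS):
        print("ALERT outbound", hit["service"], hit["src"], "->",
              f"{hit['dst']}:{hit['port']}", "at", hit["time"])
```

In a real deployment the flow source would be the perimeter firewall or proxy (step 5 blocks these connections; step 4 alerts on them), and the audit would run over weeks of 4624 events so that infrequent service-account logons are not missed.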

Key Details

Property              Value
CVE ID                CVE-2024-43451
Vendor / Product      Microsoft — Windows
NVD Published         2024-11-12
NVD Last Modified     2025-10-28
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-73
CISA KEV Added        2024-11-12
CISA KEV Deadline     2024-12-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-12-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-11-12  Microsoft releases the November 2024 Patch Tuesday updates patching CVE-2024-43451 as a zero-day; CISA adds it to the KEV catalog the same day
2024-12-03  CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Microsoft Security Advisory — CVE-2024-43451  Vendor Advisory
NVD — CVE-2024-43451                          Vulnerability Database
CISA KEV Catalog Entry                        US Government