CVE-2025-21311
📋 TL;DR
This vulnerability allows attackers to exploit weaknesses in Windows NTLM v1 authentication to gain elevated privileges on affected systems. Attackers could potentially execute arbitrary code with SYSTEM-level permissions. All Windows systems using NTLM v1 authentication are affected.
💻 Affected Systems
- Windows operating systems
📦 What is this software?
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling lateral movement across the network, data exfiltration, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to gain administrative access to compromised systems, install malware, and access sensitive data.
If Mitigated
Limited impact if NTLM v1 is disabled and proper network segmentation is in place, though legacy systems may remain vulnerable.
🎯 Exploit Status
Exploitation requires local access or ability to intercept NTLM authentication traffic. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in January 2025 (KB5034441 for Windows 10, KB5034440 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Microsoft Update Catalog.
2. Install the update using Windows Update or manual installation.
3. Restart the system when prompted.
🔧 Temporary Workarounds
Disable NTLM v1
Disable NTLM v1 authentication to prevent exploitation of this vulnerability. The value 5 below corresponds to "Send NTLMv2 response only. Refuse LM & NTLM", so any legacy clients that can only speak LM or NTLM v1 will fail to authenticate once it is applied.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
Enable NTLM auditing
Enable auditing for logon events (which record the NTLM package used) to detect potential exploitation attempts
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
🧯 If You Can't Patch
- Disable NTLM v1 authentication via Group Policy or registry settings
- Implement network segmentation to isolate vulnerable systems and restrict NTLM traffic
🔍 How to Verify
Check if Vulnerable:
Check if NTLM v1 is enabled by examining registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (values 0-2 indicate NTLM v1 may be enabled)
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify security update KB5034441 (or equivalent) is installed via 'systeminfo' command or Windows Update history
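The two checks above, combined into one script. This is an added example written for this page, not a tool from Microsoft or from the advisory; it assumes the KB numbers listed under "Official Fix" and treats `$RequiredKBs` as a placeholder you adjust to your OS build. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the advisory): report NTLM v1 exposure and
# whether one of the listed January 2025 updates is installed.
# $RequiredKBs is taken from the advisory text above; adjust for your build.
$RequiredKBs = @('KB5034441', 'KB5034440')

function Get-NtlmV1Status {
    # LmCompatibilityLevel maps to the "Network security: LAN Manager
    # authentication level" policy:
    #   0-2 : client may send LM / NTLM v1 responses
    #   3-4 : client sends NTLMv2 only, but servers/DCs still accept v1 (4 refuses LM)
    #   5   : NTLMv2 only, LM and NTLM v1 refused
    # An absent value means the OS default applies (3 on current Windows),
    # so it should be treated as "not hardened", not as "safe".
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaPath -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    $level = if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }

    if ($null -eq $level)   { $state = 'NotSet (OS default applies)' }
    elseif ($level -le 2)   { $state = 'NTLMv1Enabled' }
    elseif ($level -le 4)   { $state = 'NTLMv1StillAcceptedByServers' }
    else                    { $state = 'NTLMv2Only' }

    [pscustomobject]@{ Level = $level; State = $state }
}

function Test-UpdateInstalled {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

# OS identification (same information as "systeminfo | findstr OS").
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0} (build {1})" -f $os.Caption, $os.Version

$ntlm    = Get-NtlmV1Status
$updates = Test-UpdateInstalled -KBs $RequiredKBs
$ntlm    | Format-List
$updates | Format-Table -AutoSize

if ($ntlm.State -eq 'NTLMv1Enabled' -and -not ($updates.Installed -contains $true)) {
    Write-Warning 'NTLM v1 can be negotiated and none of the listed updates is present: patch, or set LmCompatibilityLevel to 5.'
}
```

The script reports the registry state and the patch state separately, because the two mitigations are independent: a patched host with LmCompatibilityLevel 0-2 still advertises NTLM v1 to the network, and an unpatched host at level 5 is still missing the vendor fix.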
📡 Detection & Monitoring
Log Indicators:
- Event ID 4624 with NTLM v1 authentication
- Event ID 4648 with NTLM authentication type 1
- Unexpected privilege escalation events
Network Indicators:
- NTLM v1 authentication traffic on port 445
- Unusual NTLM authentication patterns from unexpected sources
SIEM Query:
source="windows" event_id=4624 authentication_package="NTLM" AND lm_package="NTLM V1"
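The log indicator and SIEM query above expressed against the native Windows field names, as an added example that is not part of the advisory. Security event 4624 carries the package in the `AuthenticationPackageName` and `LmPackageName` data fields, so the filter below looks for `NTLM` / `NTLM V1`. The two events embedded in the script are constructed samples for offline testing; the `Get-WinEvent` default reads the live Security log and needs an elevated session. `Get-NtlmV1Logons` and `ConvertFrom-EventData` are names chosen for this example.

```powershell
# Added example (not part of the advisory): surface 4624 logons that used
# NTLM v1, from the live Security log or from supplied event XML.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
    param([xml]$Xml)
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $data
}

function Get-NtlmV1Logons {
    param(
        # Default: last 5000 logon events from the live Security log.
        [xml[]]$Events = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                              -MaxEvents 5000 -ErrorAction Stop |
                          ForEach-Object { [xml]$_.ToXml() })
    )
    foreach ($e in $Events) {
        $d = ConvertFrom-EventData -Xml $e
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $e.Event.System.TimeCreated.SystemTime
                Computer    = $e.Event.System.Computer
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']        # 3 = network (SMB on 445 lands here)
                SourceIP    = $d['IpAddress']
                Workstation = $d['WorkstationName']
            }
        }
    }
}

# --- Constructed sample events (not real telemetry) for offline testing ---
$sampleV1 = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2025-01-15T10:21:07Z"/><Computer>FILESRV01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="WorkstationName">LEGACY-SCANNER</Data><Data Name="IpAddress">10.20.30.40</Data>
  </EventData>
</Event>
'@
$sampleV2 = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2025-01-15T10:22:30Z"/><Computer>FILESRV01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">asmith</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="WorkstationName">WS-0042</Data><Data Name="IpAddress">10.20.31.7</Data>
  </EventData>
</Event>
'@

# Offline run: only the NTLM V1 logon (jdoe from LEGACY-SCANNER) is returned.
Get-NtlmV1Logons -Events @($sampleV1, $sampleV2) | Format-Table -AutoSize

# Live run (elevated): Get-NtlmV1Logons | Format-Table -AutoSize
```

A useful triage step is to group the live output by `Workstation` and `SourceIP`: a small, stable set of legacy devices is the expected baseline after auditing is enabled, while a new source appearing with NTLM v1 network logons is the "unusual pattern from unexpected sources" the indicator list refers to.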