CVE-2025-21377

6.5 MEDIUM

📋 TL;DR

This is a spoofing vulnerability that can expose a user's NTLM hash to an attacker, potentially enabling credential theft and lateral movement. It affects systems that use NTLM authentication, principally Windows environments; organizations still relying on NTLM for authentication are at risk.

💻 Affected Systems

Products:
  • Microsoft Windows
  • Systems using NTLM authentication
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows Server, Windows Client versions
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with NTLM authentication enabled are vulnerable. Kerberos-only environments may not be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal NTLM hashes, perform pass-the-hash attacks, gain domain admin privileges, and compromise entire Active Directory environments.

🟠

Likely Case

Credential theft leading to lateral movement within networks, privilege escalation, and data exfiltration from compromised systems.

🟢

If Mitigated

Limited impact with proper network segmentation, NTLM restrictions, and monitoring in place.

🌐 Internet-Facing: MEDIUM - Requires NTLM authentication exposure to internet, which should be limited in modern environments.
🏢 Internal Only: HIGH - Most exploitation would occur within internal networks where NTLM is commonly used.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access and ability to intercept or manipulate NTLM authentication flows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21377

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft Update.
2. Restart affected systems.
3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Disable NTLM Authentication

Configure systems to use Kerberos authentication only where possible. The RestrictSendingNTLMTraffic value lives under the MSV1_0 subkey; 1 audits outgoing NTLM traffic, 2 blocks it entirely (test with 1 first, since 2 breaks any remaining NTLM-only service):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Type DWord -Value 2

Enable NTLM Auditing

Monitor NTLM authentication attempts for suspicious activity. Incoming NTLM auditing is controlled by AuditReceivingNTLMTraffic (2 = audit all accounts) and is written to the Microsoft-Windows-NTLM/Operational log; failed logons (event 4625) additionally need the Logon audit subcategory enabled:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "AuditReceivingNTLMTraffic" -Type DWord -Value 2
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using NTLM
  • Deploy additional authentication controls like multi-factor authentication

🔍 How to Verify

Check if Vulnerable:

Check if NTLM authentication is enabled and systems are unpatched via Windows Update status

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history shows the relevant security update installed

📡 Detection & Monitoring

Log Indicators:

  • Unusual NTLM authentication patterns
  • Multiple failed NTLM attempts from single source
  • NTLM authentication from unexpected locations

Network Indicators:

  • Unusual NTLM traffic patterns
  • NTLM authentication to unexpected services
  • SMB or other protocol abuse for NTLM relay

SIEM Query:

source="windows-security" EventCode=4625 AuthenticationPackage=NTLM | stats count by src_ip
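The SIEM query above only counts failed NTLM logons per source address. As an added example (not part of the original advisory), the following Python does the same aggregation over constructed event 4625 records and also tracks distinct target accounts, so a low-volume spray across many users is flagged alongside a burst against one account; the field names follow the Windows event XML, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample records shaped like Security event 4625 fields.
# Field names follow the Windows event XML; the values are invented.
SAMPLE_EVENTS = (
    [{"EventCode": 4625, "AuthenticationPackageName": "NTLM",
      "IpAddress": "10.0.5.23", "TargetUserName": "alice"}] * 6
    + [{"EventCode": 4625, "AuthenticationPackageName": "NTLM",
        "IpAddress": "10.0.7.8", "TargetUserName": u}
       for u in ("bob", "carol", "dave", "erin")]
    + [{"EventCode": 4625, "AuthenticationPackageName": "Kerberos",
        "IpAddress": "10.0.9.1", "TargetUserName": "frank"}] * 8
    + [{"EventCode": 4625, "AuthenticationPackageName": "NTLM",
        "IpAddress": "10.0.2.2", "TargetUserName": "grace"}]
)


def ntlm_failures(events):
    """Keep only failed logons (4625) negotiated through the NTLM package."""
    return [e for e in events
            if e.get("EventCode") == 4625
            and str(e.get("AuthenticationPackageName", "")).upper() == "NTLM"]


def failures_by_source(events):
    """Equivalent of 'stats count by src_ip', plus distinct target accounts.
    Returns {ip: (attempts, distinct_users)}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for e in ntlm_failures(events):
        bucket = per_ip[e.get("IpAddress", "-")]
        bucket["attempts"] += 1
        bucket["users"].add(e.get("TargetUserName", "-"))
    return {ip: (b["attempts"], len(b["users"])) for ip, b in per_ip.items()}


def flag_sources(events, max_attempts=5, max_users=3):
    """Return {ip: reason} for sources that look like NTLM guessing or spraying.
    Thresholds are placeholders; tune them to the environment's baseline."""
    flagged = {}
    for ip, (attempts, users) in failures_by_source(events).items():
        if users >= max_users:
            flagged[ip] = "password spray across %d accounts" % users
        elif attempts >= max_attempts:
            flagged[ip] = "%d failed NTLM logons" % attempts
    return flagged


if __name__ == "__main__":
    for ip, reason in sorted(flag_sources(SAMPLE_EVENTS).items()):
        print(ip, reason)
```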
