
CVE-2024-43451

Severity: High
Vendor: Microsoft
SVRS: 46/100
CVSSv3: 6.5/10
EPSS: 0.90683/1

CVE-2024-43451 is an NTLM Hash Disclosure Spoofing Vulnerability that allows attackers to spoof communications and steal NTLM hashes. It arises from improper handling of NTLM authentication, leading to information disclosure. Despite a CVSS score of 6.5, the SOCRadar Vulnerability Risk Score (SVRS) is 46, indicating a moderate risk; however, active exploits are available and the CVE is listed in the CISA KEV catalog, which raises the concern. Attackers could leverage this flaw to impersonate legitimate users or services, compromising systems that rely on NTLM for authentication. The availability of active exploits amplifies the threat and calls for prompt security measures. While the SVRS is below the critical threshold of 80, the "In The Wild" tag indicates active exploitation, so monitoring and patching are warranted to mitigate the risk. Organizations should review and apply vendor advisories to secure their NTLM authentication mechanisms.

Tags: CISA KEV, In The Wild, Exploit Available, Vendor-advisory
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C
Published: 2024-11-12 | Updated: 2025-01-30
SOCRadar AI Insight

Description

CVE-2024-43451 is an NTLM Hash Disclosure Spoofing Vulnerability that allows attackers to obtain sensitive credentials by tricking systems into disclosing NTLM hashes. The CVSS score (6.5) categorizes it as a moderate risk, and SOCRadar's SVRS assigns a score of 40, highlighting the potential for exploitation. Although the SVRS score is below 80, the 'In The Wild' tag indicates that the vulnerability is actively being exploited by hackers, so it is highly important to take immediate action to mitigate this risk.

Key Insights

  • Active Exploits: This CVE is actively being exploited in the wild, meaning attackers are using publicly available tools and methods to compromise systems.
  • NTLM Hash Disclosure: The vulnerability allows attackers to potentially obtain NTLM hashes from vulnerable systems. These hashes can then be cracked, potentially leading to unauthorized access to the systems or other sensitive information.
  • CISA Warning: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a KEV warning, urging organizations to address the vulnerability promptly.
  • Wide Applicability: This vulnerability affects a wide range of systems and software that utilize NTLM authentication, making it a potentially widespread threat.

Mitigation Strategies

  • Disable NTLM Authentication: If possible, completely disable NTLM authentication on your network and systems. Use modern authentication protocols such as Kerberos or OAuth 2.0 whenever feasible.
  • Implement Strong Passwords: Enforce strong password policies with length, complexity, and regular rotation requirements.
  • Network Segmentation: Implement network segmentation to limit the impact of a potential breach. This will help prevent attackers from spreading laterally across your network.
  • Multi-Factor Authentication (MFA): Deploy multi-factor authentication (MFA) to enhance account security. This adds an extra layer of protection, making it harder for attackers to gain access to accounts even if they obtain NTLM hashes.


Indicators of Compromise


Exploits

Title                                                            Link                                            Date
Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability  https://www.cisa.gov/search?g=CVE-2024-43451    2024-11-12
RonF98/CVE-2024-43451-POC                                        https://github.com/RonF98/CVE-2024-43451-POC    2025-01-20

News

CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild
ClearSky Research Team, 2025-04-01, clearskysec.com
A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities. The vulnerability activates URL files containing malicious code through seemingly innocuous actions: The malicious URL files were disguised as academic certificates and were initially observed being […]
Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)
Mitja Kolsek ([email protected]), 2025-04-01, blogspot.com
November 2024 Windows updates brought a fix for CVE-2024-43451
17th March – Threat Intelligence Report
checkpoint.com
For the latest discoveries in cyber research for the week of 17th March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Check Point Research elaborates about the pro-Palestinian hacktivist group "Dark Storm" which claimed the large-scale DDoS attack against X (formerly Twitter). The attack disrupted access to the platform, causing outages for users […]
Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks
Ajit Jasrotia, 2025-03-11, allhackernews.com
The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024. "The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates," Check Point said in a new analysis. "More than 1,600 victims were affected […]
CVE-2024-43451 | Microsoft Windows up to Server 2025 NTLM Hash file inclusion
vuldb.com, 2025-02-27
A vulnerability was found in Microsoft Windows and classified as problematic. Affected by this issue is some unknown functionality of the component NTLM Hash Handler. The manipulation leads to file inclusion. This vulnerability is handled as CVE-2024-43451. The attack may be launched remotely. Furthermore, there is an exploit available
Exploits and vulnerabilities in Q4 2024
Alexander Kolesnikov, 2025-02-26, securelist.com
This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024. Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4
Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked - Help Net Security
2024-11-17, google.com
Here's an overview of some of last week's most interesting news, articles, interviews and videos: Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers. Massive troves of Amazon, HSBC employee data leaked A threat actor who goes by the online

Social Media

  • Blind Eagle strikes Colombian 🇨🇴 institutions with 1,600+ infections. APT-C-36 exploited CVE-2024-43451 + social engineering to deliver RATs like Remcos despite patches being available. #CyberSecurity #APT #CVE #latam https://t.co/cbvYqOG7fB
  • Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451) https://t.co/HgyIcVmQSN #cyber #threathunting #infosec
  • @PoliciaColombia @sicsuper @CGR_Colombia @ADR_Colombia @DIANColombia In my opinion this is extremely serious. EVERY PERSON AND INSTITUTION IN COLOMBIA MUST KNOW THAT THIS IS HAPPENING. They must identify how this attack happens and must update Windows to prevent exploitation of CVE-2024-43451.
  • Actively exploited CVE : CVE-2024-43451
  • @_CPResearch_ CVE-2024-43451 was found and reported by ClearSky cyber security not CERT UA. Please change your research. https://t.co/uvjYx1U4vH
  • #ThreatProtection #BlindEagle #APT-C-36 #CVE-2024-43451, read more about Symantec's protection: https://t.co/WYdQiJQr0w #malware
  • 🚨 Blind Eagle strikes again—over 1,600 victims in Colombia since Nov 2024! 🇨🇴 Government & private orgs targeted using spear-phishing & new malware like Remcos RAT. CVE-2024-43451 exploit hits 6 days after patch. See it: https://t.co/fjAnOqxpGF
  • 🚨 Blind Eagle, a cyber threat actor targeting Colombian institutions, exploited a Microsoft flaw (CVE-2024-43451) and used HeartCrypt to distribute malware via GitHub. Over 1,600 victims were impacted, including sensitive data leaks. Read about the... https://t.co/XHtqpmGtQk
  • 🚨 Blind Eagle APT is targeting Colombian institutions with .url malware mimicking CVE-2024-43451 behavior! Over 1,600 victims in one campaign alone. Operation Fail also exposed past phishing activities, stealing 8K+ PII. #CyberSecurity #APT #BlindEagle https://t.co/Q3YsXhCfFX
  • 🚨 Blind Eagle APT is targeting Colombian institutions with .url malware mimicking CVE-2024-43451 behavior! Over 1,600 victims in one campaign alone. Operation Fail also exposed past phishing activities, stealing 8K+ PII. #CyberSecurity #APT #BlindEagle https://t.co/UxUhh5tMUC

Affected Software

Configuration 1
Type  Vendor     Product
OS    Microsoft  windows_10_1607
OS    Microsoft  windows_10_1507
OS    Microsoft  windows_10_22h2
OS    Microsoft  windows_11_22h2
OS    Microsoft  windows_server_2022
OS    Microsoft  windows_10_1809
OS    Microsoft  windows_10_21h2
OS    Microsoft  windows_11_23h2
OS    Microsoft  windows_server_2022_23h2
OS    Microsoft  windows_server_2016
OS    Microsoft  windows_server_2012
OS    Microsoft  windows_server_2019
OS    Microsoft  windows_server_2008

References

Reference                                     Link
[email protected]                             https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451
NTLM HASH DISCLOSURE SPOOFING VULNERABILITY   https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451

CWE Details

CWE ID  CWE Name                                 Description
CWE-73  External Control of File Name or Path    The software allows user input to control or influence paths or file names that are used in filesystem operations.
