Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2024-43451

Disclosure Date: November 12, 2024 •

CVE-2024-43451 CVSS v3 Base Score: 6.5

Exploited in the Wild

Reported by AttackerKB Worker and 1 more...
View Source Details

Description

NTLM Hash Disclosure Spoofing Vulnerability

Add Assessment

cbeek-r7 (192)

March 10, 2025 6:13pm UTC (1 day ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Technical Analysis

CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability categorized as a “spoofing” flaw that affects all supported Microsoft Windows versions, including Windows 10, Windows 11, and Windows Server editions.

The vulnerability stems from how Windows handles Internet Shortcut (.URL) files, exploiting a weakness in the outdated MSHTML (Internet Explorer) engine still present in the OS.

An attacker can craft a malicious .URL file pointing to a network path (UNC) hosted on an attacker-controlled server. When Windows Explorer or related components interact with this file, the system automatically attempts to retrieve remote resources over SMB, triggering an NTLM authentication handshake without requiring user approval.

Essentially, as soon as the file is engaged, Windows “calls out” to the attacker’s SMB server, sending the user’s NTLMv2 hash (hashed credentials) for authentication.

The vulnerability arises because seemingly harmless file interactions—such as previewing, moving, or right-clicking a .URL shortcut—cause the Windows shell to invoke the MSHTML/Explorer subsystem to fetch external content, such as an icon or target path.

Since the path can be a remote SMB share (file:// URI or UNC), Windows automatically performs NTLM authentication with that remote server, unknowingly leaking the NTLMv2 password hash to the attacker.

This flaw does not execute arbitrary code directly but compromises confidentiality by exposing credentials.

With the stolen hash, an attacker can impersonate the user on a network by performing a pass-the-hash attack, allowing them to authenticate without needing the user’s plaintext password.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.5 Medium

Impact Score:

3.6

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows Server 2025 10.0.26100.2314

Windows Server 2025 (Server Core installation) 10.0.26100.2314

Windows 10 Version 1809 10.0.17763.6532

Windows Server 2019 10.0.17763.6532

Windows Server 2019 (Server Core installation) 10.0.17763.6532

Windows Server 2022 10.0.20348.2849

Windows 10 Version 21H2 10.0.19044.5131

Windows 11 version 22H2 10.0.22621.4460

Windows 10 Version 22H2 10.0.19045.5131

Windows 11 version 22H3 10.0.22631.4460

Windows 11 Version 23H2 10.0.22631.4460

Windows Server 2022, 23H2 Edition (Server Core installation) 10.0.25398.1251

Windows 11 Version 24H2 10.0.26100.2314

Windows 10 Version 1507 10.0.10240.20826

Windows 10 Version 1607 10.0.14393.7515

Windows Server 2016 10.0.14393.7515

Windows Server 2016 (Server Core installation) 10.0.14393.7515

Windows Server 2008 Service Pack 2 6.0.6003.22966

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.22966

Windows Server 2008 Service Pack 2 6.0.6003.22966

Windows Server 2008 R2 Service Pack 1 6.1.7601.27415

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.27415

Windows Server 2012 R2 6.3.9600.22267

Windows Server 2012 R2 (Server Core installation) 6.3.9600.22267

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

Weaknesses

CWE-73

Exploited in the Wild

Reported by:

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/11/12/cisa-adds-five-known-exploited-vulnerabilities-catalog)

Reported: November 13, 2024 8:11am UTC (3 months ago)

cbeek-r7 indicated source as Government or Industry Alert (https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/)

Reported: March 10, 2025 3:49pm UTC (1 day ago)

References

Canonical

CVE-2024-43451 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43451)

Miscellaneous

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451

https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/

Rapid7

Very High

CVE-2024-43451

Very High

Very High

Required

None

Network

CVE-2024-43451

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification