Microsoft fixes new NTLM relay zero-day in all Windows versions (Security News, May 2022)
Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that unauthenticated attackers can exploit remotely to force domain controllers to authenticate to them via the Windows NT LAN Manager (NTLM) security protocol.
The vulnerability, tracked as CVE-2022-26925 and reported by Bertelsmann Printing Group's Raphael John, has been exploited in the wild and seems to be a new vector for the PetitPotam NTLM relay attack.
LockFile ransomware operators have abused the PetitPotam NTLM relay attack method to hijack Windows domains and deploy malicious payloads.
Microsoft advises Windows admins to review its PetitPotam mitigations and its guidance on mitigating NTLM relay attacks on Active Directory Certificate Services for more information on protecting their systems from CVE-2022-26925 attacks.
Installing these updates also comes with downsides on systems running Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, as they will break backup software from some vendors.
CVE-2022-26925 impacts all Windows versions, client and server platforms alike, from Windows 7 and Windows Server 2008 up to Windows 11 and Windows Server 2022.
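To make the mitigation advice above concrete, here is an added audit helper (not code from the article or from Microsoft) that reports whether the commonly documented NTLM relay and PetitPotam hardening steps are in place on an AD CS host. The IIS site path, the registry value names, the meaning of the value 2, and the MS-EFSRPC interface UUID are assumptions drawn from Microsoft's public hardening guidance, not from this page; run it on the CA server as an administrator.

```powershell
# Added audit helper, assumptions: default CertSrv site path, LSA/MSV1_0
# registry policy values, and the efsrpc interface UUID used by PetitPotam.
Import-Module WebAdministration -ErrorAction Stop

function Test-AdcsNtlmRelayMitigations {
    [CmdletBinding()]
    param(
        # IIS path of the CA web enrollment application (assumed default location).
        [string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'
    )

    # 1. Extended Protection for Authentication on CertSrv: tokenChecking must be
    #    'Require' so a relayed NTLM handshake without channel binding is rejected.
    $epa = Get-WebConfigurationProperty -PSPath $CertSrvPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    $epaRequired = ("$epa" -eq 'Require')

    # 2. Incoming NTLM restricted at the LSA level. This mirrors the policy
    #    "Network security: Restrict NTLM: Incoming NTLM traffic" (2 = Deny all accounts).
    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -ErrorAction SilentlyContinue
    $incomingNtlmDenied = ($msv.RestrictReceivingNTLMTraffic -eq 2)

    # 3. An RPC filter blocking the MS-EFSRPC interface abused by PetitPotam.
    #    Heuristic: look for the efsrpc interface UUID in the netsh filter listing.
    $filters = netsh rpc filter show filter 2>$null
    $efsrpcFiltered = [bool]($filters -match 'c681d488-d850-11d0-8c52-00c04fd90f7e')

    [pscustomobject]@{
        EpaRequiredOnCertSrv  = $epaRequired
        IncomingNtlmDenied    = $incomingNtlmDenied
        EfsrpcRpcFilterSet    = $efsrpcFiltered
        AllMitigationsPresent = $epaRequired -and $incomingNtlmDenied -and $efsrpcFiltered
    }
}

Test-AdcsNtlmRelayMitigations | Format-List
```

A false result for any field is a prompt to consult the referenced Microsoft guidance for that specific step; the script only reads configuration and changes nothing.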
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-10 | CVE-2022-26925 | Windows LSA Spoofing Vulnerability (Missing Authentication for Critical Function vulnerability in Microsoft products) | 5.9 |