About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has […]

**About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability.** The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just **extracting a ZIP/RAR archive** with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

Thorsten picks apart some headlines, highlights Talos’ report on an unknown attacker predominantly targeting Japan, and asks, “Where is the victim, and does it matter?”

Thursday, March 13, 2025 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Let's pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025.

When a software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn't typically (or shouldn't be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement.

In last week’s newsletter, my colleague Martin asked, "Who is responsible, and does it matter?" As a thought exercise, let's flip the script and ask, "Where is the victim, and does it matter?" I often field questions about threats specific to countries, regions, or continents, but the reality is that software is largely the same regardless of physical location. Yes, there are different language packs, and yes, spam and phishing campaigns may use local languages. However, when it comes to software, operating systems, libraries, and drivers, we share code globally.

Remember Log4j and NotPetya? These vulnerabilities caused chaos around the globe. Both have CVEs listed in the Known Exploited Vulnerabilities (KEV) catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

While researching the KEVs added in 2024, I discovered CVEs dating back to 2012, 2013, and 2014. This underscores that regardless of location, old vulnerabilities can remain relevant and dangerous years after their discovery.

Fast forward to 2025: CVE-2025-22224 was published on Mar. 4, 2025 and added to CISA's KEV Catalog less than two hours later. A week later, over 40,000 vulnerable instances were still detected globally, as shown on the Shadowserver dashboard:

Rather than solely focusing on geography, the global vulnerability landscape suggests we should ask ourselves:

·       "Am I running this software?"  
·       “Is my software up to date?"  
·       "How quickly can I fix it?"  
·       Or, for the brave, "Am I prepared to take the risk?"

While more attributes for CVEs may be beneficial, I personally believe the absence of a geographic attribute is a good thing. Patching and updating software should be prioritized regardless of nationality or geographic context. When it comes to maintaining robust cybersecurity, the only good vulnerability is no vulnerability.

Remember: In the digital world, we're all neighbors. A vulnerability anywhere is a threat just around the corner.

**The one big thing**

Cisco Talos discovered malicious activities conducted by an unknown attacker as early as January 2025, predominantly targeting organizations in Japan. The attacker exploited a vulnerability, CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

**Why do I care?**

We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response report for Q4 2024, and this intrusion highlights this ongoing activity. In this case, the attacker establishes persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”

**So now what?**

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see the National Vulnerability Database. Here are the Snort SIDs for this threat:

·       Snort 2: 64632, 64633, 64630, 64631  
·       Snort 3: 301157, 301156

**Top security headlines of the week**

· **The Bluetooth “backdoor” that wasn’t.** The original title, “Undocumented backdoor found in Bluetooth chip used by a billion devices,” was updated to a more precise description: “Undocumented commands found in Bluetooth chip used by a billion devices.” (Bleepingcomputer) (Darkmentor)

· **A ransomware gang leveraged a vulnerable IP camera in an attack, effectively circumventing Endpoint Detection and Response (EDR).** The “Mr. Monk” in me wants to point out that while the article title says “webcam” — which, in my definition, is a camera connected internally or via USB to a PC — the article discusses Linux and SMB shares, which suggests it is an IP camera.  (Bleepingcomputer)

· **Massive alleged cyber attack against X (formerly Twitter).** This past Monday, a series of outages left X unavailable for thousands of users for at least one hour. Not all details are currently known to the public. (Securityweek)

**Can’t get enough Talos?**

  
Cascading Style Sheets (CSS) are ever present in modern day web browsing, however it's far from their own use. Read our latest blog on Abusing with style: Leveraging cascading style sheets for evasion and tracking.

Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. Read the full blog here: Unmasking the new persistent attacks on Japan

**Upcoming events where you can find Talos**

· DEVCORE (March 15, 2025) Taipei, Taiwan. Ashley Shen will give a talk on exploit hunting.  
· RSA (April 28-May 1, 2025)  San Francisco, CA  
· PIVOTcon (May 7-May 9, 2025) Malaga, Spain. Ashley Shen and Vitor Ventura will present "Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling."  
· CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
· Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
MD5: 7abf12ab98f4cbed63228bba977cea7e  
VirusTotal:  https://www.virustotal.com/gui/file/9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
Typical Filename: pdfzonepro.msi  
Claimed Product: N/A  
Detection Name: W32.9C60480AFB-95.SBX.TG

 SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

Patch it up: Old vulnerabilities are everyone’s problems

Blockchain technology is revolutionizing industries by enabling secure transactions, decentralization, and transparency. At the same time, Blockchain software…

Blockchain technology is revolutionizing industries by enabling secure transactions, decentralization, and transparency. At the same time, Blockchain software development services are increasingly sought after by businesses looking to adopt cutting-edge solutions for various use cases such as:

1.  Blockchain solutions for enterprises
2.  Startups and innovators in the blockchain space
3.  Small and medium businesses adopting blockchain

From enhancing supply chain management to implementing smart contracts, companies across different sectors are leveraging blockchain development services to improve their operations.

**Blockchain solutions for enterprises**

Large enterprises are turning to blockchain software development to improve enterprise blockchain development and optimize their existing infrastructure. The integration of blockchain platforms and blockchain networks allows businesses to streamline supply chain management, enhance security, and create custom blockchain solutions.

For enterprises, blockchain technology offers the opportunity to modernize processes, reduce fraud, and improve transparency across the entire blockchain ecosystem. Companies with significant data and transaction volumes can benefit from secure blockchain infrastructure and blockchain consulting services to ensure the smooth implementation of their blockchain projects.

According to 10clouds, a blockchain software development services provider, many companies are turning to blockchain developers to create customised yet secure solutions that improve transaction transparency and operational efficiency.

****Small and medium businesses adopting blockchain****

In addition to large corporations, small and medium-sized businesses (SMBs) are increasingly adopting custom blockchain development services to stay competitive in their respective industries. These businesses are often looking for blockchain application development services that are cost-effective and tailored to their specific needs.

By leveraging blockchain technology, SMBs can provide secure transactions, improve digital asset management, and build decentralized applications (dApps) for better customer engagement. Blockchain app development companies help these businesses achieve their business objectives by implementing blockchain solutions that improve operational efficiency and enhance their customer experience.

****Startups and innovators in the blockchain space****

Startups and companies in the tech space are leading the charge in blockchain app development. These organizations are looking for blockchain software development companies with expertise in building innovative products such as decentralized applications and smart contracts.

By working with the right blockchain development company, these startups can create cutting-edge blockchain solutions that set them apart from the competition. Whether it’s blockchain integration, custom blockchain app development, or blockchain consulting, these companies rely on blockchain developers to bring their ideas to life and scale in the growing blockchain space.

Image by Gerd Altmann from Pixabay

Why Small and Medium Businesses Are Adopting Blockchain Solutions

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update…

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update firmware now!

Rapid7 researchers uncovered security weaknesses in Xerox Versalink C7025 multifunction printers, specifically models running firmware version 57.69.91 and earlier. These vulnerabilities designated CVE-2024-12510 and CVE-2024-12511, expose the devices to “pass-back” attacks.

According to Rapid7’s research shared with Hackread.com, these are a type of attacks that allow a malicious actor who has compromised the printer’s administrative functions to redirect authentication requests to a system under their control. This can be achieved by altering settings related to services like Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and File Transfer Protocol (FTP).

The LDAP vulnerability allows an attacker to modify the LDAP server’s IP address within the printer’s configuration. By then triggering an LDAP lookup, the printer unwittingly sends authentication credentials to the attacker’s rogue server. The attacker can then capture these credentials in clear text. Similarly, the SMB/FTP vulnerability allows modification of the SMB or FTP server’s IP address in the user’s address book configuration.  

The image illustrates how an attacker might manipulate the server IP address to redirect authentication attempts to a rogue server, thereby stealing the credentials. Predefined login credentials, with the username “MFPservice,” are used for authentication.

While the password itself is obscured, its presence indicates that the printer is configured to authenticate to the LDAP server, a detail central to the pass-back vulnerability where these credentials could be captured by an attacker.

Source: Rapid7

This can be exploited by triggering a scan-to-file operation, which sends authentication credentials to the attacker-controlled server. In the case of SMB, this could expose NetNTLMV2 handshakes, potentially allowing further compromise of Active Directory file servers. For FTP, credentials would be transmitted in clear text.

Successful exploitation of these vulnerabilities requires either administrative access to the printer’s settings or, in some cases, physical access to the console or remote access via the web interface if user-level remote control is enabled. 

The impact of these vulnerabilities is significant, as attackers could potentially gain access to sensitive credentials, including those for Windows Active Directory. This could enable lateral movement within a network, compromising critical servers and systems.

Rapid7 responsibly disclosed these vulnerabilities to Xerox, coordinating the disclosure timeline and working with the vendor to confirm the effectiveness of the patches. Organizations using affected Xerox Versalink printers should immediately upgrade to the latest patched firmware version.

In case immediate patching is not feasible, it is recommended to set a strong and unique password for the printer’s administrative account, avoid the use of domain administrator accounts for LDAP or scan-to-file services, and disable remote console access for unauthenticated users.

Xerox Versalink Printers Vulnerabilities Could Let Hackers Steal Credentials

Attackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.

Soure: T. Schneider via Shutterstock

A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs' configuration.

**Complete Access to Windows Environments**

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6) an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMM or FTP authentication credentials.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

**An Ideal Scenario for Threat Actors**

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Xerox Printer Vulnerabilities Enable Credential Capture

Security vulnerabilities have been disclosed in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks via Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
"This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP's configuration and cause the MFP

New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials

Web shops are an attractive target. How can SMBs keep theirs safe?

An online shop is more than just another way to sell your products. It comes with a responsibility to keep the web shop secure.

Cybercriminals are looking to steal your customers’ credit card details, their personal data, and even your revenue.

And it’s not as if using a platform that is used by major retailers makes it safe. Platforms like Shopify, Wix, and Magento are always under scrutiny of cybercriminals that are looking for a vulnerability that allows them to insert skimmers or get access to your database.

Let’s look at some examples to demonstrate my point.

A cybercriminal specializing in breaching Shopify stores is posting huge data sets as free downloads. Using the monicker ShopifyGUY, which implies they specialize in Shopify sites, the cybercriminal posted a few datasets containing millions of customer records.

boAt Lifestyle data free download

For example, boAt is reportedly Indian’s most active company that markets audio-focused electronic gadgets. ShopifyGUY dumped files of a data breach with access to PII information of boAt customers, which has 7,550,000 entries.

Piping Rock data for download

ShopifyGUY also uploaded the Piping Rock database containing 2.1million email addresses from the online health products store Piping Rock.

We found several Magento-based web shops that had skimmers injected into their code busy stealing credit card information. One of them even infected visitors with the SocGolish malware, a sophisticated JavaScript malware framework that has been actively used by cybercriminals since at least 2017. It tricks users into running a script supposedly meant to update their browser. What it actually does is infect the machine and send the details back to a human operator, who can decide how best to monetize it. Lately, SocGholish has been found to install information stealers on both Windows and Mac machines.

The most common attacks web shop owners need to worry about are:

*   Credential phishing where the criminals try to steal your login credentials.
*   Malware injection where the criminals inject malicious code into your web shop by abusing a vulnerability in the platform itself or a plug-in.
*   Brute force attacks, where the criminals try a whole bunch of passwords they obtained from other breaches.

So, to keep your web shop safe you should:

*   Be extra vigilant when it comes to phishing attempts.
*   Keep your software up to date.
*   Protect the device(s) you use to login with an active anti-malware solution.
*   Make it harder to log in by using multi-factor authentication (MFA) and by not re-using passwords.
*   Regularly check your web site for additional code, especially the payment section.
*   If you run the web shop on your own server, use web application firewalls (WAF) to detect and block malicious traffic.
*   Do not store customer details that you no longer need.

Your customers will probably not thank you for your efforts, but they will come complaining if you spill their data.

For readers that would like to check whether their credentials are included in one of the data breaches, Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Small business owners, secure your web shop 

While Microsoft has boosted the security of Windows Print Spooler in the three years since the disclosure of the PrintNightmare vulnerability, the service remains a spooky threat that organizations cannot afford to ignore.

The 2021 PrintNightmare vulnerability exposed multiple deep-rooted security flaws in Microsoft's Print Spooler service, a core Windows component. The flaws, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service and organizations to change how they enabled printing services for users. While Microsoft's changes have overall improved Print Spooler's security, researchers caution that the service remains a prime target for attackers. The potential weaknesses resulting from Microsoft's efforts to maintain backward compatibility with legacy code leaves Print Spooler vulnerable.

**A Critical Security Weakness**

PrintNightmare gave attackers a way to gain system-level privileges on affected systems, which included everything from domain controllers and Active Directory systems to lower-end servers and client systems. The flaw (CVE-2021-34527) stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to run arbitrary code, download malware, create new user accounts, or view, change, and delete data on affected systems.

The vulnerability arose from the service's failure to properly validate permissions for installing printer drivers, combined with its capability to accept remote connections via the Remote Procedure Call (RPC) protocol. This allowed attackers to remotely install malicious drivers and execute arbitrary code with elevated privileges, even from minimally privileged accounts. Researchers estimated that over 90% of Print Spooler environments at the time were impacted by PrintNightmare. The sheer scope of the threat prompted urgent calls from Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA), and others to apply immediate remediation measures.

"In the years following PrintNightmare, there have been exploits that have taken advantage of the remote aspect of the Print Spooler service," says Ben McCarthy, lead cyber security engineer at Immersive Labs.

There are a number of reasons why this is the case, he says, including the fact that the service is remotely accessible and allows for lateral movement.

"Furthermore, when large vulnerabilities are released, like PrintNightmare, it tips off hackers around the world that there may be more vulnerabilities in that component of Windows," McCarthy says. He also points to a report by researchers from China that described the internals of how Print Spooler worked as likely contributing to the discovery of multiple vulnerabilities in the service following the disclosure of PrintNightmare.

**Unprecedented Attention on Print Spooler Weaknesses**

The PrintNightmare vulnerability focused near unprecedented attention on the security of Microsoft's notoriously buggy Print Spooler service.

In the weeks and months following the disclosures, security researchers — many of them from Microsoft itself — uncovered as many as 11 Print Spooler vulnerabilities in 2021 alone. The first of these post-PrintNightmare Print Spooler vulnerabilities was CVE-2021-34481, a remote code execution vulnerability that Microsoft patched on July 15, 2021. The bug was publicly disclosed before Microsoft had a fix for it, but it did not end up getting exploited.

Like PrintNightmare, CVE-2021-34481 stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to load malicious drivers with system-level privileges. The flaw — and PrintNightmare before it — prompted Microsoft to change the default behavior of Point and Print, a Windows feature that lets users connect to network printers and automatically download and install the required printer drivers. Microsoft changed the default behavior to ensure that only users with administrative privileges could install new printers or update existing printer drivers.

The other Print Spooler related flaws discovered in 2021 were CVE-2021-34483, CVE-2021-36936, CVE-2021-36947, CVE-2021-36958, CVE-2021-36970, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447, CVE-2021-1675, and CVE-2021-41332.

In total, Microsoft has disclosed some 53 Print Spooler related vulnerabilities since PrintNightmare was disclosed in 2021, says Satnam Narang, senior staff research engineer at Tenable. In addition to the 11 in 2021, Microsoft disclosed 35 in 2022, four in 2023, and three more in 2024. The three disclosed in 2024 were CVE-2024-21433, CVE-2024-38198, and CVE-2024-43529.

"Per the CISA Known Exploited Vulnerabilities \[KEV\] catalog, there were four Print Spooler vulnerabilities exploited in the wild," Narang says. All were from 2022:  CVE-2022-38028, CVE-2022-41073, CVE-2022-22718, and CVE-2022-21999.

Nearly half (45%) of these were disclosed by internal teams at Microsoft.

"It’s likely that this proactive, offensive approach led to the mitigation of many of the pathways to exploitation because we saw a steep decline in the number of reported Print Spooler vulnerabilities since \[2022\]," Narang says, pointing to the fact that Microsoft reported only seven Print Spooler vulnerabilities in total across 2023 and 2024.

Significantly, Microsoft has not disclosed a single remote code execution bug — usually the most severe — in its Print Spooler service since 2021, he adds. Instead, they have all have been an elevation of privilege bugs — which attackers typically leverage only after they have already gained initial access to a system — or information disclosure flaws. It's a positive development that likely is a result of all the research that has gone into finding vulnerabilities in the software since PrintNightmare, Narang says.

"From an outside-looking-in perspective, it appears that PrintNightmare was the catalyst for shoring up security within the Windows Print Spooler, making it increasingly difficult for attackers to exploit," Narang says.

**A Persistent Threat**

Even so, it's a mistake to take Print Spooler security for granted. The service remains a big target for attackers due to its complexity and integral role in the Windows operating system, says Mike Walters, president and co-founder of Action1. The service's legacy codebase and the need for backward compatibility also continue to present ongoing challenges, he notes.

The fact that the service is remotely accessible by any user is another reason Print Spooler remains a target of interest for attackers, adds Ben McCarthy, lead cyber security engineer at Immersive Labs. Flaws in the service give attackers an opportunity for lateral movement and privilege escalation, he says.  

"The Print Spooler service handles print jobs and communicates with printers, often using RPC for interprocess and network interactions, which introduces a broad attack surface," McCarthy says. "Vulnerabilities often arise from unchecked inputs, weak \[access control lists\], and improper handling of permissions, allowing attackers to exploit these mechanisms to execute arbitrary code or gain system-level privileges."

One notable example of the sustained and ongoing attacker interest in Print Spooler vulnerabilities is Russia-based APT28's use of CVE-2022-38028 in a privilege escalation and credential stealing campaign that targeted North American, European, and Ukrainian government organizations last April. Another indication of the broad researcher interest in the service is the fact that it was the US National Security Agency (NSA) that reported at least three Print Spooler vulnerabilities to Microsoft since PrintNightmare: CVE-2022-29104, CVE-2023-21678, and CVE-2022-38028.

For the most part, most attacks on Print Spooler bugs since PrintNightmare have simply been variations of existing and previously known attack vectors, according to Walters. Many of the vulnerabilities discovered in 2021, 2022, 2023, and 2024 are privilege escalation or remote code execution flaws that exploit similar vulnerabilities \[as\] PrintNightmare, such as improper input validation, inadequate permission checking, and the ability to load malicious drivers, Walters points out.

However, Microsoft's desire to maintain backward compatibility with legacy code has left the company addressing Print Spooler vulnerabilities at the protocol and function handler side. So expect to see researchers continuing to pound away at PrintNightmare-like bugs in Print Spooler, Walters says.

**Microsoft's Changes to Point and Print**

Besides issuing patches and offering mitigation advice for specific Print Spooler vulnerabilities, Microsoft has taken other steps to mitigate Print Spooler risks since PrintNightmare. One of the most significant is the change the company made to the default behavior of the Point and Print function associated with Print Spooler. The feature, designed to simplify the installation of printers for end users, originally allowed a user to connect to network printers and automatically download and install the required printer drivers without needing administrative privileges. Following PrintNightmare and CVE-2021-34481, Microsoft changed the feature's default behavior to ensure only users with administrative rights could do printer driver installation and updates.

At the time, Microsoft acknowledged the change could disrupt existing practices at organizations. "However, we strongly believe that the security risk justifies this change," it noted.

"Microsoft introduced the 'RestrictDriverInstallationToAdministrators' registry key and the corresponding Group Policy setting. When enabled, it enforces that only administrators can install printer drivers through Point and Print," Walters notes. Microsoft also disabled inbound remote printing by default on certain systems and strengthened the requirement for printer drivers to be digitally signed by a trusted certificate authority and some others, he notes.

In addition, new Group Policy settings that Microsoft introduced after PrintNightmare allow administrators to enforce strict controls over the print spooler service, including limiting which servers can deliver print jobs or drivers, Walters says.

"Disabling certain features by default, such as inbound remote printing, helps minimize the attack surface for systems that do not need such functionality," he notes.

PrintNightmare presented a challenge for Microsoft because fixing it required architectural changes that impacted many organizations around the world. 

"The biggest change that affected many sysadmins was the change to the way users can connect to remote printers," McCarthy says. "This necessary change means that any further exploits found in this particular part of the Print Spooler service will require the attacker to be the administrator first."

**Mitigation Measures**

Print Spooler is part of Windows OS and is enabled by default on many systems, including ones where it is generally not required, such as domain controllers. It typically runs as a privileged service, meaning it has system-level privileges, making it a high value target for attackers. Organizations can disable Print Spooler if they don't require any printing services — a somewhat rare situation in a business setting

A few mitigation measures are available for organizations struggling to completely disable Print Spooler services due to business requirements. Walters lists the following as the most effective among them:

*   Regularly install patches and updates released by Microsoft.
    
*   Configure Group Policy settings to allow only administrators to install printer drivers.
    
*   Disable incoming remote printing through Group Policy when not needed.
    
*   Use allow lists to specify approved printers and print servers.
    
*   Use security tools to monitor for suspicious activity related to the print spooler service.
    
*   Isolate print servers from critical systems to prevent lateral movement in the event of a compromise.
    
*   Deploy endpoint controls to prevent unauthorized code execution.
    

He also recommends that security administration restrict network access, segment networks with print servers, and enable secure RPC over SMB for the print spooler. In addition, consider disabling legacy protocols and features such as SMBv1 and enforce strong authentication mechanisms, Walters notes.

"It's clear that disabling Print Spooler services is not feasible in its entirety," Tenable's Narang says. "But ensuring that security updates are being applied, which often include changes like the ones noted in the July 2021 out-of-band release for PrintNightmare, is the best way to safeguard against these attacks."

PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

This Tech Tip outlines what enterprise defenders need to do to protect their enterprise environment from the new NTLM vulnerability.

Roy Akerman, VP of Identity Security Strategy, Silverfort

December 20, 2024

4 Min Read

Source: Supapixx via Alamy Stock Photo

A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

**What Is the NTLM Vulnerability?**

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization's software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM's reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

**What Defenders Need to Do**

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, for protecting existing NTLM legacy systems against exploitations.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.

**About the Author**

VP of Identity Security Strategy, Silverfort, Silverfort

Roy Akerman is the VP of Identity Security Strategy at Silverfort and former co-founder and CEO of Rezonate. Prior to Rezonate, Roy served as VP of Product and Innovation at Cybereason, responsible for growing 3 new business lines on cloud security, mobile defense, and XDR. Roy is leading product incubations and new business initiatives, fusing the practices of advanced Technology, Psychology, and Business in forming new disruptive products and anti-disciplinary innovation teams. Akerman is blending business and innovation practices acquired in his MIT and business journey with problem-solving and tech approaches based on his Government and Military experience. Roy has 20 years of experience in Cybersecurity, as one of the senior leaders and founders of NISA - the Israeli Equivalent to the NSA/Cyber Command, retired as the chief of global cyber operations. In this role, Roy and his teams ran global counter-cyber defense operations for Israel’s Cyber Defense, built cutting-edge cyber security tech. They established partnerships and alliances with numerous states and business partners.

How to Protect Your Environment From the NTLM Vulnerability

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

**Introduction**

In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.  

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate risk of of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.

**Background**

NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

1.  Coercing a victim to authenticate to an arbitrary endpoint.
    
2.  Relaying the authentication against a vulnerable target.
    

By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first class of issues. These vulnerabilities provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we need to holistically address vulnerable services by default. Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.

**Enabling NTLM Relay mitigations**

In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange server), CVE-2021-36942 (a LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). From these instances, attackers clearly leverage relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.  

**Exchange Server**

It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.  

Earlier this year, with the release Exchange Server 2019 CU 14, Exchange Server now has EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.

We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

**AD CS and LDAP**

We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows. Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.  

With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.

**Looking ahead: The future of NTLM**

NTLM is a legacy protocol and we have been recommending users to prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce dependencies of NTLM usage and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLM v2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.  

The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.

_Rohit Mothe_

_George Hughey_

_MSRC Vulnerabilities & Mitigations Team_

Tag

#samba