Researchers at Silverfort have identified a weakness in Active Directory environments that lets clients bypass the Group Policy meant to disable the insecure NTLMv1 authentication protocol. The finding is that even when an organization believes it has blocked NTLMv1, an on-premises application can still negotiate the protocol, leaving a path open for credential theft.
According to silverfort.com, the problem lies in how certain applications interact with the "Network security: LAN Manager authentication level" Group Policy setting (LmCompatibilityLevel). Many organizations rely on this policy to mitigate NTLMv1, but the research shows that third-party or custom on-premises applications can explicitly request NTLMv1 authentication, and the domain controller accepts it despite the policy.
This bypass provides a pathway for lateral movement and privilege escalation within a network. An attacker who already has a foothold can capture or relay NTLMv1 challenge-response exchanges and, because the NTLMv1 response is a weak DES construction over the NT hash, recover the hash offline. The researchers highlight mixed environments in particular, such as Mac computers connecting to banking applications, which may still rely on these legacy protocols.
Silverfort's data shows that over 64% of Active Directory user accounts still regularly authenticate using NTLM despite its known weaknesses. The researchers noted that a disabling policy which does not actually block NTLMv1 creates a "false sense of security," leaving enterprises exposed to modern attack chains.
Microsoft moves to phase out NTLMv1
In response to the disclosure, the Microsoft Security Response Center (MSRC) assessed that the bypass itself does not constitute a security vulnerability, since the policy was never designed to stop a client that explicitly asks for NTLMv1. Microsoft has nevertheless announced the complete removal of NTLMv1 from Windows, beginning with Windows 11 version 24H2 and Windows Server 2025.
Until those releases are deployed everywhere, the researchers recommend that organizations monitor NTLM authentication events across the domain (on domain controllers and on the servers that terminate NTLM logons) and map every application that uses NTLM either as its primary method or as a fallback, so that NTLMv1 clients can be identified and fixed or retired.
Silverfort recommends putting modern controls in front of NTLM traffic, such as MFA or risk-based access policies on the accounts and services that still authenticate with it, so that a captured legacy authentication message is not enough on its own to compromise an account. The company says it is working with customers to detect NTLMv1 usage and apply such risk-based boundaries to reduce the likelihood of a compromise.
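One way to do the monitoring and mapping described above, as an added example that is not Silverfort's or Microsoft's code: Windows logs the NTLM version used for a network logon in the "Package Name (NTLM only)" field (LmPackageName) of Security event 4624, so grouping those events by version, workstation and source address gives an inventory of which clients still negotiate NTLMv1. The script assumes it is run with rights to read the Security log on the listed servers; the parameter names and the output shape are this example's own choices.

```powershell
# Added example: inventory NTLM logons by version and source (not code from the
# original article). Run on domain controllers and on member servers that
# terminate NTLM authentications (file, web and application servers). Event
# 4624 carries LmPackageName ("NTLM V1", "NTLM V2" or "LM"); the DC-side
# credential-validation event 4776 does not, so 4624 is the one to query.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumed parameter name
    [int]$Days = 7
)

# Context: the policy this research shows to be insufficient on its own.
# Level 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
"LmCompatibilityLevel on $env:COMPUTERNAME = $($lsa.LmCompatibilityLevel) (blank = not set; 5 = refuse LM and NTLMv1)"

# XPath: successful logons in the last $Days days whose auth package is NTLM.
$windowMs = [int64]$Days * 24 * 60 * 60 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]" +
         " and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

$rows = foreach ($server in $ComputerName) {
    Get-WinEvent -ComputerName $server -LogName Security -FilterXPath $xpath `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Server      = $server
                Time        = $_.TimeCreated
                NtlmVersion = $d['LmPackageName']      # 'NTLM V1' is the finding we care about
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                LogonType   = $d['LogonType']
            }
        }
}

# Map which clients still speak NTLM at all (primary or fallback use), and
# which of those are NTLMv1. Anything reported as 'NTLM V1' negotiated the
# legacy protocol regardless of the LmCompatibilityLevel policy.
$rows | Group-Object NtlmVersion, Workstation, SourceIp |
    ForEach-Object {
        [pscustomobject]@{
            NtlmVersion = $_.Group[0].NtlmVersion
            Workstation = $_.Group[0].Workstation
            SourceIp    = $_.Group[0].SourceIp
            Logons      = $_.Count
            Users       = ($_.Group.User | Sort-Object -Unique) -join ', '
            Servers     = ($_.Group.Server | Sort-Object -Unique) -join ', '
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object NtlmVersion, Logons -Descending | Format-Table -AutoSize
```

Querying remote servers needs the event log service reachable over RPC; in larger estates the same query is better run centrally against forwarded events or a SIEM. Any row with NtlmVersion equal to 'NTLM V1' names a client, source address and set of accounts to chase down, and the Users column shows whether a service account is involved, which is where a relay or offline crack does the most damage.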