Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025

Source: securelist.com/ntlm-abus…

Flip phones were surging, Windows XP was new on the desktop, Apple had just launched the iPod, torrent-based file sharing was emerging, and MSN Messenger dominated online chat. That was the landscape in 2001, the year Sir Dystic of Cult of the Dead Cow released SMBRelay — the proof-of-concept that turned NTLM relay attacks from theory into practice and introduced a powerful new class of authentication-relay exploits.

Since then, NTLM’s weaknesses have been widely recognized, and year after year new vulnerabilities and more sophisticated attack techniques have continued to appear. Microsoft has responded with mitigations and by advancing NTLM’s successor, Kerberos. Yet, more than two decades later, NTLM remains deeply embedded in modern systems — spanning enterprise networks, legacy applications, and internal infrastructures that still depend on its outdated authentication methods.

This blog post examines the growing roster of NTLM-related vulnerabilities identified over the past year and explores the cybercriminal campaigns that have actively weaponized them across various regions worldwide.

Edward Kiledjian @ekiledjian