All news with #ntlm tag

SOAPwn: WSDL/SOAP Flaw Enables File Writes in .NET

🛡️WatchTowr Labs has disclosed SOAPwn, an "invalid cast" vulnerability in the .NET Framework that lets attackers abuse WSDL imports and dynamically generated SOAP client proxies to write files and achieve remote code execution. The issue impacts products including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Barracuda addressed the flaw in Service Center RMM 2025.1.1 (CVE-2025-34392, CVSS 9.8) and Ivanti issued fixes in EPM 2024 SU4 SR1 (CVE-2025-13659, CVSS 8.8). Researchers presented the findings at Black Hat Europe after disclosures in March 2024 and July 2025.

Authentication Coercion: Abusing Rare Windows RPC Interfaces

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Legacy Windows Protocols Enable Network Credential Theft

🔒 Resecurity warns that legacy Windows name-resolution protocols continue to expose organisations to credential theft when attackers share the same local network. By poisoning LLMNR and NBT-NS broadcasts using tools such as Responder, attackers can capture usernames, domain context and password hashes without exploiting a software vulnerability. Recommended mitigations include disabling these protocols via Group Policy, blocking UDP 5355, enforcing SMB signing, reducing NTLM, and monitoring for anomalous traffic.

Patch Tuesday: Critical SAP NetWeaver and Microsoft Fixes

🔔 CISOs with SAP NetWeaver AS Java deployments should urgently patch two critical flaws: CVE-2025-42944, a CVSS 10.0 insecure deserialization in the RMI-P4 module, and a CVSS 9.9 insecure file-upload vulnerability that can lead to full system compromise. As an immediate mitigation, admins can apply P4 port filtering at the ICM level until patches are installed. Microsoft released fixes for 13 critical bugs this month, including Hyper‑V guest-to-host escalation issues and an NTLM elevation flaw (CVE-2025-54918) marked Exploitation More Likely; teams should prioritize domain controllers and virtualization hosts.