title: Windows NTLM Hash Disclosure via File Interaction (NTLMv2 Spoofing) (CVE-2024-43451)
id: df00tech-cve-2024-43451
status: experimental
description: "CVE-2024-43451 is a medium-severity (CVSS 6.5) NTLM hash disclosure spoofing vulnerability in Windows NTLMv2 authentication. It is triggered when a user opens, inspects, or right-clicks a malicious file (for example a .url file or a specially crafted shortcut): Windows automatically initiates an NTLM authentication exchange with an attacker-controlled server and thereby discloses the user's NTLMv2 hash, with no credential prompt or other explicit action by the user. The root cause is classified as CWE-73 (External Control of File Name or Path). CISA added the vulnerability to its KEV catalog with a remediation deadline of December 3, 2024. Because a captured NTLMv2 hash can be cracked offline or relayed for lateral movement, this is a credential harvesting precursor that is especially effective in phishing and malicious email attachment campaigns."
references:
  - https://attack.mitre.org/techniques/CVE-2024-43451/
  - https://df00tech.com/detections/CVE-2024-43451
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-43451
  - cve.2024-43451
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # The original df00tech KQL/SPL query could not be auto-translated; see the query on df00tech.
  # The selection below is an approximation derived from the vulnerability mechanism described
  # above: the Windows shell (explorer.exe) opens an outbound SMB connection to a non-private
  # address while rendering the malicious file. The explorer.exe restriction and the private
  # address ranges in filter_private are assumptions; extend the filter with your internal
  # address allowlist.
  selection:
    Initiated: 'true'
    DestinationPort: 445
    Image|endswith: '\explorer.exe'
  filter_private:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter_private
falsepositives:
  - Windows shell accessing legitimate network file shares via .url shortcuts (tune with internal IP allowlist)
  - IT asset management tools creating .url shortcuts in user profiles
  - Browser downloads of legitimate .url files from corporate intranet sites
level: high
