
0-Click NTLM Auth Bypass Exposes Legacy Microsoft Systems
A newly discovered 0-click NTLM authentication bypass vulnerability has resurfaced within Microsoft Telnet Server implementations, exposing a dangerous flaw in outdated yet still-operational systems. Veriti research reveals that this vulnerability, requiring no user interaction, enables remote attackers to exploit NTLM authentication mechanisms and potentially gain unauthorized access.
This attack vector stems from legacy architecture still in use across various organizations, often overlooked in modern patching and vulnerability management programs. Despite the age of the protocol, Veriti threat intelligence shows hundreds of such instances are publicly exposed today.
Veriti Research Uncovers 2,800+ Exposed Instances
Using publicly available threat intelligence tools and active fingerprinting, Veriti identified over 2,800 potentially vulnerable Telnet instances tied to this flaw.

These exposed assets are not merely academic risks; they exist in real-world environments across critical sectors. Our scans revealed exposed systems tied to:
- Customer Relationship Management platforms
- Security camera control panels
- MDaemon email servers
- SRX-Pro international server infrastructure
- Energy management systems






From our perspective, this reflects a broader challenge in security posture management: residual risk from legacy systems that often fall outside the scope of standard vulnerability scanning or configuration enforcement.
Understanding the Vulnerability: 0-Click and No Patch
The vulnerability was initially flagged by independent security researcher @cyb3rops, with detailed writeups on SecurityOnline and proof-of-concept code shared via Hacker House GitHub.
Here’s what makes it particularly dangerous:
- No user interaction is needed – attackers can execute the bypass remotely.
- No patch is currently available from Microsoft, as the Telnet Server component is deprecated.
- Exploitation is straightforward for anyone with access to the right PoC and network visibility.
This combination of factors places it in the “silent but critical” category of threats, particularly because organizations may not even know they’re exposed.
Veriti Research: Attack Surface Must Include Legacy
Our findings underscore a recurring theme in enterprise security: legacy systems continue to expand the effective attack surface, especially when not included in routine assessments. Effective exposure management requires:
- Inventory awareness: Knowing exactly what legacy services (e.g., Telnet) are still running.
- Control enforcement: Automatically blocking risky protocols or redirecting traffic based on policy.
- Threat context: Prioritizing risks not just by CVSS score, but by exploitability and exposure.
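For the inventory-awareness point, the sketch below is an added example, not code from Veriti or the referenced PoC: it checks hosts you administer for a TCP/23 listener and parses the opening Telnet option negotiation. It assumes that a server offering NTLM does so through the Telnet AUTHENTICATION option (RFC 2941), so a listener requesting that option is a candidate for review, not a confirmed vulnerable host. All function names and sample bytes are hypothetical and constructed.

```python
import socket

IAC, SB, SE = 255, 250, 240
VERBS = {253: "DO", 254: "DONT", 251: "WILL", 252: "WONT"}
AUTHENTICATION = 37  # Telnet AUTHENTICATION option number (RFC 2941)

# Constructed sample greetings (not captured from any real host).
SAMPLE_AUTH = bytes([255, 253, 37, 255, 251, 1, 255, 251, 3])
SAMPLE_PLAIN = bytes([255, 251, 1, 255, 251, 3]) + b"login: "

def parse_negotiation(data: bytes):
    """Return [(verb, option)] for every IAC DO/DONT/WILL/WONT in data."""
    out, i = [], 0
    while i < len(data):
        if data[i] != IAC:
            i += 1                      # ordinary banner text
        elif i + 1 >= len(data):
            break                       # truncated command
        elif data[i + 1] in VERBS:
            if i + 2 >= len(data):
                break                   # verb without its option byte
            out.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        elif data[i + 1] == SB:         # skip subnegotiation up to IAC SE
            j = i + 2
            while j + 1 < len(data) and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # IAC IAC is an escaped 0xFF
            i = j + 2
        else:
            i += 2                      # escaped 0xFF or a two-byte command
    return out

def classify(data: bytes) -> str:
    opts = parse_negotiation(data)
    if ("DO", AUTHENTICATION) in opts:
        return "telnet-auth-option"     # review first: server requests AUTHENTICATION
    return "telnet" if opts else "unknown"

def probe(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect once, read the greeting, send nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:
        return "closed"
    return classify(data) if data else "open-silent"

def inventory(hosts):
    """Map each host from your own asset list to its probe result."""
    return {h: probe(h) for h in hosts}
```

Feed `inventory()` from the asset list you already maintain; any result other than `closed` is a Telnet-era listener that belongs in the exposure register.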
Telnet is a protocol most security teams assume is long gone, but Veriti research reveals it’s still very much alive in forgotten corners of the internet.
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/veriti-research/0-click-ntlm-auth-bypass-exposes-legacy-microsoft-systems/