Ghidra is a generic disassembler and decompiler released by the NSA. It attracted wide interest from the security community. Security researchers have since found an XXE vulnerability in the Ghidra project loading process. Based on our prior research on XXE vulnerability exploitation, we found that attackers can abuse Java features and weaknesses in NTLM protocol in Windows operating system to achieve remote code execution.