New Windows Zero-Day Exposes NTLM Hashes, Gets Temporary Fix

A newly discovered Windows zero-day vulnerability allows remote attackers to steal NTLM hashes by tricking users into simply viewing malicious files in Windows Explorer. This flaw affects all Windows versions from Windows 7 to Windows 11 and Windows Server 2008 R2 to 2025.

NTLM authentication has long been exploited in relay and pass-the-hash attacks, where stolen credentials are used to access sensitive data and move laterally within networks. Microsoft plans to phase out NTLM in future Windows 11 versions, but vulnerabilities like this still pose a serious threat.

ACROS Security researchers discovered this issue while developing patches for another NTLM flaw. Attackers can exploit it by placing a malicious file in a shared folder, on a USB disk, or in the Downloads directory; simply viewing the file in Explorer triggers the attack.

To address the issue, 0patch has released free unofficial micropatches for affected Windows versions until Microsoft provides an official fix. The patches apply automatically, without a system restart, unless custom policies block them.

Microsoft has acknowledged the vulnerability and is evaluating necessary actions to protect users. However, they have not yet confirmed when an official patch will be available.

In recent months, 0patch has disclosed multiple Windows zero-day flaws, including a Windows Theme vulnerability (CVE-2025-21308) and an NTLM hash disclosure bug (CVE-2025-21377). Some of these remain unpatched by Microsoft.

Other NTLM-related flaws, such as PetitPotam, PrinterBug, and DFSCoerce, have also been exposed by 0patch but still lack official fixes. This highlights ongoing security risks tied to NTLM authentication in Windows environments.
