Tuesday, April 1, 2025

New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Available


A new zero-day vulnerability has been discovered in Windows, impacting all versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025.

This vulnerability lets an attacker obtain the user's NTLM credentials (the NTLM challenge-response that Windows sends when Explorer contacts an attacker-controlled share) merely by getting the user to view a malicious file in Windows Explorer, for example by browsing a folder that contains it; the file does not have to be opened.

The issue has been reported to Microsoft, and while it does not yet have a designated CVE number, an unofficial patch is available through 0patch until an official fix is released.

Vulnerability Details

The flaw is of the same kind as the URL-file NTLM hash disclosure that Microsoft patched as CVE-2025-21377, but it is a distinct bug, and its details have not been made public.

Capturing the handshake is only the first step: to use it, the attacker must either be positioned on the victim's network to relay the captured authentication to another host, or relay it to a service reachable from the internet, such as a publicly exposed Exchange server. The captured NTLMv2 response can also be attacked offline by guessing the password, so weak passwords make the leak worse even without a relay target.

Like other NTLM hash disclosure bugs, this one is not rated critical, yet the class is exploited in real-world attacks, typically as the opening move of an NTLM relay.

0patch, a security patching service, has developed and distributed micropatches for this vulnerability. These patches are available for all affected Windows versions, including both outdated and currently supported systems.

They are provided at no cost until Microsoft releases an official patch.

The micropatches have already been applied to computers managed by 0patch Agent within PRO or Enterprise accounts, ensuring immediate protection without the need for manual intervention or system reboot.

Impact and Other Vulnerabilities

This is the fourth zero-day vulnerability reported by 0patch within a short period.

Previous issues include the Windows Theme file vulnerability, which Microsoft subsequently patched as CVE-2025-21308, the URL-file NTLM hash disclosure mentioned above (CVE-2025-21377), and the Mark of the Web bypass on Server 2012, which remains unpatched.

Additionally, several NTLM-related vulnerabilities are classified as "won't fix" by Microsoft, and 0patch provides patches for these too: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All three are authentication coercion techniques that abuse RPC interfaces (MS-EFSR, MS-RPRN and MS-DFSNM respectively) to make a Windows host authenticate to an attacker-chosen server, and they still work on fully updated Windows versions.

Protecting against this class of vulnerability is crucial for organizations still relying on NTLM authentication. 0patch offers patches for both the zero-day and the "won't fix" vulnerabilities.
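Because the leak is only useful to an attacker who can relay the handshake or reach the victim's network, and because the coercion bugs above will not be fixed, the practical defense is the set of host-level controls that blunt the whole class: NTLMv2 only, outbound NTLM auditing or restriction, SMB signing, and no SMB to the internet. The following PowerShell is an added example, not code from the article, from 0patch or from Microsoft: it audits those controls on one host and can apply them. The function names, the firewall rule name and the thresholds are this example's own choices; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server 2016+.

```powershell
# Added example, not code from the article or from 0patch. Function names, the firewall
# rule name and the thresholds are this example's own choices.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server 2016+.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key  = "$LsaKey\MSV1_0"
$RuleName = 'Block outbound SMB (TCP 445) to Internet'   # rule name chosen for this example

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the value (or its key) does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmHardeningFindings {
    # Returns an array of strings, one per weak setting; an empty array means every check passed.
    $findings = @()

    # LmCompatibilityLevel (absent = OS default, 3 on Windows 7 and later). Levels 0-2 let the
    # client answer a coerced challenge with LM/NTLMv1, which is far easier to recover offline
    # than NTLMv2; level 5 additionally makes the host refuse LM/NTLMv1 from others.
    $lm = Get-RegDword $LsaKey 'LmCompatibilityLevel'
    if ($null -ne $lm -and $lm -lt 3) { $findings += "LmCompatibilityLevel=$lm allows LM/NTLMv1 responses (set 5)" }

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # (MSV1_0\RestrictSendingNTLMTraffic): 0 = allow, 1 = audit, 2 = deny. Audit first and
    # review the Microsoft-Windows-NTLM/Operational log before denying; legacy apps will break.
    $out = Get-RegDword $Msv1Key 'RestrictSendingNTLMTraffic'
    if ($null -eq $out -or $out -eq 0) { $findings += "Outbound NTLM is neither audited nor restricted (RestrictSendingNTLMTraffic=$out)" }

    # SMB signing: a relayed handshake cannot finish an SMB session to a server that requires
    # signing, because the relay never learns the session key.
    if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) { $findings += 'SMB client does not require signing' }
    if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) { $findings += 'SMB server does not require signing' }

    # Outbound SMB to the Internet: the Explorer-triggered leak needs the victim to reach the
    # attacker's listener. Blocking TCP 445 to non-intranet addresses closes that path for an
    # attacker outside the network (it does nothing against one who is already inside).
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule -or "$($rule.Enabled)" -ne 'True') { $findings += "Firewall rule '$RuleName' missing or disabled" }

    return ,$findings
}

function Invoke-NtlmHardening {
    # Applies the settings checked above. In a domain, LmCompatibilityLevel and the NTLM
    # restriction are normally pushed by Group Policy; local values set here are for
    # standalone hosts or a lab and will be overwritten at the next policy refresh.
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    Set-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord   # 1 = audit only
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # 'Internet' is a firewall address keyword: every address NLA does not classify as intranet.
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

$findings = Get-NtlmHardeningFindings
if ($findings.Count -eq 0) { Write-Host 'NTLM hardening checks passed.' }
else { Write-Host 'Findings:'; $findings | ForEach-Object { Write-Host "  - $_" } }
# To remediate, run Invoke-NtlmHardening and then re-run Get-NtlmHardeningFindings.
```

Run the audit on its own first. Apply the changes through Group Policy in a domain rather than the local registry, keep RestrictSendingNTLMTraffic at 1 (audit) until the NTLM operational log shows which applications still depend on outbound NTLM, and remember that the outbound 445 block does not protect against the internal attacker the article mentions, which is why the signing and NTLM restriction settings matter as much as the micropatch itself.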

The service is particularly valuable for legacy systems no longer receiving official security updates from Microsoft.

Users can create a free account with 0patch to start a trial, ensuring automatic protection without manual configuration.

As vulnerabilities like these continue to emerge, relying on third-party patching services can fill critical security gaps, especially for unsupported Windows versions. With 0patch, users can safeguard their systems from known and emerging threats, maintaining security without waiting for vendor fixes.

This approach is increasingly important as attackers continue to exploit unpatched vulnerabilities to compromise user credentials and systems.

As the specific CVE identifier for this vulnerability is not yet assigned, users should monitor security advisories from Microsoft for updates.

Meanwhile, leveraging patches from reputable sources like 0patch can provide interim protection against such threats.

Patch Availability

Micropatches are available for the following Windows versions:

  • Legacy Windows versions: Windows 11 v21H2, Windows 10 (all versions back to v1803), Windows 7, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2.
  • Currently supported Windows versions: Windows 11 v24H2, Windows 11 v23H2, Windows 11 v22H2, Windows 10 v22H2, Windows Server 2025, Windows Server 2022, Windows Server 2019, and Windows Server 2016.

These patches will remain free until an official fix from Microsoft is available, emphasizing the importance of proactive security measures in preventing credential theft and system exploitation.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
