A critical vulnerability has been uncovered in Microsoft’s Telnet Client (telnet.exe), enabling attackers to steal Windows credentials from unsuspecting users, even without interaction in certain network scenarios.
Security researchers warn that this “zero-click” flaw could be readily exploited in corporate environments, with severe consequences for network integrity.
How the Attack Works
The vulnerability centers on the Microsoft Telnet Client’s MS-TNAP authentication protocol.
.png
)
When a Windows user connects to a malicious Telnet server, either by manually opening a connection or clicking on a specially-crafted telnet:// hyperlink (which can be embedded in emails, websites, or documents), the client initiates authentication.
If the server resides within the Intranet or Trusted Zone – or if system policies allow silent authentication – Windows will automatically transmit the user’s NTLM authentication data, all without warning or requiring user approval.
- Internet Zone: Users are prompted before credentials are sent.
- Intranet/Trusted Sites Zone: Credentials may be sent automatically – no prompt, no warning.
This behavior is especially risky for organizations that have added internal IP ranges or hosts to trusted zones without specifying a protocol.
For example, entering an IP like 192.168.1.1 (without specifying http://) means all protocols, including Telnet, are trusted for that host, not just web traffic.
An attacker can exploit this by:
- Setting up a malicious Telnet server.
- Enticing users to click a telnet:// link (e.g., via a phishing email).
- Capturing NTLM hashes from connecting clients.
Captured hashes can then be used for NTLM relay attacks or cracked offline using tools like Hashcat, giving attackers potential access to sensitive systems and data.
Proof of Concept and Exploit Code
A working proof-of-concept is already in the wild, demonstrating step-by-step how authentication data can be harvested.
For example, the exploit logs NTLM authentication exchanges and outputs captured hashes in formats compatible with popular password cracking tools.
hashcat -m 5600 -a 0 -O netntlmv2.hash passwords.txtThe above command enables attackers to crack harvested NTLMv2 hashes against a password list, recovering credentials in seconds if weak passwords are in use.
Mitigation and Recommendations
- Review Trusted Zones: Ensure hosts/IPs in Intranet/Trusted Sites zones are entered with protocol specifiers (e.g., http://), not just raw IPs.
- Disable Telnet Client: Uninstall or disable the Telnet feature on all Windows machines unless strictly necessary.
- User Awareness: Train users to avoid clicking suspicious telnet:// links or opening unknown LNK files.
All supported and unsupported Windows versions with the Telnet Client installed are vulnerable, including Windows 7–11, Windows Server 2008–2025, and legacy platforms.
This zero-click Telnet vulnerability underscores the risks of legacy protocols and misconfigured trust settings.
Administrators are urged to audit their environments and implement recommended defenses immediately to prevent silent credential theft.
Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download
, enabling attackers to steal Windows credentials.){kind=link}