New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Available

A new zero-day vulnerability has been discovered in Windows, affecting every version from Windows 7 and Server 2008 R2 through the current Windows 11 v24H2 and Server 2025.

Simply viewing a malicious file in Windows Explorer, without opening it, is enough to make Windows send the user's NTLM credentials to an attacker-controlled host. An attacker therefore only needs to get the file in front of the victim in an Explorer window.

The issue has been reported to Microsoft. It has not yet been assigned a CVE identifier, and until an official fix ships, an unofficial patch is available from 0patch.

Vulnerability Details

The flaw belongs to the same class as the URL file NTLM hash disclosure that Microsoft fixed as CVE-2025-21377: a specially crafted file makes Windows authenticate to a server chosen by the attacker, handing over the user's NTLM hash in the process. This is a distinct bug, however, and one that has not been widely discussed in public.

Capturing the hash is only half of the attack. The attacker must also be positioned to use it, either with network access to the victim's environment so the hash can be relayed to a service that still accepts NTLM authentication, or with an internet-reachable relay target such as a publicly exposed Exchange server. What leaks is a challenge-response value rather than the password itself, so it can also be cracked offline if the password is weak.

Like other NTLM-related vulnerabilities, this issue is not rated critical, but bugs of this class are being exploited in real-world attacks.

0patch, a security micropatching service, has developed and distributed micropatches for this vulnerability. They are available for all affected Windows versions, both those Microsoft no longer supports and those still receiving updates.

The micropatches are free until Microsoft releases an official fix.

Computers running 0patch Agent under PRO or Enterprise accounts have already received them automatically. Micropatches are applied in memory to running processes, so protection takes effect without manual intervention or a reboot.

Impact and Other Vulnerabilities

This is the fourth zero-day vulnerability 0patch has reported to Microsoft within a short period.

Previous issues include a Windows Theme file vulnerability, which Microsoft subsequently patched as CVE-2025-21308, and a Mark of the Web bypass on Server 2012, which remains unpatched.

Microsoft has also classified several NTLM coercion vulnerabilities as "won't fix", among them PetitPotam, PrinterBug/SpoolSample and DFSCoerce. Each of them tricks a Windows host into authenticating to an attacker-chosen server, they still affect fully updated Windows versions, and 0patch provides micropatches for those as well.

Organizations that still rely on NTLM authentication need protection against these vulnerabilities. 0patch addresses both the zero-day and the "won't fix" issues with micropatches.

The service is particularly valuable for legacy systems no longer receiving official security updates from Microsoft.
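The hardening a practitioner would pair with these micropatches, as an added example that is not part of the article or of 0patch's material: the PowerShell below audits and restricts outbound NTLM on a Windows host, which is the common ingredient of the Explorer-triggered leak described in the vulnerability details and of the coercion bugs (PetitPotam, PrinterBug/SpoolSample, DFSCoerce) listed above. The firewall rule name, the `$RestrictLevel` parameter, and the assumption that the host is not a domain controller and has no legitimate NTLM traffic to Internet addresses are mine, not the page's.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from 0patch: audit and restrict outbound
# NTLM on a Windows client or member server so that a malicious file previewed in
# Explorer, or a coercion bug such as PetitPotam/PrinterBug/DFSCoerce, cannot hand
# the user's NTLMv2 response to an attacker-controlled server.
# Assumptions (mine, not the page's): the host is not a domain controller, nothing
# on it legitimately authenticates with NTLM to Internet addresses, and these
# settings are not already forced by Group Policy (a GPO would overwrite them).

[CmdletBinding()]
param(
    # 1 = audit only: log Event ID 8001, block nothing.
    # 2 = deny: refuse outgoing NTLM to remote servers (exceptions via ClientAllowedNTLMServers).
    [ValidateSet(1, 2)]
    [int]$RestrictLevel = 1
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# 1. Report the current state before touching anything.
$lmLevel  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
Write-Host ("LmCompatibilityLevel       : {0}" -f $(if ($null -eq $lmLevel)  { 'not set (OS default)' } else { $lmLevel }))
Write-Host ("RestrictSendingNTLMTraffic : {0}" -f $(if ($null -eq $restrict) { 'not set (0 = allow all)' } else { $restrict }))

# 2. Send NTLMv2 responses only and refuse LM/NTLMv1 (level 5). A leaked NTLMv2
#    response is still relayable, but the easily cracked legacy formats are gone.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord

# 3. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    Start in audit mode, review the 8001 events below for legitimate targets,
#    then rerun with -RestrictLevel 2 once any exceptions are known.
if (-not (Test-Path $msv)) { New-Item -Path $msv -Force | Out-Null }
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value $RestrictLevel -Type DWord

# 4. Host firewall: block SMB (445) and NetBIOS session (139) egress to the
#    Internet. Every variant of this attack needs that outbound connection to
#    reach the attacker's listener. 'Internet' is a Windows Firewall keyword
#    resolved through network location awareness.
$ruleName = 'Block outbound SMB/NetBIOS to Internet (NTLM leak mitigation)'   # name is mine
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445, 139 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 5. Show what audit mode has already caught. Event 8001 in
#    Microsoft-Windows-NTLM/Operational records each outgoing NTLM authentication
#    that the restriction would block, including the target server name; an
#    unexpected target is an incident, not a whitelist candidate.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'Detail'; Expression = { ($_.Message -replace '\s+', ' ') } } |
    Format-Table -AutoSize -Wrap
```

Run it in audit mode first (the default, level 1). The Event ID 8001 entries name every remote server the host would have been blocked from authenticating to, which is both the input for any exceptions before moving to level 2 and, when the target is unexpected, the first indicator that a leak is being attempted. The `Internet` firewall keyword depends on Windows' network location awareness, so confirm what it resolves to with `Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter` before relying on it, and remember that none of this helps on a host that genuinely must speak SMB to the outside world.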

A free 0patch account is enough to start a trial; once 0patch Agent is installed, the applicable micropatches are applied automatically without further configuration.

Third-party micropatches of this kind are an interim control rather than a replacement for vendor fixes. They are most useful on Windows versions that no longer receive Microsoft updates, and they should sit alongside the standard NTLM hardening measures: blocking outbound SMB at the network edge, enforcing SMB signing and Extended Protection for Authentication on services that could serve as relay targets, and restricting or disabling NTLM wherever it is no longer required.

Until Microsoft assigns a CVE identifier and ships an official fix, administrators should track Microsoft's security advisories and use the 0patch micropatches as interim protection.

Patch Availability

Micropatches are available for the following Windows versions:

  • Legacy Windows versions: Windows 11 v21H2, Windows 10 (all versions back to v1803), Windows 7, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2.
  • Currently supported Windows versions: Windows 11 v24H2, Windows 11 v23H2, Windows 11 v22H2, Windows 10 v22H2, Windows Server 2025, Windows Server 2022, Windows Server 2019, and Windows Server 2016.

The patches remain free until Microsoft publishes an official fix. For organizations that cannot wait for that fix, or that run versions which will never receive it, applying them now closes a credential-theft vector that is already being used in attacks.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
