Thursday, January 23, 2025
HomeCyber Security NewsWindows NTLM Zero-Day Vulnerability Exposes User Credentials

Windows NTLM Zero-Day Vulnerability Exposes User Credentials

Published on

SIEM as a Service

Follow Us on Google News

A critical zero-day vulnerability affecting all modern Windows Workstation and Server versions has been discovered.

The flaw enables attackers to steal NTLM credentials with minimal user interaction, posing a significant security risk. It impacts systems from Windows 7 and Server 2008 R2 to the latest Windows 11 (v24H2) and Server 2022.

The vulnerability allows attackers to capture a user’s NTLM credentials when the user merely views a malicious file in Windows Explorer.

This could occur by opening a shared folder, inserting a USB drive containing the file, or even browsing a Downloads folder where such a file was automatically downloaded from an attacker’s website.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Exploiting this flaw does not require the user to open or execute the file, making it highly dangerous.

pass-the-hash Attack

The NTLM protocol, used for authentication in Windows environments, is susceptible to “pass-the-hash” attacks. Once attackers obtain NTLM hashes, they can impersonate users without needing plaintext passwords. This flaw highlights ongoing risks tied to NTLM’s inherent vulnerabilities.

The issue was reported to Microsoft by security researchers, who have also released free micropatches via the 0patch platform until Microsoft provides an official fix. These micropatches are available for both legacy and currently supported Windows versions, including:

  • Legacy systems like Windows 7 (with or without Extended Security Updates) and Server 2008 R2.
  • Fully updated systems such as Windows 11 (v24H2), Windows 10 (various versions), and Server editions (2012 R2 through 2022).

0patch’s micropatches have already been applied to affected systems using their agent, ensuring immediate protection for users who adopt this solution.

This vulnerability is the third zero-day flaw recently reported by the researchers. Previous findings include a Windows Theme file issue and a “Mark of the Web” problem on Server 2012—both still awaiting official patches.

Other NTLM-related vulnerabilities like PetitPotam and PrinterBug remain unpatched by Microsoft but are mitigated through 0patch solutions.

The persistence of such vulnerabilities underscores the importance of proactive security measures. Organizations relying on NTLM protocols are particularly at risk and should consider alternative authentication mechanisms or deploy third-party patches like those from 0patch.

Until Microsoft releases an official fix, users are urged to implement available micropatches and exercise caution with files from untrusted sources. Adopting robust security practices and monitoring for suspicious activity is paramount for organizations using legacy systems or dependent on NTLM authentication.

This discovery serves as a stark reminder of the evolving threat landscape and the critical need for timely updates to mitigate zero-day vulnerabilities effectively.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...