Windows NTLM Zero-Day Vulnerability Exposes User Credentials

A critical zero-day vulnerability affecting all modern Windows Workstation and Server versions has been discovered.

The flaw enables attackers to steal NTLM credentials with minimal user interaction, posing a significant security risk. It impacts systems from Windows 7 and Server 2008 R2 to the latest Windows 11 (v24H2) and Server 2022.

The vulnerability allows attackers to capture a user’s NTLM credentials when the user merely views a malicious file in Windows Explorer.

This could occur by opening a shared folder, inserting a USB drive containing the file, or even browsing a Downloads folder where such a file was automatically downloaded from an attacker’s website.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Exploiting this flaw does not require the user to open or execute the file, making it highly dangerous.

pass-the-hash Attack

The NTLM protocol, used for authentication in Windows environments, is susceptible to “pass-the-hash” attacks. Once attackers obtain NTLM hashes, they can impersonate users without needing plaintext passwords. This flaw highlights ongoing risks tied to NTLM’s inherent vulnerabilities.

The issue was reported to Microsoft by security researchers, who have also released free micropatches via the 0patch platform until Microsoft provides an official fix. These micropatches are available for both legacy and currently supported Windows versions, including:

• Legacy systems like Windows 7 (with or without Extended Security Updates) and Server 2008 R2.
• Fully updated systems such as Windows 11 (v24H2), Windows 10 (various versions), and Server editions (2012 R2 through 2022).

0patch’s micropatches have already been applied to affected systems using their agent, ensuring immediate protection for users who adopt this solution.

This vulnerability is the third zero-day flaw recently reported by the researchers. Previous findings include a Windows Theme file issue and a “Mark of the Web” problem on Server 2012—both still awaiting official patches.

Other NTLM-related vulnerabilities like PetitPotam and PrinterBug remain unpatched by Microsoft but are mitigated through 0patch solutions.

The persistence of such vulnerabilities underscores the importance of proactive security measures. Organizations relying on NTLM protocols are particularly at risk and should consider alternative authentication mechanisms or deploy third-party patches like those from 0patch.

Until Microsoft releases an official fix, users are urged to implement available micropatches and exercise caution with files from untrusted sources. Adopting robust security practices and monitoring for suspicious activity is paramount for organizations using legacy systems or dependent on NTLM authentication.

This discovery serves as a stark reminder of the evolving threat landscape and the critical need for timely updates to mitigate zero-day vulnerabilities effectively.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses