Zero-Day Vulnerability in Windows Exposes NTLM Credentials
Summary
| Field | Value |
|---|---|
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2024-12-12 |
| CVE | Not yet assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes (No official patch) |
| Advisory Version | 1.0 |
| Vulnerability Name | NTLM Zero-Day |
Overview
A recently discovered zero-day vulnerability in Windows enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit requires no user interaction beyond viewing the file, creating significant security risk. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the micropatch or implement the mitigations below to reduce exposure.

| Vulnerability Name | CVE ID | Product Affected | Severity |
|---|---|---|---|
| NTLM zero-day | Not Yet Assigned | Microsoft Windows | Critical |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| Not Yet Assigned | Windows 7 to 11 (24H2), Server 2008 R2 to 2022 | A zero-day vulnerability that allows NTLM credential theft when a malicious file is viewed in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing the malicious file, which can be delivered through shared folders, USB drives, or malicious downloads placed in the browser's default download folder. | Enables attackers to steal NTLM credentials and gain unauthorized access to the affected systems. |
Remediations
- Apply the 0patch Micropatch:
  - Register for a free account at 0patch Central.
  - Install the 0patch agent to automatically receive the micropatch.
- Disable NTLM Authentication:
  - Navigate to Security Settings > Local Policies > Security Options in Group Policy.
  - Configure the “Network security: Restrict NTLM” policies to limit NTLM usage.
General Recommendations
- Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
- Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
- Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
- Monitor systems for suspicious NTLM-related activity.
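As an added example (not part of this advisory, nor 0patch's or Microsoft's code), the following PowerShell checks the outbound setting behind the “Network security: Restrict NTLM” policy named above and lists the NTLM audit events that monitoring for NTLM-related activity relies on. It assumes the documented `MSV1_0` registry values and event ID 8001 in the `Microsoft-Windows-NTLM/Operational` log; run it in an elevated session.

```powershell
# Added example: audit the outbound "Restrict NTLM" policy and review NTLM
# audit events. Registry path and meanings are Microsoft's documented backing
# store for the Group Policy setting; the script itself is not from the advisory.
$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Documented DWORD meanings for RestrictSendingNTLMTraffic
# ("Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers").
$OutboundPolicy = @{
    0 = 'Allow all (no restriction, nothing audited)'
    1 = 'Audit all (event 8001 logged, traffic still allowed)'
    2 = 'Deny all (outbound NTLM blocked, event 8001 logged)'
}

function Get-NtlmOutboundPolicy {
    $key = Get-ItemProperty -Path $Msv1Path -ErrorAction SilentlyContinue
    $raw = $key.RestrictSendingNTLMTraffic
    if ($null -eq $raw) { $raw = 0 }   # value absent = policy not configured
    $allowed = if ($key.ClientAllowedNTLMServers) { @($key.ClientAllowedNTLMServers) } else { @() }
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = [int]$raw
        Meaning                    = $OutboundPolicy[[int]$raw]
        AllowedServers             = $allowed   # MULTI_SZ exceptions, if any
        Hardened                   = ([int]$raw -eq 2)
    }
}

function Get-NtlmOutboundAuditEvents {
    param([int]$Hours = 24)
    # Event 8001 is only written once the policy is Audit all or Deny all; an
    # empty result under policy 0 means nothing is recorded, not that no NTLM
    # authentication left the host.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

$policy = Get-NtlmOutboundPolicy
$policy | Format-List
if (-not $policy.Hardened) {
    Write-Warning 'Outbound NTLM is not denied; viewing a malicious file in Explorer can still send NTLM to a remote host.'
}
Get-NtlmOutboundAuditEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Set the policy to Audit all on a test device first, as the general recommendations advise, and review the 8001 events for legitimate servers before moving to Deny all and adding them to the exception list.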