A newly discovered NTLM vulnerability in Windows allows attackers to obtain login credentials when a user views a malicious file in Windows Explorer. This issue affects all Windows versions, from Windows 7 and Server 2008 R2 to the most recent Windows 11 v24H2 and Server 2025.
Attackers can exploit this flaw using shared network folders, USB drives, or previously downloaded malicious files, making credential theft both easy to carry out and difficult to detect.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fix |
|---|---|---|---|---|
| NTLM Hash Disclosure Vulnerability | Not Yet Assigned | Windows OS and Windows Server | High | Unofficial micropatch available via 0patch |
Technical Summary
This vulnerability enables attackers to steal NTLM authentication credentials simply by having users view a malicious file in Windows Explorer. Unlike previous NTLM relay attack techniques that required users to execute files, this exploit works just by rendering the malicious file’s metadata in the Windows Explorer preview pane. Attackers can leverage this method in various ways:
- Hosting a shared network folder containing the malicious file.
- Distributing infected USB drives that trigger the attack when inserted.
- Tricking users into downloading the malicious file from a compromised or attacker-controlled website.
Once the credentials are captured, attackers can use NTLM relay attacks to gain unauthorized access to internal systems, escalate privileges, and move laterally across the network.
| CVE ID | System Affected | Vulnerability Technical Details | Impact |
|---|---|---|---|
| Not Assigned Yet | Windows 7 – Windows 11 v24H2, Server 2008 R2 – Server 2025 | Attackers can capture NTLM credentials when users view malicious files in Windows Explorer. Exploitation methods include shared folders, USB drives, or downloads. | Credential theft, network compromise, and potential lateral movement. |
Recommendations
Microsoft Patch Awaited: The vulnerability has been reported to Microsoft, and an official security update is expected in the near future.
Unofficial Micropatch Available: Security researchers at 0patch have released an unofficial micropatch that mitigates this issue. The micropatch is available for all affected Windows versions and will remain free until an official fix is provided by Microsoft.
Steps to Apply 0patch Micropatch:
1. Create a free account on 0patch Central.
2. Install and register the 0patch Agent on affected systems.
3. The micropatch is applied automatically without requiring a system reboot.
Security Best Practices
- Disable NTLM authentication where possible.
- Implement SMB signing to prevent relay attacks.
- Restrict access to public-facing servers like Exchange to limit credential relaying risks.
- Educate users to avoid interacting with unknown or suspicious files in shared folders and USB drives.
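The following PowerShell script is an added example, not part of the original advisory or of 0patch's tooling. It audits the host-level settings behind the first two best practices above (NTLM restriction and SMB signing) by reading the documented registry locations for those Group Policy settings, reports which ones are still in their weak state, and optionally applies the hardened values. The `-EnforceSettings` switch and the `$Checks` list are this script's own constructs; the registry paths, value names and expected values are the standard Microsoft ones.

```powershell
# Added example (not from the original advisory): audit the NTLM and
# SMB-signing settings recommended under "Security Best Practices" and
# report which are still weak. Run in an elevated PowerShell session on
# the Windows host being checked. The -EnforceSettings switch is an
# assumption of this script (not a Windows flag) and, when given, writes
# the hardened value for every check that reports WEAK.

param(
    [switch]$EnforceSettings
)

# Each entry: the registry location of a Group Policy setting, the value
# that mitigates NTLM relay/capture, and why it matters.
$Checks = @(
    @{
        Name     = 'SMB server: require signing'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value    = 'RequireSecuritySignature'
        Expected = 1
        Note     = 'Relayed sessions to this host succeed while signing is optional.'
    },
    @{
        Name     = 'SMB client: require signing'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Value    = 'RequireSecuritySignature'
        Expected = 1
        Note     = 'Outbound SMB sessions from this host can be relayed while signing is optional.'
    },
    @{
        Name     = 'LSA: LmCompatibilityLevel (NTLMv2 only)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'LmCompatibilityLevel'
        Expected = 5
        Note     = 'Level 5 sends NTLMv2 only and refuses LM/NTLMv1 responses.'
    },
    @{
        Name     = 'MSV1_0: RestrictSendingNTLMTraffic (deny outgoing NTLM)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Value    = 'RestrictSendingNTLMTraffic'
        Expected = 2
        Note     = '2 = deny all outgoing NTLM; run with 1 (audit) first to find dependent apps.'
    }
)

foreach ($c in $Checks) {
    # Read the current DWORD; an absent value means the Windows default applies,
    # which for all four settings is the weak state.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($current -eq $c.Expected) { 'OK' } else { 'WEAK' }
    if ($null -eq $current) { $current = 'not set (default)' }

    [PSCustomObject]@{
        Check    = $c.Name
        Current  = $current
        Expected = $c.Expected
        State    = $state
        Note     = $c.Note
    }

    if ($EnforceSettings -and $state -eq 'WEAK') {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        Write-Host "Set $($c.Path)\$($c.Value) = $($c.Expected)"
    }
}

# Cross-check SMB signing through the SMB cmdlets (available on Windows 8 /
# Server 2012 and later; not on Windows 7 / Server 2008 R2).
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
```

Run it without the switch first to get an inventory; `RestrictSendingNTLMTraffic = 2` in particular can break applications that still depend on NTLM, so the usual sequence is to set it to 1 (audit), review the NTLM audit events it generates, and only then move to 2. In a domain these values should ultimately be set through Group Policy rather than per host, but the registry read is a quick way to verify that policy actually landed on a given machine.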
Conclusion
Although not classified as critical, this NTLM credential theft vulnerability is extremely harmful because of how easy it is to exploit. Attackers can use captured NTLM hashes in relay attacks to compromise internal network resources.
Security researchers confirm that comparable flaws have been actively exploited in real-world attacks. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM security best practices to reduce potential risks.