Summary
| Field | Value |
| --- | --- |
| OEM | Microsoft |
| Severity | High |
| CVEs | Not yet assigned |
| Exploited in the wild | No |
| Patch/remediation available | No official Microsoft patch; unofficial 0patch micropatch available |
| Advisory version | 1.0 |
| Vulnerability | Zero-day |
Overview
A newly disclosed NTLM vulnerability in Windows allows an attacker to capture a user's NTLM authentication credentials when the user merely views a malicious file in Windows Explorer; the file does not have to be opened or executed. The issue affects Windows versions from Windows 7 and Windows Server 2008 R2 through the current Windows 11 24H2 and Windows Server 2025.
The malicious file can be delivered through a shared network folder, a USB drive, or a file downloaded earlier (for example into the user's Downloads folder), so credential theft requires little user interaction and leaves few obvious traces.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fix |
| --- | --- | --- | --- | --- |
| NTLM Hash Disclosure Vulnerability | Not yet assigned | Windows (Windows 7 through Windows 11 24H2) and Windows Server (2008 R2 through 2025) | High | No official Microsoft patch; unofficial micropatch available via 0patch |
Technical Summary
This vulnerability lets an attacker capture NTLM authentication credentials simply by getting a user to view a malicious file in Windows Explorer. Unlike earlier NTLM credential-leak techniques that required the user to open or execute a file, this one triggers as soon as Explorer renders the malicious file's metadata, for example in the preview pane. An attacker can put such a file in front of a user in several ways:
- by placing it in a shared network folder the user browses;
- by placing it on a USB drive the user plugs in;
- by having the user's browser download it earlier, so that it is displayed when the Downloads folder is viewed.
Once the NTLM challenge-response (NetNTLMv2 on default configurations) is captured, the attacker can relay it to internal services that still accept NTLM, or attempt to crack it offline, to gain unauthorized access, escalate privileges, and move laterally across the network.
| CVE ID | System Affected | Vulnerability Technical Details | Impact |
| --- | --- | --- | --- |
| Not yet assigned | Windows 7 through Windows 11 24H2; Windows Server 2008 R2 through Server 2025 | Attackers capture NTLM credentials when a user views a malicious file in Windows Explorer. Delivery paths include shared folders, USB drives, and previously downloaded files. | Credential theft, NTLM relay, network compromise, and lateral movement. |
Recommendations
Steps to Apply 0patch Micropatch:
Security Best Practices
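The PowerShell script below is an added example; it is not part of the original advisory and is not 0patch's tooling. It audits the client-side NTLM controls that limit this class of forced-authentication leak (restricting outgoing NTLM, NTLMv2-only, SMB client signing), can optionally write them, and can add a Windows Firewall rule blocking outbound SMB to the Internet. The registry paths, value names and event ID are the ones Microsoft documents for the corresponding policies; the target values in `$Controls` are this editor's recommended starting point, not values taken from the advisory.

```powershell
# Added example (not from the advisory or from 0patch): audit, and optionally enforce,
# client-side NTLM controls that limit forced-authentication credential leaks.
# Run from an elevated PowerShell session. Registry paths and values are those Microsoft
# documents for the matching Group Policy settings; target values are the editor's choice.
[CmdletBinding()]
param(
    [switch]$Remediate,        # write the target values (outgoing NTLM goes to audit mode)
    [switch]$BlockOutboundSmb  # add a firewall rule blocking TCP 445 to Internet addresses
)

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv    = "$Lsa\MSV1_0"
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Target state. RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
# Start at 1; move to 2 only once the audit events show no legitimate outgoing NTLM
# (or list the servers that still need it in MSV1_0\ClientAllowedNTLMServers).
$Controls = @(
    [pscustomobject]@{ Path = $Msv;    Name = 'RestrictSendingNTLMTraffic'; Want = 1; Why = 'Audit (1) or deny (2) outgoing NTLM to remote servers' }
    [pscustomobject]@{ Path = $Lsa;    Name = 'LmCompatibilityLevel';       Want = 5; Why = 'Send NTLMv2 only; refuse LM and NTLMv1' }
    [pscustomobject]@{ Path = $Lanman; Name = 'RequireSecuritySignature';   Want = 1; Why = 'SMB client requires signing, which defeats SMB relay' }
)

function Get-NtlmControlState {
    # One row per control: current registry value and whether it meets the target.
    foreach ($c in $Controls) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $current) { '<not set>' } else { $current }
            Wanted   = $c.Want
            # An absent value means the OS default, which is weaker than the target for all three.
            Hardened = ($null -ne $current) -and ([int]$current -ge $c.Want)
            Why      = $c.Why
        }
    }
}

function Set-NtlmControls {
    # Writes the target values. LSA settings may need a restart to take full effect.
    foreach ($c in $Controls) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}

function Add-OutboundSmbBlock {
    # Prevents Explorer from completing NTLM authentication to an Internet-hosted SMB
    # server (a UNC path in file metadata pointing outside the organisation).
    # Does not cover NTLM over other transports such as WebDAV on TCP 80/443.
    $name = 'Block outbound SMB (TCP 445) to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Get-OutgoingNtlmAudit {
    param([int]$MaxEvents = 25)
    # With RestrictSendingNTLMTraffic = 1, each outgoing NTLM authentication that a deny
    # policy would have blocked is recorded as event 8001 in the NTLM operational log.
    # Review these before switching to deny (2): they show which servers users still reach via NTLM.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# --- main ---
Get-NtlmControlState | Format-Table Setting, Current, Wanted, Hardened, Why -AutoSize
if ($Remediate)        { Set-NtlmControls; Write-Host 'Targets written; a restart may be needed for LSA settings.' }
if ($BlockOutboundSmb) { Add-OutboundSmbBlock; Write-Host 'Outbound SMB block rule present.' }
Write-Host 'Recent outgoing-NTLM audit events (empty if none, or if the log is disabled):'
Get-OutgoingNtlmAudit | Format-Table -AutoSize
```

Run it first without switches to see the current state, then with `-Remediate` to go to audit mode, and only after reviewing the 8001 events for legitimate destinations set RestrictSendingNTLMTraffic to 2 (deny) with exceptions in ClientAllowedNTLMServers. None of these settings replace a vendor fix: they reduce where a leaked NTLM authentication can be sent or used, not the underlying Explorer behaviour.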
Conclusion
Although not classified as critical, this NTLM credential-theft vulnerability is highly dangerous because of its ease of exploitation: viewing a file is enough. Attackers can use the captured NTLM authentication in relay attacks, or crack it offline, to compromise internal network resources.
Security researchers note that comparable flaws have been actively exploited in real-world attacks. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM hardening best practices to reduce the risk.