Security experts have reported a new zero-day vulnerability in Windows that allows remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows Explorer.
NTLM hashes are widely abused in NTLM relay attacks, in which attackers coerce vulnerable network devices into authenticating to servers they control, and in pass-the-hash attacks, in which attackers exploit vulnerabilities to steal NTLM hashes and then reuse them.
Following such attacks, attackers typically use the stolen hash to authenticate as the compromised user, gaining access to sensitive data and moving laterally across the network.
For these reasons, last year Microsoft announced plans to deprecate the NTLM authentication protocol in future versions of Windows 11.
This week, Acros Security warned of a vulnerability in the handling of SCF files that allows NTLM hashes to leak. The problem was discovered while patches were being developed for another vulnerability that also involved hash disclosure.
The new 0-day has not yet been assigned a CVE identifier. The issue is known to affect all versions of Windows, from Windows 7 to the latest builds of Windows 11, as well as Windows Server 2008 R2 through Windows Server 2025.
"This vulnerability allows an attacker to obtain NTLM credentials by tricking a user into viewing a malicious file in Windows Explorer - for example, by opening a shared folder or USB drive containing the file, or by viewing the Downloads folder where the file was previously automatically downloaded from the attacker's web page," says Acros Security CEO Mitja Kolsek. "While such vulnerabilities are not critical and their exploitation depends on a number of conditions (for example, the attacker is already on the victim's network or has an external target, such as a public Exchange server, to which the stolen credentials can be transferred), they have already been used in real attacks."
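The conditions Kolsek lists point at the defensive check that matters here: a leak of this kind only pays off if the victim's machine can complete an NTLM authentication to a server the attacker controls, so outbound SMB sessions leaving the internal address space are the signal to hunt for. The following example is added here and is not part of the original article or of Acros Security's or Microsoft's tooling; it runs a simple egress check over a few constructed firewall-style records (the log format, the address ranges and the hostnames are assumptions, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records in a simple firewall/NetFlow-like layout
# (not taken from the article):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2025-03-26T10:01:02Z 10.0.0.15 10.0.0.5 445 tcp
2025-03-26T10:01:05Z 10.0.0.15 203.0.113.7 445 tcp
2025-03-26T10:01:06Z 10.0.0.15 203.0.113.7 443 tcp
2025-03-26T10:02:10Z 10.0.0.22 198.51.100.9 139 tcp
2025-03-26T10:03:00Z 192.168.1.40 192.168.1.1 53 udp
"""

# Address ranges treated as "inside the network" (an assumption for this
# example). Anything else is considered external; the documentation
# ranges in SAMPLE_LOG play the role of public addresses.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# SMB ports over which a Windows client will answer an NTLM challenge
# from whatever server it was steered to.
NTLM_CARRIER_PORTS = {445, 139}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_line(line: str):
    """Split one record into its fields; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, port, proto = fields
    try:
        return ts, src, dst, int(port), proto.lower()
    except ValueError:
        return None


def find_outbound_ntlm_carriers(log_text: str) -> list:
    """Flag TCP sessions from an internal host to an external SMB port."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto != "tcp" or port not in NTLM_CARRIER_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            findings.append(Finding(ts, src, dst, port))
    return findings


if __name__ == "__main__":
    for f in find_outbound_ntlm_carriers(SAMPLE_LOG):
        print(f"ALERT outbound SMB {f.src} -> {f.dst}:{f.port} at {f.timestamp}")
```

On the sample data the check flags the two sessions to external hosts on ports 445 and 139 and ignores the internal file-server traffic, the HTTPS session and the DNS query. In a real deployment the same condition is better enforced than merely detected: denying outbound TCP/445 and TCP/139 at the perimeter removes the attacker's ability to receive the authentication at all, while the detection remains useful for spotting attempts.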
Further details of the vulnerability have not yet been disclosed, to minimize the risk of exploitation. The researchers have passed all the information to Microsoft, whose engineers are already working on a fix.
Acros Security has also prepared unofficial micropatches for all affected versions of Windows, which can be used until Microsoft closes the bug with an official patch. The micropatches are available free of charge to users of the 0patch service.
As a reminder, 0patch is Acros Security's platform built precisely for such situations: fixing 0-day and other unpatched vulnerabilities, supporting products that their vendors no longer support, patching custom software, and so on.
"We are aware of the report [of this vulnerability] and will take all necessary steps to ensure the protection of our customers," Microsoft representatives told the media.