Analysis Summary

A newly discovered zero-day vulnerability affects all Windows versions from Windows 7 and Server 2008 R2 to Windows 11 v24H2 and Server 2025. This flaw allows attackers to capture users' NTLM authentication credentials simply by having them view a malicious file in Windows Explorer. The attack can be triggered through various means, including opening a shared folder, inserting a USB drive with the file, or even browsing a directory where the file was previously downloaded. This vulnerability shares attack similarities with the previously patched CVE-2025-21377 but stems from a different, undisclosed technical issue.

While Microsoft has yet to release an official patch, security researchers confirm the vulnerability is actively exploited in real-world attacks. Although it is not classified as critical, the flaw is dangerous in environments where attackers already have network access or can relay stolen credentials via public-facing servers like Microsoft Exchange. Security teams have reported the issue to Microsoft, and temporary mitigation is available through micropatches from 0patch. These patches are free until Microsoft provides a permanent fix.

The security researchers responsible for this discovery have previously identified several major vulnerabilities, including the Windows Theme file issue (CVE-2025-21308), a Mark of the Web issue in Server 2012 (still unpatched), and the URL File NTLM Hash Disclosure Vulnerability (CVE-2025-21377). Additionally, the “EventLogCrasher” vulnerability, which allows attackers to disable Windows event logging across domain computers, remains unresolved. This latest NTLM credential theft flaw adds to a growing list of security concerns that require urgent attention from Microsoft.

The temporary micropatches cover a wide range of affected Windows versions, including both legacy and currently supported editions. The patches are automatically deployed to systems with the 0patch Agent installed under PRO or Enterprise accounts, requiring no system reboots. Users can protect their systems by creating a free 0patch Central account, starting a trial, and installing the 0patch Agent to receive immediate protection while awaiting Microsoft's official security update.

Impact

• Sensitive Credentials Theft
• Remotely Gain Access

Remediation

• Install the free micropatches from 0patch to temporarily mitigate the vulnerability until Microsoft releases an official fix.
• Restrict NTLM authentication where possible and enforce stricter authentication protocols like Kerberos.
• Avoid opening unknown or suspicious files, especially from shared folders, USB drives, or downloaded locations.
• Use endpoint security solutions and SIEM tools to detect unusual NTLM authentication attempts.
• Limit access to critical systems and prevent attackers from moving laterally within the network.
• Regularly check for updates from Microsoft and apply the official patch as soon as it becomes available.
• These protocols are often used in NTLM relay attacks and should be disabled unless necessary.
• Reduce the risk of credential theft by enforcing MFA wherever feasible.