New Windows 0-Day Vulnerability Lets Remote Attackers Steal NTLM Credentials

A new vulnerability has been identified that affects every Windows release from Windows 7 and Server 2008 R2 through the current versions, including Windows 11 v24H2 and Server 2025. The zero-day lets an attacker capture a user's NTLM authentication credentials (the NTLM challenge-response that Windows sends when it authenticates to a remote share, which can then be relayed or cracked offline) simply by getting the user to view a malicious file in Windows Explorer; the file does not have to be opened.

The vulnerability can be exploited in various scenarios, such as when a user opens a shared folder, inserts a USB drive containing the malicious file, or even views a Downloads folder where the file was previously downloaded from an attacker’s website.

Exploitation and Impact

The newly discovered flaw resembles a previously patched URL file vulnerability (CVE-2025-21377), but the underlying technical issue is distinct and had not been publicly documented before now. The researchers are withholding exploitation details until Microsoft releases an official patch, but confirm that interaction with a malicious file is enough to leak the user's credentials.

Although this NTLM credential theft vulnerability is not rated critical, it remains a serious concern, particularly where an attacker already has a foothold on the network or can reach public-facing servers, such as Exchange, to which the captured credentials can be relayed in an NTLM relay attack. Vulnerabilities of this kind have been exploited in the wild.
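Every trigger described above (a shared folder, a USB stick, a Downloads folder) works the same way: Explorer renders the file, Windows authenticates to an attacker-controlled host, and the NTLM response leaks. Until the OS patch ships, the practical controls are to cut off the outbound path and to audit outgoing NTLM so relay attempts against servers like Exchange show up. The following PowerShell is an added example of those two controls; it is not code from the article or from 0patch. It assumes an elevated session on a Windows 10/11 or Server host, and the firewall rule name is my own choice. The LSA value `RestrictSendingNTLMTraffic` is the registry form of the group policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".

```powershell
# Added example, not part of the original article or the 0patch micropatch.
# Assumptions: run elevated; rule name below is arbitrary; value 1 (audit)
# is chosen deliberately so nothing breaks before the audit log is reviewed.
#Requires -RunAsAdministrator

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Cut the leak path. The malicious file makes Explorer open an SMB (TCP 445)
#    connection to the attacker's host; block 445 to non-intranet addresses.
#    (WebDAV over 80/443 is a second NTLM path if the WebClient service runs;
#    it needs its own rule or the service disabled.)
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Audit outgoing NTLM (1). Deny (2) is the stronger control but breaks
#    NTLM-only resources, so switch to it only after reviewing the audit events.
Set-ItemProperty -Path $LsaKey -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 3. Ensure the NTLM operational log is enabled; audit records land there.
wevtutil set-log Microsoft-Windows-NTLM/Operational /enabled:true | Out-Null

# 4. Read back the setting and list recent outgoing-NTLM audit events (ID 8001).
#    Any event whose target server is not an internal host is a candidate leak.
$current = Get-ItemProperty -Path $LsaKey -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
"RestrictSendingNTLMTraffic = $($current.RestrictSendingNTLMTraffic)  (0=allow, 1=audit, 2=deny)"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Target'; e = { ($_.Message -split "`n")[0] } }
```

The firewall rule addresses the external case only; an attacker who is already inside the network (the scenario the article singles out) is not blocked by it, which is why the audit step matters. Once the 8001 events show which hosts legitimately receive NTLM from workstations, the value can be raised to 2 with an exception list in the companion policy "Add remote server exceptions for NTLM authentication".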

Micropatch Availability

The 0patch team has responsibly disclosed the vulnerability to Microsoft. In the interim, it has developed and released micropatches through 0patch as a temporary mitigation. These micropatches will be free until Microsoft ships a permanent fix.

This marks the fourth zero-day vulnerability recently uncovered by the same research team, following:

  • Windows Theme file issue (patched as CVE-2025-21308)
  • Mark of the Web issue on Server 2012 (still unpatched)
  • URL File NTLM Hash Disclosure Vulnerability (patched as CVE-2025-21377)

Additionally, the “EventLogCrasher” vulnerability, reported in January 2024, which allows attackers to disable Windows event logging across domain computers, remains unaddressed by Microsoft.

The temporary security patches support a wide array of Windows versions, including:

Legacy Windows versions:

  • Windows 11 v21H2 and older Windows 10 versions (v21H2, v21H1, v20H2, etc.)
  • Windows 7 with various Extended Security Update (ESU) statuses
  • Windows Server 2012/2012 R2/2008 R2 with different ESU configurations

Currently supported Windows versions:

  • Windows 11 (v24H2, v23H2, v22H2)
  • Windows 10 v22H2
  • Windows Server 2025, 2022, 2019, and 2016
  • Windows Server 2012/2012 R2 with ESU 2

The micropatches have been automatically distributed to affected systems equipped with the 0patch Agent under PRO or Enterprise accounts. New users can create a free account in 0patch Central, initiate the available trial, and install and register the 0patch Agent to implement these protective measures. This process requires no system reboots, and patch deployment occurs automatically, providing immediate protection against this zero-day vulnerability while awaiting Microsoft’s official fix.


Winsage