A critical vulnerability has emerged, affecting a wide range of Windows operating systems, from the venerable Windows 7 and Server 2008 R2 to the latest iterations, including Windows 11 v24H2 and Server 2025. This zero-day flaw poses a significant risk, enabling attackers to capture users’ NTLM authentication credentials through seemingly innocuous interactions with malicious files in Windows Explorer.
The vulnerability can be exploited in various scenarios, such as when users open a shared folder, insert a USB drive containing the malicious file, or even simply view a Downloads folder where the file was previously downloaded from an attacker’s website.
NTLM Vulnerability Exploited in Attacks
This newly identified vulnerability shares attack vectors reminiscent of a previously patched URL file flaw (CVE-2025-21377). However, the technical underpinnings of this issue differ and have not been publicly documented until now. Security researchers are currently withholding specific details on exploitation methods until Microsoft issues an official patch. Nevertheless, it is confirmed that the vulnerability facilitates credential theft through interaction with malicious files.
While this NTLM credential theft vulnerability is not classified as critical, it remains a serious concern, particularly in environments where attackers have already gained network access or can target public-facing servers like Exchange to relay stolen credentials. Security intelligence indicates that such vulnerabilities have been actively exploited in real-world scenarios.
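The practical question for a defender reading this is whether a given host can leak NTLM credentials to an untrusted server at all, and whether it already has. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft, or from the 0patch team, and the article does not mention the setting it checks. It reads the standard Windows policy "Restrict NTLM: Outgoing NTLM traffic to remote servers" (stored as the RestrictSendingNTLMTraffic value under the MSV1_0 LSA key, which is an assumption about the registry layout rather than something the page states) and, if auditing has been enabled, summarizes the remote servers this machine has sent NTLM authentication to, using event 8001 from the Microsoft-Windows-NTLM/Operational log. The "Target server:" line used to parse that event is also an assumption and may differ by Windows version.

```powershell
# Added example (not from the article or from 0patch): a defender-side check for
# outgoing NTLM exposure on a Windows host. Run in an elevated PowerShell session.

# Registry value behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers"
# policy (assumed layout): 0 = allow all, 1 = audit all, 2 = deny all.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    $props = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    $raw = if ($null -ne $props -and $null -ne $props.$valueName) { [int]$props.$valueName } else { 0 }
    switch ($raw) {
        0 { 'Allow all (not configured): outgoing NTLM is neither audited nor blocked' }
        1 { 'Audit all: outgoing NTLM is logged as event 8001 but still allowed' }
        2 { 'Deny all: outgoing NTLM to remote servers is blocked (except configured exceptions)' }
        default { "Unknown value $raw" }
    }
}

function Get-OutgoingNtlmTargets {
    param([int]$MaxEvents = 500)
    # Event 8001 in Microsoft-Windows-NTLM/Operational records outgoing NTLM
    # authentication once the policy above is set to audit or deny.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    $events | ForEach-Object {
        # The message text names the target server; parse it loosely because the
        # exact wording varies by Windows version (assumption: a "Target server:" line exists).
        $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{ Time = $_.TimeCreated; TargetServer = $target }
    } | Group-Object TargetServer | Sort-Object Count -Descending |
        Select-Object @{ n = 'TargetServer'; e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

Write-Host "Outgoing NTLM policy: $(Get-OutgoingNtlmPolicy)"
$targets = @(Get-OutgoingNtlmTargets)
if ($targets.Count -eq 0) {
    Write-Host 'No 8001 audit events found (auditing may be off, or no outgoing NTLM has occurred).'
} else {
    Write-Host 'Remote servers this host has authenticated to with NTLM (review any that are not trusted internal hosts):'
    $targets | Format-Table -AutoSize
}
```

Setting the policy to "Audit all" first and reviewing the resulting 8001 events is the usual way to find out which legitimate servers still depend on NTLM before moving to "Deny all", which is the setting that actually stops a file in Explorer from sending credentials to an outside host. A micropatch for the specific file-handling bug and this host-wide control are complementary, not alternatives.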
Micropatch Availability
The researchers who found the flaw have responsibly disclosed it to Microsoft and are currently awaiting an official fix. In the interim, they have developed and released micropatches through 0patch, which provide a temporary mitigation for the issue. These micropatches will be available free of charge until Microsoft implements a permanent solution.
This marks the fourth zero-day vulnerability recently identified by the same research team, following:
- Windows Theme file issue (patched as CVE-2025-21308)
- Mark of the Web issue on Server 2012 (still unpatched)
- URL File NTLM Hash Disclosure Vulnerability (patched as CVE-2025-21377)
Additionally, the “EventLogCrasher” vulnerability reported in January 2024, which allows attackers to disable Windows event logging across domain computers, remains unaddressed by Microsoft.
The temporary security patches support a comprehensive range of Windows versions, including:
Legacy Windows versions:
- Windows 11 v21H2 and older Windows 10 versions (v21H2, v21H1, v20H2, etc.)
- Windows 7 with various Extended Security Update (ESU) statuses
- Windows Server 2012/2012 R2/2008 R2 with different ESU configurations
Currently supported Windows versions:
- Windows 11 (v24H2, v23H2, v22H2)
- Windows 10 v22H2
- Windows Server 2025, 2022, 2019, and 2016
- Windows Server 2012/2012 R2 with ESU 2
The micropatches have already been automatically distributed to affected systems with the 0patch Agent installed under PRO or Enterprise accounts. New users looking to implement these protective measures can create a free account in 0patch Central, initiate the available trial, and install and register the 0patch Agent. This process requires no system reboots, and patch deployment occurs automatically, ensuring immediate protection against this zero-day vulnerability while awaiting Microsoft’s official resolution.