New Windows zero-day leaks NTLM hashes, gets unofficial patch

A newly discovered Windows zero-day lets a remote attacker obtain a user's NTLM credentials by getting the user to view a malicious file in Windows Explorer. The flaw affects a wide range of Windows versions, from Windows 7 through Windows 11 and from Server 2008 R2 through Server 2025. In bugs of this class, Explorer's handling of the file causes Windows to connect to an attacker-controlled server and authenticate with NTLM; what the attacker captures is a Net-NTLMv2 challenge response, which can be relayed to other services or cracked offline, not the account's stored NT hash.

ACROS Security researchers found the vulnerability while working on another NTLM hash disclosure issue; it has not yet been assigned a CVE-ID. Mitja Kolsek, CEO of ACROS Security, explained that an attacker can obtain a user's NTLM credentials simply by having the user view a malicious file in Windows Explorer: by opening a shared folder or a USB drive that contains the file, or by viewing the Downloads folder after the file was quietly downloaded from an attacker-controlled web page. The user does not need to open the file itself.

Kolsek rated the issue as moderate rather than critical, since exploitation depends on conditions such as the attacker already being inside the victim's network (to relay the captured authentication) or having a public-facing server the victim's machine can reach. Vulnerabilities of this type have nonetheless been exploited in real attacks.

Micropatches available for all 0patch users

ACROS Security has released free, unofficial micropatches through its 0patch service for all affected Windows versions; they will remain free until Microsoft ships an official fix. "We reported this issue to Microsoft and, as usual, issued micropatches for it that will remain free until Microsoft has provided an official fix," Kolsek said. To limit the risk of exploitation, technical details are being withheld until an official fix is available.

Installing the micropatch is straightforward: create a 0patch account and install the 0patch agent. Once the agent is registered, it applies the micropatch automatically and without a reboot, unless a custom patching policy on the account prevents it.
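Until an official fix ships, administrators who cannot deploy a third-party agent can still narrow the exposure of this bug class with built-in controls. The following PowerShell is an added example written for this page, not code from the article, ACROS Security or 0patch; the function and firewall rule names are its own, while the registry value, firewall keyword, service name and event ID are standard Windows ones. It reports the current state, blocks SMB/NetBIOS egress to the Internet (the Downloads-folder scenario), disables the WebDAV fallback Windows uses when SMB is unreachable, and sets the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy first in audit mode and then, after review, in deny mode (the shared-folder scenario, where the attacker is already on the network).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or 0patch): interim hardening against
# Explorer-triggered outbound NTLM authentication. Names are this example's own.

$Msv1Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RuleName = 'Block outbound SMB/NetBIOS to Internet (NTLM leak mitigation)'

function Test-NtlmLeakExposure {
    # Report the three settings that decide whether a file can coerce an
    # outbound NTLM authentication to a server the attacker controls.
    $restrict  = (Get-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $rule      = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutboundNtlmPolicy = $(switch ($restrict) { 1 {'Audit'} 2 {'Deny'} default {'Allow (default)'} })
        SmbEgressBlocked   = [bool]($rule -and $rule.Enabled -eq 'True')
        WebDavFallback     = $(if ($webclient -and $webclient.StartType -ne 'Disabled') {
                                 'Enabled (WebClient service)' } else { 'Disabled' })
    }
}

function Set-NtlmLeakMitigation {
    param([ValidateSet('Audit', 'Enforce')][string]$Mode = 'Audit')

    # 1. Egress: the coerced connection rides SMB (TCP 445) or NetBIOS session (TCP 139).
    #    Blocking only non-local destinations keeps file servers on the LAN working.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 139, 445 -RemoteAddress Internet -Profile Any | Out-Null
    }

    # 2. When SMB is unreachable Windows retries over WebDAV (TCP 80/443) if the
    #    WebClient service is running, which would leak the same NTLM exchange.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }

    # 3. Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    #    1 = audit (logs event 8001 for each outbound NTLM auth), 2 = deny.
    #    Run in Audit first, review the 8001 events, add legitimate NTLM-only servers to
    #    the ClientAllowedNTLMServers exception list, then switch to Enforce.
    $value = if ($Mode -eq 'Enforce') { 2 } else { 1 }
    New-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $value -Force | Out-Null

    Test-NtlmLeakExposure
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Newest = 50)
    # Event 8001 in the NTLM operational log records each outbound NTLM authentication
    # seen while the policy is in Audit mode; the message names the target server.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage, in order:
#   Test-NtlmLeakExposure
#   Set-NtlmLeakMitigation -Mode Audit
#   Get-OutboundNtlmAuditEvents       # review which servers still receive NTLM
#   Set-NtlmLeakMitigation -Mode Enforce
```

Two caveats a practitioner should weigh before enforcing. The firewall rule and the WebClient change only cover the case where the attacker's server is outside the network; the shared-folder and USB scenarios, where the capture or relay happens on the LAN, are addressed only by the deny policy (together with SMB signing and Extended Protection on the services a relayed authentication could reach). And the deny policy breaks authentication to any server that supports only NTLM, which is why the example insists on an audit pass and the exception list first.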

In recent months, the 0patch service has also issued micropatches for three other zero-days: a Windows Theme bug (later patched by Microsoft as CVE-2025-21308), a Mark of the Web bypass on Server 2012 (still unpatched), and a URL File NTLM Hash Disclosure Vulnerability (later patched as CVE-2025-21377). 0patch has also previously micropatched other NTLM authentication-coercion issues, such as PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, which Microsoft has left unpatched.

A Microsoft spokesperson had not responded to a request for comment sent earlier today.