A newly identified zero-day vulnerability has emerged within the Windows operating system, affecting a wide range of versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025. This vulnerability poses a significant risk as it enables attackers to acquire NTLM credentials by deceiving users into opening malicious files within Windows Explorer. Microsoft has been informed of the issue, and while it currently lacks a designated CVE number, an unofficial patch is accessible through 0patch until an official resolution is provided.
Vulnerability Details
The flaw bears similarities to previously identified vulnerabilities in URL files, such as CVE-2025-21377, which allowed for the exploitation of NTLM hash disclosures. However, this particular vulnerability stands apart and has not garnered extensive discussion in public forums. To exploit this vulnerability, an attacker must either have network access to the victim’s system or possess a method to relay the stolen credentials, potentially through a publicly exposed Exchange server. While not classified as critical, this NTLM-related vulnerability has been leveraged in real-world attacks.
In response to this threat, 0patch, a security patching service, has developed and distributed micropatches for the vulnerability. These patches are available for all affected Windows versions, including both legacy and currently supported systems, at no cost until Microsoft issues an official fix. The micropatches have already been deployed to computers managed by 0patch Agent within PRO or Enterprise accounts, ensuring immediate protection without necessitating manual intervention or system reboots.
Impact and Other Vulnerabilities
This marks the fourth zero-day vulnerability reported by 0patch in a relatively short timeframe. Previous vulnerabilities include one in Windows Theme files, which Microsoft subsequently addressed as CVE-2025-21308, and the Mark of the Web issue on Server 2012, which remains unresolved. Furthermore, several NTLM-related vulnerabilities have been classified as “won't fix” by Microsoft, and 0patch provides patches for these as well. Notable examples include PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, all of which affect updated Windows versions.
For organizations still using NTLM authentication, implementing protective measures against these vulnerabilities is essential. 0patch offers a robust solution by supplying patches for both zero-day and “won't fix” vulnerabilities, which makes it particularly beneficial for legacy systems that no longer receive official security updates from Microsoft. Users can create a free account with 0patch to start a trial, gaining automatic protection without manual configuration.
As new vulnerabilities continue to surface, third-party patching services become an increasingly important way to close security gaps, especially on unsupported Windows versions. With 0patch, users can protect their systems against both known and emerging threats while awaiting vendor fixes; this matters because attackers continue to exploit unpatched vulnerabilities to compromise user credentials and systems. While a CVE identifier for this vulnerability has yet to be assigned, users are encouraged to stay vigilant and monitor Microsoft's security advisories for updates. In the meantime, patches from reputable sources such as 0patch can offer interim protection against such threats.
Patch Availability
Micropatches are currently available for the following Windows versions:
- Legacy Windows versions: Windows 11 v21H2, Windows 10 (all versions back to v1803), Windows 7, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2.
- Currently supported Windows versions: Windows 11 v24H2, Windows 11 v23H2, Windows 11 v22H2, Windows 10 v22H2, Windows Server 2025, Windows Server 2022, Windows Server 2019, and Windows Server 2016.
These patches will remain free until an official fix from Microsoft is released, underscoring the importance of proactive security measures in safeguarding against credential theft and system exploitation.