InfoSecBulletin Cybersecurity for mankind
Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving targets into opening malicious files in Windows Explorer.
NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
UAP hosted “UAP Cyber Siege 2025”, A national level cybersecurity competition
Attackers use stolen hashes to impersonate compromised users, accessing sensitive data and moving laterally within the network. Last year, Microsoft announced plans to phase out the NTLM authentication protocol in future Windows 11 versions.
ACROS Security researchers found a new vulnerability that discloses SCF File NTLM hashes while working on patches for another issue. This zero-day, which has not yet received a CVE-ID, impacts all Windows versions from Windows 7 to Windows 11, as well as Server 2008 R2 to Server 2025.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” said ACROS Security CEO Mitja Kolsek on Tuesday.
“Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks.”
Micropatches available for all 0patch users:
ACROS Security offers free, unofficial micropatches for this vulnerability to all Windows users until Microsoft provides official fixes.
“We reported this issue to Microsoft, and – as usual – issued micropatches for it that will remain free until Microsoft has provided an official fix,” Kolsek added. “We are withholding details on this vulnerability until Microsoft’s fix becomes available to minimize the risk of malicious exploitation.”
To install the micropatch on your Windows PC, create an account and install the 0patch agent. The agent will automatically apply the micropatch without needing a system restart, unless a custom patching policy prevents it.
A Microsoft spokesperson told, “We’re aware of this report and will take action as needed to help keep customers protected.”
Source: 0patch, BleepingComputer
