InfoSecBulletin Cybersecurity for mankind
Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving targets into opening malicious files in Windows Explorer.
NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
VMware Patches Authentication Bypass Flaw in Windows Tool
IngressNightmare
Over 40% of cloud environments are vulnerable to RCE
(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass
Oracle refutes breach after hacker claims 6 million data theft
Russian zero-day seller to offer up to $4 million for Telegram exploits
Attackers use stolen hashes to impersonate compromised users, accessing sensitive data and moving laterally within the network. Last year, Microsoft announced plans to phase out the NTLM authentication protocol in future Windows 11 versions.
ACROS Security researchers found a new vulnerability that discloses SCF File NTLM hashes while working on patches for another issue. This zero-day, which has not yet received a CVE-ID, impacts all Windows versions from Windows 7 to Windows 11, as well as Server 2008 R2 to Server 2025.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” said ACROS Security CEO Mitja Kolsek on Tuesday.
“Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks.”
Micropatches available for all 0patch users:
ACROS Security offers free, unofficial micropatches for this vulnerability to all Windows users until Microsoft provides official fixes.
“We reported this issue to Microsoft, and – as usual – issued micropatches for it that will remain free until Microsoft has provided an official fix,” Kolsek added. “We are withholding details on this vulnerability until Microsoft’s fix becomes available to minimize the risk of malicious exploitation.”
To install the micropatch on your Windows PC, create an account and install the 0patch agent. The agent will automatically apply the micropatch without needing a system restart, unless a custom patching policy prevents it.
A Microsoft spokesperson told, “We’re aware of this report and will take action as needed to help keep customers protected.”
Source: 0patch, BleepingComputer
