InfoSecBulletin Cybersecurity for mankind
Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving targets into opening malicious files in Windows Explorer.
NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).
NVIDIA Releases Security Update For GPU Driver Vulnerabilities
‘SessionShark’ ToolKit Bypasses Microsoft Office 365 MFA
159 CVEs Exploited in Q1 2025 : 28.3% Within 24 Hours of Disclosure
NVIDIA NeMo Framework Vuln Allow Attackers RCE
Cisco Issued Urgent Security Advisories For Multiple Products
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
Attackers use stolen hashes to impersonate compromised users, accessing sensitive data and moving laterally within the network. Last year, Microsoft announced plans to phase out the NTLM authentication protocol in future Windows 11 versions.
ACROS Security researchers found a new vulnerability that discloses SCF File NTLM hashes while working on patches for another issue. This zero-day, which has not yet received a CVE-ID, impacts all Windows versions from Windows 7 to Windows 11, as well as Server 2008 R2 to Server 2025.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” said ACROS Security CEO Mitja Kolsek on Tuesday.
“Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks.”
Micropatches available for all 0patch users:
ACROS Security offers free, unofficial micropatches for this vulnerability to all Windows users until Microsoft provides official fixes.
“We reported this issue to Microsoft, and – as usual – issued micropatches for it that will remain free until Microsoft has provided an official fix,” Kolsek added. “We are withholding details on this vulnerability until Microsoft’s fix becomes available to minimize the risk of malicious exploitation.”
To install the micropatch on your Windows PC, create an account and install the 0patch agent. The agent will automatically apply the micropatch without needing a system restart, unless a custom patching policy prevents it.
A Microsoft spokesperson told, “We’re aware of this report and will take action as needed to help keep customers protected.”
Source: 0patch, BleepingComputer
