Windows zero-day: attackers can steal NTLM credentials with little user interaction


All Windows Workstation and Server versions from 7 to the latest 11 v24H2 and Server 2022 are affected by a zero-day vulnerability, researchers from 0patch warn.

Attackers can exploit the vulnerability by crafting a malicious file and tricking users into opening a folder containing it.

“The vulnerability allows an attacker to obtain a user's NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page,” 0patch researcher Mitja Kolsek said.


NTLM (New Technology LAN Manager) is Microsoft's built-in authentication system, which has been largely replaced by more modern solutions like Kerberos.

NTLM remains in use for compatibility with legacy systems and applications. The suite of security protocols provides authentication, integrity, and confidentiality to users when accessing network resources such as shared files or printers. However, an attacker who captures a user's NTLM credentials can potentially use them to gain unauthorized access to company networks and sensitive data.
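Because the article withholds the vulnerability details, the practical first step for a defender is to know where NTLM is still allowed on a host and whether outgoing NTLM authentication is being audited. The script below is an added example, not from the article or from 0patch; it reads the registry values that back the "Network security: LAN Manager authentication level" and "Network security: Restrict NTLM" Group Policy settings (paths and value names as documented by Microsoft) and, if the NTLM operational log is enabled, lists recent outgoing-NTLM audit events (event ID 8001). The interpretation tables are assumptions drawn from the policy documentation, not from the page.

```powershell
# Added example (defender-side audit), not code from the article or from 0patch.
# Assumption: the registry locations and value names below are the standard
# backing store for the corresponding Group Policy settings.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent -> policy not configured
    return $item.$Name
}

# LAN Manager authentication level (0-5); 5 refuses LM and NTLMv1 entirely.
$lmLevel = Get-RegistryValueOrDefault -Path $lsaPath -Name 'LmCompatibilityLevel' -Default 'not configured'
$lmText  = @{ 0='Send LM & NTLM'; 1='Send LM & NTLM, use NTLMv2 if negotiated';
              2='Send NTLM only'; 3='Send NTLMv2 only'; 4='Send NTLMv2, refuse LM';
              5='Send NTLMv2, refuse LM & NTLM' }

# Restrict NTLM: Outgoing NTLM traffic to remote servers (0 allow, 1 audit, 2 deny).
$outgoing = Get-RegistryValueOrDefault -Path $msvPath -Name 'RestrictSendingNTLMTraffic' -Default 0
$outText  = @{ 0='Allow all'; 1='Audit all'; 2='Deny all' }

# Restrict NTLM: Incoming NTLM traffic (0 allow, 1 deny domain accounts, 2 deny all).
$incoming = Get-RegistryValueOrDefault -Path $msvPath -Name 'RestrictReceivingNTLMTraffic' -Default 0
$inText   = @{ 0='Allow all'; 1='Deny all domain accounts'; 2='Deny all accounts' }

[PSCustomObject]@{
    LmCompatibilityLevel = "$lmLevel ($($lmText[[int]$lmLevel]))"
    OutgoingNTLM         = "$outgoing ($($outText[[int]$outgoing]))"
    IncomingNTLM         = "$incoming ($($inText[[int]$incoming]))"
} | Format-List

# If outgoing NTLM auditing is on, the client logs event 8001 in the NTLM
# operational log for every outgoing NTLM authentication; review the targets.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "Recent outgoing NTLM authentications (event 8001):"
    $events | Select-Object TimeCreated, @{ n='Summary'; e={ ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
} else {
    Write-Host "No 8001 events found (outgoing NTLM auditing may be off or the log may be disabled)."
}
```

Run it in an elevated PowerShell session on the host being checked. Outgoing NTLM set to "Allow all" with no audit events means a host would authenticate silently to any server that requests NTLM, which is exactly the condition a credential-leak flaw of the kind described above relies on; "Audit all" produces the 8001 trail, and "Deny all" (with exceptions for known legacy servers) stops the authentication from happening.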

“We are investigating this report and will take action as needed to help keep customers protected,” a Microsoft spokesperson said.

0patch is a service from the security firm ACROS Security that continues delivering security updates for Windows versions after Microsoft stops supporting them.

The firm reported the issue to Microsoft and issued a free, unofficial micropatch. Microsoft has yet to provide an official fix.

“We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation,” the researcher said.

This is the third zero-day recently found and reported to Microsoft by 0patch, after the Windows Themes Spoofing vulnerability and the Mark of the Web issue affecting Server 2012.

According to the firm, none of the three flaws has an official fix, and neither does another flaw, “EventLogCrasher,” discovered by researcher Florian, which enables attackers to disable all Windows event logging on all domain computers.

0patch warns organizations that use NTLM “for any reason” that they may also be affected by three other vulnerabilities that Microsoft has decided not to patch.

“Vulnerabilities like these get discovered on a regular basis, and attackers know about them all,” the firm said.

0patch claims to have patches for both legacy Windows versions and those still receiving Windows Updates. The firm plans to “security-adopt” Windows 10 as it reaches end-of-life in October 2025.

Cybernews has reached out to Microsoft and will include its response.

Updated on December 9th [07:40 a.m. GMT] with a statement from Microsoft.