Shane

CinchOps Security Alert for Houston Businesses: New Windows Zero-Day Exploit

A new Windows vulnerability affecting Windows 7 through Windows 11 allows credential theft when a malicious file is merely viewed in Explorer

Critical Windows Zero-Day Vulnerability Enables NTLM Credential Theft

A new zero-day vulnerability affecting all supported versions of Microsoft Windows has been discovered that allows attackers to steal NTLM (New Technology LAN Manager) credentials with minimal user interaction. The vulnerability was identified and reported to Microsoft by security researchers at 0patch, though no official CVE identifier has been assigned yet.

Impact

This vulnerability affects all Windows versions from Windows 7 through Windows 11 (v24H2), including:

  • Windows 7 and Server 2008 R2
  • Windows 10 (all versions)
  • Windows 11 (all versions through 24H2)
  • Windows Server 2012/2012 R2
  • Windows Server 2016/2019/2022

How the Exploit Works

What makes this vulnerability particularly concerning is the minimal user interaction required. The exploit can be triggered simply by:

  • Viewing a malicious file in Windows Explorer
  • Opening a shared folder containing the malicious file
  • Accessing a USB drive containing the malicious file
  • Viewing a Downloads folder where the malicious file was automatically downloaded


When triggered, the exploit forces an outbound NTLM connection to an attacker-controlled host, causing Windows to send the logged-in user's NTLM authentication response (commonly referred to as the NTLM hash) without any prompt. Captured hashes can be cracked offline to recover plaintext passwords, allowing attackers to gain unauthorized access to networks and sensitive data.

Recommended Mitigation Steps

While Microsoft investigates the vulnerability, organizations should consider implementing these temporary mitigation measures:

  1. Disable NTLM authentication where possible through Group Policy:
    • Navigate to Security Settings > Local Policies > Security Options
    • Configure “Network security: Restrict NTLM” policies
  2. Exercise increased caution when:
    • Accessing shared folders
    • Connecting USB drives
    • Downloading files from the internet
  3. Consider implementing the unofficial micropatch available from 0patch until an official Microsoft fix is released
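As an added example (not CinchOps' own tooling), the PowerShell snippet below reads the registry values that back the "Network security: Restrict NTLM" Group Policy settings named in step 1 and reports whether outbound NTLM, the path this vulnerability relies on, is currently allowed, audited or denied. Run it in an elevated PowerShell session on the Windows host you are assessing; it only reads settings and changes nothing.

```powershell
# Added example: report the local "Network security: Restrict NTLM" policy state.
# These registry locations are the documented backing store for the Group Policy
# settings found under Security Settings > Local Policies > Security Options.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Shared value meanings for the Restrict*/Audit* NTLM traffic settings.
# An absent value means the policy is "Not Defined", which behaves like Allow all.
$meaning = @{ 0 = 'Allow all (default)'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-NtlmPolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # not configured -> Allow all
    return [int]$item.$Name
}

$checks = @(
    @{ Label = 'Outgoing NTLM traffic to remote servers'; Name = 'RestrictSendingNTLMTraffic' },
    @{ Label = 'Incoming NTLM traffic';                   Name = 'RestrictReceivingNTLMTraffic' },
    @{ Label = 'Audit incoming NTLM traffic';             Name = 'AuditReceivingNTLMTraffic' }
)

$report = foreach ($c in $checks) {
    $v = Get-NtlmPolicyValue -Path $lsa -Name $c.Name
    [pscustomobject]@{ Setting = $c.Label; RegistryValue = $v; Effect = $meaning[$v] }
}
$report | Format-Table -AutoSize

# Outbound NTLM is what the forced connection described above abuses: the user's
# NTLM response only leaves the machine if outgoing NTLM to remote servers is allowed.
$outbound = Get-NtlmPolicyValue -Path $lsa -Name 'RestrictSendingNTLMTraffic'
if ($outbound -eq 0) {
    Write-Warning 'Outgoing NTLM to remote servers is unrestricted on this host.'
    Write-Warning 'Set the policy to "Audit all" first and review the Microsoft-Windows-NTLM/Operational log'
    Write-Warning 'for legitimate NTLM dependencies before moving to "Deny all".'
}

# Remote servers exempted via "Add remote server exceptions for NTLM authentication".
$exceptions = (Get-ItemProperty -Path $lsa -Name 'ClientAllowedNTLMServers' `
    -ErrorAction SilentlyContinue).ClientAllowedNTLMServers
if ($exceptions) { "NTLM server exceptions configured: $($exceptions -join ', ')" }
```

Auditing before denying matters because legacy file servers, printers and some applications still depend on NTLM; the audit log tells you what would break before you switch to Deny all.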


Current Status

Microsoft has acknowledged they are investigating the report and will “take action as needed to help keep customers protected.” However, there is currently no official patch available or CVE identifier assigned to this vulnerability.

How CinchOps Can Help

Our security team is actively monitoring this situation and can assist your organization with:

  • Implementing recommended mitigations
  • Reviewing NTLM authentication configurations
  • Monitoring for potential exploitation attempts
  • Deploying temporary fixes across your environment


We will continue to track this vulnerability and provide updated guidance as new information becomes available from Microsoft and the security research community. Contact your CinchOps representative for immediate assistance or questions about protecting your environment from this threat.

Stay tuned to our security advisories for the latest updates on this developing situation.


Let us know if you would like to be notified as updates become available.
