
NTLM is widely used in NTLM relay attacks (hackers coerce vulnerable network devices to authenticate to servers under their control) and in pass-the-hash attacks (vulnerabilities are exploited to steal NTLM hashes).
After such attacks, cybercriminals typically use stolen hashes to authenticate on behalf of compromised users to gain access to sensitive data and perform lateral movement on the network.
This is why Microsoft announced last year that the NTLM authentication protocol won’t be supported in future versions of Windows 11.
This week, Acros Security reported the discovery of a SCF File NTLM Hash Disclosure Vulnerability (zero-day) resulting in NTLM hash leaks. The issue was identified while patching another vulnerability also related to hash disclosure.
The new zero-day vulnerability doesn’t have a CVE identifier yet. The bug affects all versions of Windows: from Windows 7 to the latest versions of Windows 11 and from Server 2008 R2 to Server 2025.
” The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page. While these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks,” – Mitja Kolsek, Acros Security CEO.
No further details of the newly-discovered vulnerability were disclosed to minimize potential exploitation risks. Experts have already submitted all the information to Microsoft, and its engineers are already working on a fix.
Acros Security has already issued unofficial micropatches for all versions of Windows; they can be applied pending the release of an official patch fixing this bug. The free micropatches are available to users of the 0patch service.
To remind, 0patch by Acros Security is a platform designed specifically to protect users against 0day and ‘wont fix’ vulnerabilities and maintain legacy products no longer supported by their manufacturers.
According to Microsoft, the company is aware of the newly-discovered security hole, and it takes all required steps to protect its customers.

2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →