
NTLM is widely abused in NTLM relay attacks (hackers coerce vulnerable network devices into authenticating to servers under their control) and in pass-the-hash attacks (vulnerabilities are exploited to steal NTLM hashes).
After such attacks, cybercriminals typically use stolen hashes to authenticate on behalf of compromised users to gain access to sensitive data and perform lateral movement on the network.
This is why Microsoft announced last year that the NTLM authentication protocol won’t be supported in future versions of Windows 11.
This week, Acros Security reported the discovery of an SCF File NTLM hash disclosure vulnerability (a zero-day) that results in NTLM hash leaks. The issue was identified while patching another vulnerability that is also related to hash disclosure.
The new zero-day vulnerability doesn’t have a CVE identifier yet. The bug affects all versions of Windows: from Windows 7 to the latest versions of Windows 11 and from Server 2008 R2 to Server 2025.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page. While these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks,” – Mitja Kolsek, Acros Security CEO.
No further details of the newly-discovered vulnerability were disclosed to minimize potential exploitation risks. Experts have already submitted all the information to Microsoft, and its engineers are already working on a fix.
Acros Security has already issued unofficial micropatches for all versions of Windows; they can be applied pending the release of an official patch fixing this bug. The free micropatches are available to users of the 0patch service.
As a reminder, 0patch by Acros Security is a platform designed specifically to protect users against zero-day and ‘won’t fix’ vulnerabilities and to maintain legacy products no longer supported by their manufacturers.
According to Microsoft, the company is aware of the newly discovered security hole and is taking all required steps to protect its customers.
