Zero-day vulnerability in Windows results in NTLM hash leaks

NTLM is widely used in NTLM relay attacks (hackers coerce vulnerable network devices to authenticate to servers under their control) and in pass-the-hash attacks (vulnerabilities are exploited to steal NTLM hashes).

After such attacks, cybercriminals typically use stolen hashes to authenticate on behalf of compromised users to gain access to sensitive data and perform lateral movement on the network.

This is why Microsoft announced last year that the NTLM authentication protocol won’t be supported in future versions of Windows 11.

This week, Acros Security reported the discovery of a SCF File NTLM Hash Disclosure Vulnerability (zero-day) resulting in NTLM hash leaks. The issue was identified while patching another vulnerability also related to hash disclosure.

The new zero-day vulnerability doesn’t have a CVE identifier yet. The bug affects all versions of Windows: from Windows 7 to the latest versions of Windows 11 and from Server 2008 R2 to Server 2025.

” The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page. While these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks,” – Mitja Kolsek, Acros Security CEO.

No further details of the newly-discovered vulnerability were disclosed to minimize potential exploitation risks. Experts have already submitted all the information to Microsoft, and its engineers are already working on a fix.

Acros Security has already issued unofficial micropatches for all versions of Windows; they can be applied pending the release of an official patch fixing this bug. The free micropatches are available to users of the 0patch service.

To remind, 0patch by Acros Security is a platform designed specifically to protect users against 0day and ‘wont fix’ vulnerabilities and maintain legacy products no longer supported by their manufacturers.

According to Microsoft, the company is aware of the newly-discovered security hole, and it takes all required steps to protect its customers.