Zero-day vulnerability in Windows results in NTLM hash leaks

📟 News

Date: 28/03/2025

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows Explorer.

NTLM is widely used in NTLM relay attacks (hackers coerce vulnerable network devices to authenticate to servers under their control) and in pass-the-hash attacks (vulnerabilities are exploited to steal NTLM hashes).

After such attacks, cybercriminals typically use stolen hashes to authenticate on behalf of compromised users to gain access to sensitive data and perform lateral movement on the network.

This is why Microsoft announced last year that the NTLM authentication protocol won’t be supported in future versions of Windows 11.

This week, Acros Security reported the discovery of a SCF File NTLM Hash Disclosure Vulnerability (zero-day) resulting in NTLM hash leaks. The issue was identified while patching another vulnerability also related to hash disclosure.

The new zero-day vulnerability doesn’t have a CVE identifier yet. The bug affects all versions of Windows: from Windows 7 to the latest versions of Windows 11 and from Server 2008 R2 to Server 2025.

” The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page. While these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks,” – Mitja Kolsek, Acros Security CEO.

No further details of the newly-discovered vulnerability were disclosed to minimize potential exploitation risks. Experts have already submitted all the information to Microsoft, and its engineers are already working on a fix.

Acros Security has already issued unofficial micropatches for all versions of Windows; they can be applied pending the release of an official patch fixing this bug. The free micropatches are available to users of the 0patch service.

To remind, 0patch by Acros Security is a platform designed specifically to protect users against 0day and ‘wont fix’ vulnerabilities and maintain legacy products no longer supported by their manufacturers.

According to Microsoft, the company is aware of the newly-discovered security hole, and it takes all required steps to protect its customers.

Related posts:
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder

According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…

Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails

The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…

Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers

Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…

Full article →
2025.03.16 — Researchers force DeepSeek to write malware

According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…

Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…

Full article →