A new zero-day vulnerability has been discovered that enables attackers to capture NTLM credentials by simply having the target view a malicious file in Windows Explorer. The flaw, which affects all Windows versions from Windows 7 to Windows 11 24H2 and Server 2022, was discovered by the 0patch team and reported to Microsoft. However, no official fix has been released.
The attack works by causing an outbound NTLM connection when the user views a specially crafted file in File Explorer, such as a file from a shared folder or USB disk. This triggers Windows to send NTLM hashes for the logged-in user, which attackers can capture and crack to gain access to login credentials.
0patch has developed an unofficial micropatch to mitigate the issue until Microsoft releases an official fix. Users can apply this patch by registering on the 0patch platform. Those who prefer not to use the micropatch can disable NTLM authentication via Group Policy or registry modifications. This is the third unaddressed vulnerability reported by 0patch, highlighting ongoing concerns with NTLM-related flaws in Windows.
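For the Group Policy or registry route mentioned above, the following is an added example, not code from 0patch or Microsoft. The page does not name a specific setting; the script assumes the relevant control is the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" and its registry value `RestrictSendingNTLMTraffic`, and the function names are hypothetical. It puts the machine in audit mode first so outgoing NTLM use can be reviewed before it is denied.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Registry value behind the policy "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers": 0 = allow all, 1 = audit all, 2 = deny all.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
$NtlmLog   = 'Microsoft-Windows-NTLM/Operational'

function Get-OutgoingNtlmMode {
    # Returns the current mode as 0, 1 or 2.
    $p = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }   # value absent: not configured, outgoing NTLM allowed
    return [int]$p.$ValueName
}

function Set-OutgoingNtlmMode {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $map = @{ Allow = 0; Audit = 1; Deny = 2 }
    Write-Host "Previous mode: $(Get-OutgoingNtlmMode)"
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $map[$Mode] -Type DWord
    Write-Host "New mode:      $(Get-OutgoingNtlmMode)"
}

function Get-OutgoingNtlmAudit {
    # Event 8001 is written in audit mode for each outgoing NTLM attempt
    # that deny mode would have blocked.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = $NtlmLog; Id = 8001 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical sequence:
#   Set-OutgoingNtlmMode -Mode Audit      # observe without breaking anything
#   Get-OutgoingNtlmAudit | Format-List   # review which servers still rely on NTLM
#   Set-OutgoingNtlmMode -Mode Deny       # enforce once the list is understood
Get-OutgoingNtlmMode
```

On domain-joined machines, a Group Policy that configures the same setting overrides a local registry change at the next policy refresh, so the value should be set in the GPO there.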
This NTLM vulnerability poses a significant security risk, allowing attackers to capture credentials through malicious files viewed in Windows Explorer. While Microsoft has not yet released an official fix, 0patch provides an interim solution. The issue highlights ongoing concerns about NTLM-related flaws in Windows, which require urgent attention and action.