New Windows zero-day leaks NTLM hashes, gets unofficial patch

Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer.

NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).

Attackers then use the stolen hash to authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the network. Last year, Microsoft announced plans to retire the NTLM authentication protocol in future Windows 11 versions.

ACROS Security researchers discovered the new SCF File NTLM hash disclosure vulnerability while developing patches for another NTLM hash disclosure issue. This new zero-day hasn't been assigned a CVE-ID and affects all versions of Windows, from Windows 7 up to the latest Windows 11 releases and from Server 2008 R2 to Server 2025.

"The vulnerability allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," said ACROS Security CEO Mitja Kolsek on Tuesday.

"Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim's network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks."

Micropatches available for all 0patch users

ACROS Security now provides free and unofficial security patches for this zero-day flaw through its 0Patch micropatching service for all affected Windows versions until Microsoft releases official fixes.

"We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix," Kolsek added. "We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation."

To install the micropatch on your Windows PC, create an account and install the 0patch agent. Once launched, the agent applies the micropatch automatically without requiring a system restart if there is no custom patching policy to block it.

In recent months, 0patch has reported three other zero-day vulnerabilities that Microsoft patched or has yet to address, including a Windows Theme bug (patched as CVE-2025-21308), a Mark of the Web bypass on Server 2012 (still a zero-day without an official patch), and an URL File NTLM Hash Disclosure Vulnerability (patched as CVE-2025-21377).

0patch has also disclosed other NTLM hash disclosure flaws in the past, like PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, which are yet to receive a patch.

A Microsoft spokesperson couldn't immediately provide a statement when contacted by BleepingComputer earlier today.