New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials – Unofficial Patch

A critical vulnerability affects all Windows operating systems, from Windows 7 and Server 2008 R2 through the latest Windows 11 v24H2 and Server 2025.

This zero-day flaw enables attackers to capture users’ NTLM authentication credentials simply by having them view a malicious file in Windows Explorer. 

The vulnerability can be triggered when opening a shared folder, inserting a USB drive containing the malicious file, or even viewing a Downloads folder where such a file was previously downloaded from an attacker’s website.

NTLM Vulnerability Exploited in Attacks

The newly discovered vulnerability shares similar attack scenarios with a previously patched URL file flaw (CVE-2025-21377), though the underlying technical issue differs and has not been publicly documented before.

While security researchers are withholding specific exploitation details until Microsoft releases an official patch, they confirm the vulnerability allows for credential theft through malicious file interaction.

Although not classified as critical, this NTLM credential theft vulnerability remains dangerous, particularly in environments where attackers have already gained network access or can target public-facing servers like Exchange to relay stolen credentials. 

Security intelligence confirms these types of vulnerabilities have been actively exploited in real-world attacks.

Micropatch Availability

The security team has reported this vulnerability to Microsoft according to responsible disclosure practices. 

While awaiting an official fix, they have developed and released micropatches available via 0patch that will temporarily mitigate the issue. These micropatches will remain free until Microsoft implements a permanent solution.

This represents the fourth zero-day vulnerability recently discovered by the same research team following:

  • Windows Theme file issue (patched as CVE-2025-21308)
  • Mark of the Web issue on Server 2012 (still unpatched)
  • URL File NTLM Hash Disclosure Vulnerability (patched as CVE-2025-21377)

Additionally, the “EventLogCrasher” vulnerability reported in January 2024, which allows attackers to disable Windows event logging across domain computers, remains unpatched by Microsoft.

The temporary security patches support a comprehensive range of Windows versions, including:

Legacy Windows versions:

  • Windows 11 v21H2 and older Windows 10 versions (v21H2, v21H1, v20H2, etc.).
  • Windows 7 with various Extended Security Update (ESU) statuses.
  • Windows Server 2012/2012 R2/2008 R2 with different ESU configurations.

Currently supported Windows versions:

  • Windows 11 (v24H2, v23H2, v22H2)
  • Windows 10 v22H2
  • Windows Server 2025, 2022, 2019, and 2016
  • Windows Server 2012/2012 R2 with ESU 2

The micropatches have already been automatically distributed to affected systems with the 0patch Agent installed under PRO or Enterprise accounts.

To implement these protective measures, new users should create a free account in 0patch Central, start the available trial, and install and register the 0patch Agent. 

The process requires no system reboots, and patch deployment occurs automatically, providing immediate protection against this zero-day vulnerability while awaiting Microsoft’s official fix.

The post New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials – Unofficial Patch appeared first on Cyber Security News.

rssfeeds-admin
