A critical security vulnerability affecting all Windows versions from Windows 7 to Windows 11 24H2 has been uncovered by the 0patch security team. This zero-day flaw lets attackers capture NTLM credentials when a user merely views a malicious file in Windows Explorer; no click on the file and no file execution is required.
The vulnerability works by triggering an outbound NTLM connection to a remote share when a user views a specially crafted file. That connection automatically exposes NTLM hashes, which attackers can potentially crack offline to obtain login credentials.
Key Points:
– Affects all Windows versions from Windows 7/Server 2008 R2 to Windows 11 24H2/Server 2022
– No official fix from Microsoft currently available
– Requires no user interaction beyond viewing the crafted file (for example, opening the folder that contains it)
– Can be triggered through shared folders, USB drives, or downloaded files
Mitigation Options:
1. Install 0patch’s free micropatch (available to registered users)
2. Disable NTLM authentication via Group Policy
3. Configure “Network security: Restrict NTLM” policies
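The following PowerShell is an added example, not code from 0patch or the article: it reads the registry values that back the "Network security: Restrict NTLM" and LmCompatibilityLevel policies and lists recent audit events for outgoing NTLM, so the block can be staged as audit first, then deny. The function names are my own; the registry paths, value meanings, log name and event ID 8001 are the documented Windows ones. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the 0patch report). Audits the "Restrict NTLM" state on this host
# and shows which remote servers the host has sent (or tried to send) NTLM to.
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-NtlmRestrictionState {
    # A missing value means "not configured", so Windows' default (allow) applies.
    $get = { param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }

    [pscustomobject]@{
        # Outgoing NTLM to remote servers: the setting relevant to this credential-leak class
        RestrictSendingNTLMTraffic   = & $get $msv 'RestrictSendingNTLMTraffic'
        # Incoming NTLM to this host: 0 allow all, 1 deny domain accounts, 2 deny all
        RestrictReceivingNTLMTraffic = & $get $msv 'RestrictReceivingNTLMTraffic'
        # Audit incoming NTLM: 0 disabled, 1 audit domain accounts, 2 audit all
        AuditReceivingNTLMTraffic    = & $get $msv 'AuditReceivingNTLMTraffic'
        # 5 = send NTLMv2 only and refuse LM/NTLM responses
        LmCompatibilityLevel         = & $get $lsa 'LmCompatibilityLevel'
    }
}

function Get-OutgoingNtlmAuditEvents {
    param([int]$Hours = 24)
    # Event 8001 in the NTLM Operational log records outgoing NTLM authentication to a
    # remote server that was audited or blocked; its message names the target server.
    # Unexpected destinations (especially hosts outside the network) are what to review.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$state = Get-NtlmRestrictionState
$state | Format-List
if ($state.RestrictSendingNTLMTraffic -ne 2) {
    Write-Warning 'Outgoing NTLM to remote servers is not blocked (RestrictSendingNTLMTraffic is not 2).'
    Write-Warning 'Set it to 1 (audit) first, review 8001 events for legitimate targets, then move to 2 (deny).'
}
Get-OutgoingNtlmAuditEvents -Hours 24 | Format-Table -AutoSize
```

Moving straight to deny (2) can break access to legitimate servers that only support NTLM, which is why the script recommends the audit step; add any such servers to the "Add remote server exceptions for NTLM authentication" policy before enforcing.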
This vulnerability joins other unpatched NTLM-related flaws like PetitPotam, PrinterBug, and DFSCoerce. While Microsoft plans to eventually phase out NTLM authentication in Windows 11, current systems remain vulnerable without proper mitigation measures in place.