Introduction
A critical zero-day vulnerability has been identified in all supported versions of Windows [3] [4], affecting the NTLM security protocols. This vulnerability allows attackers to capture NTLM credentials with minimal user interaction [1], posing significant security risks. Microsoft plans to release an official patch, but in the meantime, free micropatches are available to mitigate the threat.
Description
A critical zero-day vulnerability has been confirmed [2] [3] [4] [9], affecting all supported versions of Windows [3] [9], from Windows 7 and Server 2008 R2 to Windows 11 (v24H2) and Server 2022 [5] [6] [8]. This flaw targets Windows NT LAN Manager (NTLM) [9], a suite of Microsoft security protocols responsible for user authentication [9], integrity [9], and confidentiality [9]. Attackers can exploit this vulnerability to capture NTLM credentials with minimal user interaction by tricking users into viewing a specially crafted malicious file in the Windows Explorer file management utility. This zero-click exploit triggers an outbound NTLM connection to a remote share [2], leading to the automatic transmission of the logged-in user's NTLM hashes [8], which can subsequently be cracked to reveal plaintext usernames and passwords [8]. Notably, exploiting this vulnerability does not require the user to open or execute the file [6], making it particularly dangerous [6]. Mitja Kolsek [3], CEO of ACROS Security [3], emphasized that the ease of exploitation varies with several factors, so exploitable instances are hard to identify without actually attempting exploitation [3].
Microsoft has classified the vulnerability as having moderate severity and plans to release an official patch in April [3]. Currently, there is no official patch or Common Vulnerabilities and Exposures (CVE) allocation for this vulnerability [9]. In the meantime, researchers have developed and released free micropatches via the 0patch platform to protect users until the official fix is available. These micropatches cover various Windows versions—including Windows 10 (v22H2) [5], Windows 11 (versions 22H2, 23H2 [5], and 24H2) [5], and multiple Server editions—and can be applied seamlessly without requiring system reboots. However, it is advised to test the micropatch on non-critical devices before broader deployment [8], as it may disrupt legitimate NTLM networking [8]. Organizations using the 0patch Agent can implement these fixes immediately [5].
This is the third NTLM credential leak zero-day reported by ACROS to Microsoft since October [3], following previous issues related to a Windows Themes spoofing problem and a “Mark of the Web” vulnerability on Server 2012, both of which are still awaiting official patches [6]. Additionally, three known NTLM-related vulnerabilities—PetitPotam [5], PrinterBug/SpoolSample [3] [5], and DFSCoerce—remain unpatched and continue to pose risks to organizations using NTLM authentication [5].
While Microsoft deprecated support for the NTLM authentication protocol in June 2023 [7], advising users to move to the Kerberos authentication protocol in future Windows 11 versions, modern NTLM vulnerabilities still affect these systems [7], particularly older versions like Windows 7 [7], which will not receive patches [7]. Windows 10 is also at risk as its support ends in October 2024 [7], increasing the likelihood of unpatched vulnerabilities. 0patch has committed to providing ongoing security updates for unsupported Windows versions [5], including Windows 10 [4] [5] [6], even after its end-of-support date in October 2025 [5], ensuring continued protection against emerging threats [5]. Although no attacks exploiting this NTLM vulnerability have been reported in the wild yet [7], and existing security solutions may help mitigate the risk [7], the situation underscores the urgency for Microsoft to release official patches for this and other vulnerabilities [7]. Users are advised to implement the available micropatches and exercise caution with files from untrusted sources [6]; robust security practices and monitoring for suspicious activity remain essential [6].
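As an added example (not code from the cited articles or from 0patch), the following PowerShell check is one a Windows administrator could run alongside the micropatch: it reports and audits the host's outgoing-NTLM restriction and blocks outbound SMB to Internet addresses, which is the path the leak described above takes. It assumes the standard MSV1_0 registry value, the NetSecurity firewall cmdlets, and that audited outgoing NTLM authentications appear as event 8001 in the NTLM/Operational log.

```powershell
# Added example (not from the cited articles): audit and restrict outbound NTLM
# on a Windows host so that a crafted file viewed in Explorer cannot silently
# send the user's NTLM hash to a remote share. Run in an elevated PowerShell.
# Assumptions: standard MSV1_0 registry path and NetSecurity cmdlets; the
# NTLM/Operational log records audited outgoing authentications as event 8001.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit, 2 = deny all

# 1. Report the current policy (a missing value means the default "allow all").
$current = (Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
Write-Host "Outgoing NTLM restriction is currently: $current"

# 2. Move to audit mode first. Deny (2) blocks the leak outright but, like the
#    micropatch, can break legitimate NTLM networking; audit shows what would break.
if ($current -lt 1) {
    Set-ItemProperty -Path $lsaPath -Name $valueName -Value 1 -Type DWord
    Write-Host 'Set outgoing NTLM restriction to audit (1).'
}

# 3. Review what outgoing NTLM the host has attempted: each 8001 event names the
#    remote server, which is where an unexpected external share would show up.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 4. Independently of the policy, stop SMB from leaving the network at all: the
#    leak needs an outbound connection to a remote share on TCP 445/139.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host 'Added firewall rule blocking outbound TCP 445/139 to Internet addresses.'
}
```

Raise the registry value to 2 only after the 8001 audit events show no legitimate remote servers that would be cut off.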
Conclusion
The discovery of this zero-day vulnerability in Windows NTLM protocols highlights the ongoing security challenges faced by organizations relying on outdated authentication methods. While Microsoft is working on an official patch, the availability of micropatches provides a temporary safeguard. Organizations must remain vigilant, apply available patches, and transition to more secure authentication protocols like Kerberos to mitigate future risks. Continued monitoring and adherence to robust security practices are essential to protect against potential exploits.
References
[1] https://www.techepages.com/windows-zero-day-attackers-can-steal-ntlm-credentials-with-little-user-interaction/
[2] https://innovatecybersecurity.com/security-threat-advisory/weekly-top-10-12-9-2024-new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch-supply-chain-attack-detected-in-solanas-web3-js-library-snowblind-the-invisible-hand-of-secre/
[3] https://www.darkreading.com/application-security/microsoft-ntlm-zero-day-remain-unpatched-april
[4] https://www.neowin.net/news/all-windows-11-10-server-versions-affected-by-a-new-zero-day-unofficial-patch-out/
[5] https://cybersecuritynews.com/windows-zero-day-vulnerability/
[6] https://gbhackers.com/windows-ntlm-zero-day-vulnerability/
[7] https://www.tomshardware.com/tech-industry/cyber-security/zero-day-windows-ntlm-hash-vulnerability-gets-patched-by-third-party-credentials-can-be-hijacked-by-merely-viewing-a-malicious-file-in-file-explorer
[8] https://fieldeffect.com/blog/microsoft-investigates-potential-new-windows-zero-day-vulnerability
[9] https://www.forbes.com/sites/daveywinder/2024/12/07/new-windows-7-to-11-warning-as-zero-day-with-no-official-fix-strikes/