March 25, 2025 By Sergiu Gatlan
Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer.
NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).
Attackers then use the stolen hash to authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the network. Last year, Microsoft announced plans to retire the NTLM authentication protocol in future Windows 11 versions.
ACROS Security researchers discovered the new SCF File NTLM hash disclosure vulnerability while developing patches for another NTLM hash disclosure issue. This new zero-day hasn't been assigned a CVE-ID and affects all versions of Windows, from Windows 7 up to the latest Windows 11 releases and from Server 2008 R2 to Server 2025.
"The vulnerability allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," said ACROS Security CEO Mitja Kolsek on Tuesday.