New Windows Zero-Day Vulnerability Steals User Credentials via Themes
Researchers have uncovered a new vulnerability in the Windows theme-handling code that lets attackers remotely steal NTLM credentials. The issue affects all versions of Windows, from 7 through 11, despite prior security updates.
NTLM exploitation has long been used in relay attacks, where hackers compel vulnerable devices to connect to attacker-controlled servers, gaining access to sensitive data. Microsoft has already announced its intent to phase out NTLM in future versions of Windows 11.
A researcher at ACROS Security discovered this new vulnerability while developing a micropatch for the previously identified CVE-2024-38030, which also affected theme settings and was first described by an Akamai researcher. That earlier flaw leaked credentials when Windows resolved network paths specified in theme parameters such as the wallpaper or branding image.
The newly detected zero-day vulnerability proves particularly insidious: according to Mitja Kolsek, CEO of ACROS Security, merely displaying a malicious file in Windows Explorer is sufficient to automatically transmit user credentials, even without file execution or direct application of the theme.
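Because the leak is triggered by image entries in a .theme file that point at a network path, a defender can triage suspicious theme files before they are opened. The scanner below is an added example, not ACROS or Akamai code; it assumes the standard .theme INI layout (the Wallpaper, BrandImage and ImagesRootPath keys) and flags any of those entries whose value is a UNC path.

```python
"""Scan Windows .theme files for image entries that point at network (UNC) paths."""
import configparser
import re

# (section, key) pairs whose values are image paths a theme loads. These are
# standard .theme INI entries; picking these three to inspect is this example's choice.
IMAGE_KEYS = (
    ("Control Panel\\Desktop", "Wallpaper"),
    ("Theme", "BrandImage"),
    ("Slideshow", "ImagesRootPath"),
)

# UNC forms: \\server\share, \\?\UNC\server\share and //server/share.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)(?P<host>[^\\/]+)", re.IGNORECASE)


def find_unc_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, host) for each image entry whose value is a UNC path."""
    # RawConfigParser: no % interpolation, since values like %SystemRoot% are common.
    # Decode the file first (Windows writes .theme files as UTF-16 or ANSI).
    parser = configparser.RawConfigParser(strict=False, empty_lines_in_values=False)
    parser.read_string(theme_text)
    sections = {name.lower(): name for name in parser.sections()}  # case-insensitive
    findings = []
    for section, key in IMAGE_KEYS:
        real = sections.get(section.lower())
        if real is None or not parser.has_option(real, key):
            continue
        value = parser.get(real, key).strip().strip('"')
        match = UNC_RE.match(value)
        if match:
            findings.append((real, key, match.group("host")))
    return findings


# Constructed sample: a local wallpaper, but a brand image hosted on a remote share.
SAMPLE_THEME = """\
[Theme]
DisplayName=Sample
BrandImage=\\\\fileserver.example.test\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
"""

if __name__ == "__main__":
    for section, key, host in find_unc_references(SAMPLE_THEME):
        print(f"[{section}] {key} points at network host {host}")
```

Any hit means that opening or even browsing the file on a machine that still sends outgoing NTLM will make Windows contact that host, so such files deserve a closer look before they reach a user's desktop.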
A demonstration of this attack on the latest version of Windows 11, 24H2, is available in the video below:
As a temporary measure, ACROS Security recommends installing its 0patch service to apply an unofficial security patch; whether to do so is each user's decision. Microsoft has acknowledged the issue and announced that an official update is forthcoming.
While awaiting an official patch, users can employ precautionary measures suggested by Microsoft, such as blocking NTLM hash usage through Group Policy, as outlined in the CVE-2024-21320 advisory.
Kolsek clarified that the new vulnerability does not impact Windows Server in its standard configuration, as themes are not used without the additional Desktop Experience component. However, data leakage can still occur on servers if a theme is directly applied, though not merely by viewing in Explorer.