
A newly discovered zero-day vulnerability in Windows enables threat actors to steal users' NTLM hashes simply by luring them into viewing a folder that contains a malicious file in File Explorer.
The flaw, identified by researchers at ACROS Security, has yet to receive an official CVE designation but is already considered dangerous. It affects all versions of Windows, from Windows 7 to the latest builds of Windows 11, including server editions ranging from Server 2008 R2 to Server 2025.
At its core, the vulnerability permits the leakage of NTLM credentials when a user merely views a folder containing a specially crafted SCF file. In practice, this means that upon opening a USB drive, a network share, or even a local Downloads directory—where such a file might have been silently saved from a malicious web page—the NTLM hash is automatically transmitted to an external server.
NTLM has long been exploited in NTLM relay and pass-the-hash attacks, where adversaries compel a device to authenticate against a controlled server, intercept the password hash, and reuse it to impersonate the victim. This allows attackers to infiltrate restricted network segments, gain access to sensitive information, and escalate the breach further.
Though vulnerabilities of this kind are not typically deemed critical—owing to factors such as the need for internal network access or an external relay point—they remain actively exploited in real-world attacks. Similar methods have already been employed against public-facing services, including Microsoft Exchange servers.
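The article names the trigger (an SCF file in a folder the user views) and the consequence (an NTLM authentication sent to an external server). The following PowerShell is an added defensive example, not code from the article, ACROS Security or 0patch: it inventories .scf files in the drop locations the article mentions (user Downloads folders and removable drives), adds a host-firewall rule that blocks outbound SMB to non-local addresses so a leaked hash cannot leave the network, and reports the outgoing-NTLM restriction policy. The `C:\Users` profile root, the rule name, and the use of the firewall's built-in `Internet` address keyword are assumptions; run it in an elevated session.

```powershell
# Added defensive example; not code from the article, ACROS Security or 0patch.
# Assumptions: user profiles live under C:\Users, and the rule name
# 'Block outbound SMB to Internet' is free to use. Run elevated.

# --- 1. Inventory .scf files in the drop locations the article names ---------
# A stray .scf in a Downloads folder or on a removable drive is unusual enough
# to be worth reviewing; merely viewing such a folder is the trigger described.
function Find-SuspiciousScf {
    $roots = @()
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { $roots += Join-Path $_.FullName 'Downloads' }
    # DriveType 2 = removable media (USB sticks and the like)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $roots += ($_.DeviceID + '\') }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter '*.scf' -File -Recurse -Force `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Bytes        = $_.Length
                    LastWritten  = $_.LastWriteTime
                    # Files saved from a browser carry a Zone.Identifier stream,
                    # which matches the "silently saved from a web page" scenario.
                    FromInternet = [bool](Get-Item -LiteralPath $_.FullName `
                                       -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
                }
            }
    }
}

# --- 2. Stop the hash from leaving the network ------------------------------
# The leak needs an outbound SMB connection to the attacker's server, so block
# TCP 445 to non-local addresses at the host firewall. 'Internet' is the
# Windows Firewall keyword for addresses outside the local subnets (assumed
# acceptable here; use explicit ranges if your network needs finer control).
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress 'Internet' -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

# --- 3. Report the outgoing-NTLM policy -------------------------------------
# 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
# is stored in RestrictSendingNTLMTraffic (0 = allow, 1 = audit, 2 = deny).
function Get-OutgoingNtlmPolicy {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
                  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { 'Deny all (outgoing NTLM blocked)' }
        1       { 'Audit all' }
        default { 'Allow all (policy not set)' }
    }
}

Find-SuspiciousScf | Format-Table -AutoSize
Block-OutboundSmbToInternet | Select-Object DisplayName, Enabled, Action
Get-OutgoingNtlmPolicy
```

The firewall rule only stops the leak to hosts reached over the Internet; an attacker-controlled share inside the LAN is still reachable, which is why the NTLM restriction policy and the 0patch fix matter alongside it. Setting the policy to "Deny all" can break legitimate NTLM logons to servers that do not support Kerberos, so audit mode is the usual first step.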
ACROS has released unofficial, free patches through its 0patch micro-patching service. The fixes are available for all supported versions of Windows. Once the 0patch agent is running, it applies the patch automatically and without a system reboot, provided that local security policies permit it.
ACROS has submitted a detailed vulnerability report to Microsoft, but in accordance with responsible disclosure practices, technical specifics will remain undisclosed until an official update is issued. Microsoft has confirmed receipt of the report and pledged to take appropriate steps to safeguard its users.