New Windows Zero-Day Exposes NTLM Credentials, Gets Unofficial Patch

A new zero-day vulnerability has been discovered in Windows that allows attackers to capture NTLM credentials simply by tricking the target into viewing a malicious file in Windows Explorer. The flaw was reported to Microsoft and currently affects all versions of Windows from Windows 7 and Server 2008 R2 up to Windows 11 24H2 and Server 2022.

The vulnerability, which has no CVE ID, works by forcing an outbound NTLM connection to a remote share, which causes Windows to automatically send the logged-in user's NTLM hashes to that share. These hashes can be cracked, allowing threat actors to obtain login names and plaintext passwords.

Microsoft announced plans to kill off the NTLM authentication protocol in Windows 11 but has not yet released an official fix. In response, 0patch, a platform providing unofficial support for end-of-life Windows versions, is offering a free micropatch for users until Microsoft provides a patch.

The micropatch can be applied automatically through 0patch’s platform or manually by configuring Group Policy settings or registry modifications. However, administrators are warned that these changes may cause disruption to NTLM networking in their environment.
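The manual mitigation the article refers to is the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy. The following PowerShell is an added example, not code from the article or from 0patch, that reads the policy, switches it to audit mode first, and lists the audit events so an administrator can see which hosts still rely on outbound NTLM before moving to deny mode; the registry path, value name and event ID are Microsoft's documented ones for this policy, not details from the article.

```powershell
# Added example: inspect and stage the "Restrict NTLM: Outgoing NTLM traffic to
# remote servers" policy. Registry location, value semantics and event ID are
# Microsoft's documented ones; they do not come from the article above.
# Run in an elevated PowerShell session.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Value   = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all
$Meaning = @{ 0 = 'Allow all (default)'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutboundNtlmPolicy {
    $current = (Get-ItemProperty -Path $LsaPath -Name $Value -ErrorAction SilentlyContinue).$Value
    if ($null -eq $current) { $current = 0 }   # an absent value behaves as "allow all"
    [pscustomobject]@{ Setting = $current; Meaning = $Meaning[[int]$current] }
}

function Set-OutboundNtlmPolicy {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    # Go to audit (1) before deny (2): audit logs every outbound NTLM
    # authentication without breaking it, which is how you find the legitimate
    # consumers the article's disruption warning is about.
    New-ItemProperty -Path $LsaPath -Name $Value -Value $Mode -PropertyType DWord -Force | Out-Null
    Get-OutboundNtlmPolicy
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Hours = 24)
    # Event ID 8001 in the NTLM operational log records outgoing NTLM
    # authentication to a remote server once audit or deny mode is active.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: inspect the current setting, then (after review) move to audit mode
# and check the log before considering deny mode.
Get-OutboundNtlmPolicy
# Set-OutboundNtlmPolicy -Mode 1
# Get-OutboundNtlmAuditEvents -Hours 24
```

Hosts that legitimately need outbound NTLM can be listed in the ClientAllowedNTLMServers exception value under the same key before deny mode is enabled.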

Source: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch