🚨 New Windows Zero-Day Exploit Exposes NTLM Credentials 🚨

A critical zero-day vulnerability has been uncovered in Windows, enabling attackers to steal NTLM credentials simply by having the target view a file in Windows Explorer, with no need to open it. This alarming exploit affects all Windows versions from Windows 7 to Windows 11 24H2 and Server 2022. When a malicious file is viewed, it triggers an outbound NTLM connection, leaking user credentials like login names and plaintext passwords, putting systems at risk of full compromise.

This vulnerability is part of a worrying trend, marking the third NTLM credential theft exploit discovered recently. It joins other unaddressed flaws such as the Mark of the Web (MotW) bypass, the Windows Themes exploit, and older threats like PetitPotam and DFSCoerce, highlighting systemic weaknesses in credential security.

The default port for NTLM authentication is port 445, which is primarily used for SMB (Server Message Block) communication. If this port is open and accessible, attackers can exploit NTLM credential leaks, especially in untrusted network environments. This could allow unauthorized access to sensitive systems and, when combined with other attack vectors, enable further actions such as lateral movement or establishing command-and-control (C&C) infrastructure. Therefore, securing port 445 is critical to mitigate such risks.
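One way to act on the port 445 point above, as an added example that is not part of the original post: audit current outbound SMB connections, then add a Windows Defender Firewall rule that blocks outbound TCP 445 to Internet addresses while leaving SMB to the local network untouched. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server; the rule name and description are my own choices.

```powershell
# Added example (not from the original post): block outbound SMB/NTLM (TCP 445)
# to Internet addresses with Windows Defender Firewall, after listing current
# outbound 445 connections so an administrator can review them first.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server.

# 1. Audit: which processes currently hold outbound TCP 445 connections?
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, OwningProcess,
        @{ Name = 'Process'
           Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 2. Mitigate: block outbound TCP 445 to public (Internet) addresses only, so
#    SMB to file servers on LocalSubnet / Intranet keeps working. The rule
#    name and description below are placeholders chosen for this example.
$ruleName = 'Block outbound SMB (TCP 445) to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any `
        -Description 'Prevents NTLM credential leaks via outbound SMB to untrusted networks.'
}

# 3. Verify: the rule exists, is enabled, and blocks the outbound direction.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

The `Internet` keyword in `-RemoteAddress` excludes local-subnet and intranet ranges, so domain file shares keep working while SMB to arbitrary external hosts is dropped at the firewall.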

Original post shared by Juan Pablo Castro on LinkedIn: https://www.linkedin.com/posts/jpcastro_cybersecurity-zeroday-windows-activity-7270939113438998528-yVyK?utm_source=share&utm_medium=member_desktop
