National Computer Emergency Response Team (National CERT) has issued an advisory regarding a critical zero-day vulnerability affecting Microsoft Windows operating systems. The vulnerability allows attackers to steal NTLM credentials by viewing a malicious file in Windows Explorer.
This exploit does not require the victim to open the file, making it especially dangerous. Microsoft has not yet released an official patch for the issue, and immediate mitigation steps are essential to safeguard systems from potential exploitation.
According to the advisory, the vulnerability affects all Windows versions from Windows 7 through Windows 11 24H2, including Windows Server 2022. The flaw exposes user login names and plaintext passwords, which can be used by attackers to move laterally across networks, escalate privileges, and ultimately gain unauthorized access to sensitive systems, data, and networks.
The issue is particularly concerning because it can be triggered by simply viewing a malicious file located on USB drives, shared folders, or other network locations, without any action required from the user.
The advisory outlines several immediate steps to mitigate the risks posed by this vulnerability. National CERT recommends disabling NTLM authentication where feasible by configuring Group Policy settings. Systems should also be set to block outbound NTLM connections to untrusted servers and external networks using firewalls or equivalent tools. Together, these measures limit the system's exposure to NTLM weaknesses and prevent NTLM credentials from being transmitted to attackers.
To strengthen defenses, the advisory calls for further hardening measures, such as enabling Windows Defender Credential Guard in enterprise environments to isolate and protect NTLM credentials. Additionally, enforcing 128-bit encryption for NTLM sessions and configuring registry settings to require NTLMv2 can help reduce the risk of exploitation. Organizations should also apply Microsoft Defender's attack surface reduction rules to block outbound NTLM traffic to untrusted servers and prevent credential theft techniques.
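The registry-backed controls the advisory names (require NTLMv2, require 128-bit NTLM session security, restrict outgoing NTLM, enable Credential Guard) can be audited and enforced with a short script. The following is an added example, not code from the National CERT advisory or from Microsoft; it uses the standard Windows LSA, MSV1_0 and DeviceGuard registry locations that back the corresponding Group Policy settings and assumes it is run elevated on a test host before any production rollout.

```powershell
# Audits (and with -Enforce, sets) the NTLM hardening described in the advisory.
# Run as Administrator and reboot afterwards. LmCompatibilityLevel 5 and
# RestrictSendingNTLMTraffic 2 will break devices that only speak LM/NTLMv1,
# so validate on a non-production host first.
[CmdletBinding()]
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

# Desired baseline. 0x20080000 = 0x00080000 (require NTLMv2 session security)
# + 0x20000000 (require 128-bit encryption).
$baseline = @(
    @{ Path=$lsa; Name='LmCompatibilityLevel';       Value=5;          Why='send NTLMv2 only, refuse LM and NTLMv1' }
    @{ Path=$msv; Name='NtlmMinClientSec';           Value=0x20080000; Why='NTLMv2 session security + 128-bit (client)' }
    @{ Path=$msv; Name='NtlmMinServerSec';           Value=0x20080000; Why='NTLMv2 session security + 128-bit (server)' }
    @{ Path=$msv; Name='RestrictSendingNTLMTraffic'; Value=2;          Why='deny all outgoing NTLM to remote servers (1 = audit only)' }
    @{ Path=$dg;  Name='EnableVirtualizationBasedSecurity'; Value=1;   Why='VBS prerequisite for Credential Guard' }
    @{ Path=$lsa; Name='LsaCfgFlags';                Value=1;          Why='Credential Guard enabled with UEFI lock' }
)

$drift = 0
foreach ($item in $baseline) {
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    $ok = ($null -ne $current) -and ($current -eq $item.Value)
    $state = if ($ok) { 'OK   ' } else { 'DRIFT' }
    $shown = if ($null -eq $current) { '<missing>' } else { $current }
    Write-Host ('[{0}] {1}\{2} = {3} (want {4}) : {5}' -f $state, $item.Path, $item.Name, $shown, $item.Value, $item.Why)
    if (-not $ok) {
        $drift++
        if ($Enforce) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
        }
    }
}
Write-Host "$drift setting(s) out of baseline$(if ($Enforce) { ' (corrected, reboot required)' })"

# Before moving RestrictSendingNTLMTraffic from 1 (audit) to 2 (deny), review what
# would break: event 8001 in the NTLM operational log records each outgoing NTLM
# authentication together with the target server name.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-NTLM/Operational'; Id=8001 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

if ($drift -gt 0 -and -not $Enforce) { exit 1 }   # non-zero exit for compliance pipelines
```

Run without arguments to report drift only; a populated 8001 event list means a deny setting would block those destinations, so stage the rollout with audit mode first.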
Users should be educated on the dangers of interacting with suspicious files, particularly those received via email attachments, USB drives, or shared folders. Promoting secure password practices, including strong, unique passwords and regular rotations, can further reduce the risk of credential theft. Organizations should also prioritize secure file-sharing tools over unsecured methods that could expose them to malicious files.
In the long term, National CERT recommends migrating to modern authentication methods such as Kerberos or certificate-based authentication to reduce reliance on NTLM. Phasing out legacy systems that depend on NTLM and implementing secure infrastructure aligned with best practices will help strengthen cybersecurity resilience.