Oh boy, it’s raining zero days for Windows users right now. Just two weeks on from Microsoft confirming no less than six zero-day attacks impacting users in the Windows operating system, like London buses, another has belatedly arrived. The difference, however, is this latest threat to all users of Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025, has no official patch from Microsoft to fix it. This is a problem when you consider the endgame of an attacker exploiting this vulnerability is to steal password cases and bypass authentication protections. The good news is that there is a way to fix it, at least while you wait for Microsoft to act. Here’s what you need to know.
This Windows Password Hash Vulnerability Is So New It Doesn’t Have A Number Yet
A private message from Mitja Kolsek on the X social media platform dropped in my inbox late on March 25. I tend to take anything I receive from Kolsek seriously, as he’s the CEO of ACROS Security. This company develops and distributes unofficial security patches for zero-day vulnerabilities where no official fix is available. “We reported this to Microsoft and will not disclose details until they have issued an official patch,” was enough to trigger my journalistic intrigue and should be enough to trigger your desire to apply a temporary fix as well. Why so? Because, Kolsek explained, his researchers uncovered a vulnerability that “allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer.”
If this sounds familiar, there’s a good reason for that: I reported on a very similar Windows zero-day Dec. 6, 2024. Similar, but not the same. The “impact and attack scenarios of this issue are identical,” Kolsek said, but the latest vulnerability is different and not yet publicly discussed. As already mentioned, Kolsek isn’t going to be releasing the full technical details any time soon, at least not until Microsoft has issued a patch.
What we do know is that these NT Lan Manager vulnerabilities can enable an attacker to steal Windows credentials by simply tricking the user into viewing a malicious file. NTLM is a suite of Microsoft security protocols providing authentication, integrity and confidentiality to users. This is why the zero-day is of such importance, although it’s not thought of as critical. “These types of vulnerabilities are not critical,” Kolsek said, “and their exploitability depends on several factors.” But, and it’s a big but, they have been used in real-world attacks, and that’s all you need to know. Well, that and the minor detail that NTLM exploits, including relay attacks to bypass authentication and pass-the-hash attacks to steal credentials, are widely used to gain access to networks, with all that can bring to the hacking party.
As Microsoft Investigates, Windows Users Can Use This Temporary Fix
Given all of the above and the fact that a Microsoft spokesperson said, “We are aware of this report and will take action as needed to help keep customers protected,” which likely means waiting until the next Patch Tuesday at least, I’d recommend taking action now.
This is where Kolsek and his micro patch solution enter stage left. 0patch seeks to address the vulnerability gap, that time between a zero-day being discovered and an official patch being released, by providing free mini-fixes in the meantime. This works using a patching agent that analyzes processes and applies any new patch in memory without disturbing the process itself. “Since this is a 0day vulnerability with no official vendor fix available,” Kolsek said, “we are providing our micropatches for free until such fix becomes available.” If you use Windows, you know what to do.
