User Credentials Could Be Exposed Due to Recurring Windows Flaw


Critical 0-Day Vulnerability in All Versions of Windows Clients Allows Attackers to Capture NTLM Hashes

A recent discovery by researchers at ACROS Security has revealed a critical 0-day vulnerability present in all versions of Windows clients, including Windows 7 through the most current Windows 11 editions. This vulnerability could potentially expose users to the risk of having their NTLM authentication hashes captured by malicious attackers.

The flaw was initially brought to Microsoft’s attention by the researchers at ACROS Security, who identified the issue while working on a patch for an older Windows vulnerability known as CVE-2024-38030. This vulnerability, which was addressed by Microsoft in their July security update, was classified as a medium-severity Windows Themes spoofing vulnerability.

The newly discovered vulnerability is believed to be a variant of the two previously reported vulnerabilities in Windows theme file handling. Specifically, it enables an authentication coercion attack: a crafted theme file tricks the vulnerable device into sending the user's NTLM authentication hash, which is derived from the user's password, to a system the attacker controls.

According to Tomer Peled, a researcher at Akamai who also identified one of the earlier Windows themes spoofing vulnerabilities, the flaw arises from how Windows themes handle file paths for certain image resources. By manipulating these paths, an attacker can exploit the system’s authentication process to obtain sensitive user information.

Microsoft has acknowledged the report from ACROS Security and stated that they will take necessary actions to safeguard their customers. While the company has not assigned a CVE identifier to this new vulnerability yet, experts advise organizations to consider disabling NTLM where possible to mitigate the risk of exploitation. Additionally, users are advised to be cautious when handling theme files and downloading content from unknown sources to prevent potential attacks.
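The two defensive checks that follow from the article, as an added PowerShell example that is not from the article, ACROS Security, Akamai or Microsoft: first, report what the host's outgoing-NTLM restriction policy is set to (the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting, stored in the documented `RestrictSendingNTLMTraffic` registry value); second, scan a `.theme` file for image or wallpaper values that point at a UNC share, since a theme resource path resolving to a remote host is what triggers the coercion the article describes. The article names no specific theme keys, so the scanner flags any value in any section that is a UNC path or `file://` URL rather than assuming particular key names. The sample theme file and its `203.0.113.5` address are constructed for the demonstration.

```powershell
# Added example, not code from the article or the vendors it cites.
# Assumptions: RestrictSendingNTLMTraffic under Lsa\MSV1_0 (0 = allow, 1 = audit, 2 = deny)
# is the documented outgoing-NTLM policy value; any UNC or file:// value in a .theme
# file is treated as a remote resource worth reviewing.

function Get-OutgoingNtlmPolicy {
    # Reads the local policy that governs whether this client may send NTLM to remote servers.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
    switch ($item.RestrictSendingNTLMTraffic) {
        2       { return 'Deny all (outgoing NTLM to remote servers blocked)' }
        1       { return 'Audit all (outgoing NTLM logged to Microsoft-Windows-NTLM/Operational)' }
        default { return 'Allow all (no restriction configured)' }
    }
}

function Find-RemoteThemePaths {
    # Parses a .theme file (INI format) and returns every value that points at a UNC share
    # or a file:// URL, i.e. a resource Windows would fetch over the network.
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $section  = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=;]+)=(.*)$') {
            $name  = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            # \\host\share\... or file://... means the image is resolved on a remote host,
            # which is where an SMB connection (and NTLM authentication) would be initiated.
            if ($value -match '^\\\\[^\\]+\\' -or $value -match '^file://') {
                $findings += [pscustomobject]@{ Section = $section; Key = $name; Value = $value }
            }
        }
    }
    return $findings
}

# Constructed sample theme file (not a real artefact) to show the scanner's output.
$sample = Join-Path $env:TEMP 'sample-check.theme'
@"
[Theme]
DisplayName=Sample
[Control Panel\Desktop]
Wallpaper=\\203.0.113.5\share\wallpaper.jpg
Pattern=
"@ | Set-Content -Path $sample

Find-RemoteThemePaths -Path $sample | Format-Table -AutoSize
"Outgoing NTLM policy on this host: $(Get-OutgoingNtlmPolicy)"
Remove-Item -Path $sample -ErrorAction SilentlyContinue
```

Run it from an elevated prompt only if you also intend to change the policy; reading the value needs no elevation. On the sample file the scanner reports one finding (`Control Panel\Desktop` / `Wallpaper`), and a result of "Allow all" from the policy check means the host has no outgoing-NTLM restriction in place, which is the condition the article's advice to disable NTLM is aimed at. Setting the value to 1 (audit) first, and reviewing the NTLM operational log for legitimate outgoing NTLM before moving to 2, is the usual way to adopt that mitigation without breaking authentication to servers that still require it.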
