
nCERT Issues Warning for Critical NTLM Zero-Day Vulnerability in Microsoft Windows

A critical zero-day vulnerability in Microsoft Windows exposes millions of users to NTLM credential theft. Affecting Windows 7 to Windows 11 24H2, the flaw allows attackers to steal login credentials by merely viewing a malicious file in Windows Explorer, without opening it. This compromises sensitive systems, data, and networks.

The vulnerability, which enables NTLM credential theft, is the third serious zero-day in recent months to affect the Windows OS across both personal and server editions, following the Mark of the Web (MOTW) bypass and the Windows Theme exploit. This weakness can be turned into an active threat and result in lateral movement across the network, privilege escalation, and, eventually, complete system compromise.

Immediate Action Required

Microsoft has not yet released the official patch, but National CERT has provided the most important measures to prevent this risk. The advisory calls for immediate action, including:

  • Disabling NTLM Authentication: Enforce Group Policy settings to allow only NTLMv2 or disable NTLM altogether. Additionally, restrict NTLM traffic to trusted servers only.
  • Blocking Outbound NTLM Connections: Configure firewalls to block NTLM connections to untrusted servers and external networks.
  • System Hardening: Enable Windows Defender Credential Guard, configure secure NTLM settings, and leverage Microsoft Defender’s exploit prevention tools to prevent unauthorized access.

To minimize exposure, National CERT recommends that organizations segment their network, separate core systems from less secure infrastructure, and analyze NTLM traffic with a Security Information and Event Management (SIEM) system. Access to files should also be tightly limited: restrict file access privileges, turn off the preview pane in Windows Explorer, and grant access only where strictly required.
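As an added example (not part of the nCERT advisory), the following read-only PowerShell audit checks the registry values behind the Group Policy settings named above (NTLMv2 only, restrict outgoing NTLM, Credential Guard) and looks for an outbound SMB block rule; the registry paths and value meanings are Microsoft-documented, while the firewall rule name is an assumed placeholder.

```powershell
# Added example: audit the NTLM hardening state the advisory asks for.
# Run in an elevated PowerShell session. Read-only: it changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$findings = @()

# 1. "Allow only NTLMv2": LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    $findings += "LmCompatibilityLevel is '$lmLevel' (want 5: NTLMv2 only, refuse LM/NTLM)"
}

# 2. "Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    RestrictSendingNTLMTraffic 0 = allow all, 1 = audit all, 2 = deny all.
$outgoing = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
if ($outgoing -ne 2) {
    $findings += "RestrictSendingNTLMTraffic is '$outgoing' (want 2: deny all; list trusted servers in ClientAllowedNTLMServers)"
}
$allowed = Get-RegValue $msv 'ClientAllowedNTLMServers'
if ($allowed) { Write-Host "NTLM exception list: $($allowed -join ', ')" }

# 3. Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
$cg = Get-RegValue $lsa 'LsaCfgFlags'
if ($cg -notin @(1, 2)) {
    $findings += "Credential Guard LsaCfgFlags is '$cg' (want 1 or 2)"
}
# Confirm it is actually running, not only configured: Win32_DeviceGuard reports 1 for Credential Guard.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
if ($cg -in @(1, 2) -and $dg -and $dg.SecurityServicesRunning -notcontains 1) {
    $findings += 'Credential Guard is configured but not reported as running'
}

# 4. "Block outbound NTLM to untrusted networks": look for an outbound block of SMB (TCP 445)
#    to Internet addresses. The rule name below is an assumed placeholder; adapt it to your naming.
$ruleName = 'Block outbound SMB to Internet (NTLM hardening)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += "No firewall rule '$ruleName'; create it with: New-NetFirewallRule -DisplayName '$ruleName' -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block"
}

if ($findings.Count -eq 0) { Write-Host 'All checked NTLM hardening settings are in place.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Setting RestrictSendingNTLMTraffic to 1 (audit) first and reviewing the resulting NTLM audit events before moving to 2 (deny) avoids breaking legitimate legacy connections.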

User awareness is also a defense against this vulnerability. National CERT suggests raising users' awareness of file-based risks, enforcing strict password policies, and advocating safe file sharing. Users should be taught not to work with files received from unknown sources, for example by email or on a flash drive.

Long-Term Strategy for Resilience

To limit the use of NTLM, organizations need to move to safer authentication methods, for example Kerberos or certificate-based authentication. Removing dependence on NTLM in currently deployed legacy systems will also strengthen security and bring infrastructure into compliance.

Organizations also need to constantly monitor access logs, raise alarms on detected anomalies, and have a rapid response plan for containing and recovering from a breach. Following these recommendations to the letter is crucial now, while Microsoft is still preparing the patch, to avoid potentially dangerous situations.

National CERT stresses that the absence of these measures would result in serious breaches, data theft, and critical system compromise. The steps highlighted above are important to prevent systems from being exploited.

Published by
Tehniyat Zafar