NEWS 0Day in Windows: Access to Confidential Data Without a Single Click

Doni

One malicious SCF file jeopardizes the entire victim system.
A new zero-day vulnerability in Windows allows attackers to steal users’ NTLM hashes simply by tricking them into opening a malicious file in File Explorer.
The flaw discovered by ACROS Security specialists has not yet received an official CVE identifier, but it has already been recognized as dangerous—it affects all versions of Windows, from Windows 7 to the latest builds of Windows 11, as well as server releases from Server 2008 R2 to Server 2025.

The vulnerability essentially allows NTLM credentials to be leaked if the user merely views a folder containing a specially crafted SCF file. For example, when opening a USB drive, network folder, or even the local “Downloads” directory—where such a file might have been automatically saved from an attacker’s webpage—the NTLM hash is automatically sent to an external server.

NTLM has long been used in attacks such as NTLM relay and pass-the-hash, where attackers force a device to authenticate on a controlled server, intercept the password hash, and use it for authentication on behalf of the victim. This enables them to infiltrate secure segments of the network, access sensitive information, and escalate the attack further.

Although such vulnerabilities are not considered critical due to several operational conditions—for instance, the need for internal network access or the availability of an external relay target—they are still actively exploited in real-world attacks. These methods have already been employed against public services, including Exchange servers.
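The attacks described above depend on the victim machine reaching an attacker-controlled SMB server, so one defensive check is to audit firewall logs for outbound SMB (TCP 445/139) to addresses outside the organisation's private ranges. The following script is an added example, not code from the article, ACROS or 0patch; it assumes a simplified, constructed firewall log format and uses the IANA documentation ranges (203.0.113.0/24, 198.51.100.0/24) as stand-ins for Internet addresses.

```python
"""Flag outbound SMB connections to non-private destinations in a firewall log.

Added example (not from the article). The log format below is constructed:
    <timestamp> <ACTION> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports on which Windows attempts NTLM authentication when a UNC path is resolved.
SMB_PORTS = {445, 139}

# Ranges treated as "internal"; anything else counts as external. Listed explicitly
# rather than via ipaddress.is_private so that documentation ranges used in the
# constructed sample are classified as external, as real Internet hosts would be.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample: one internal share access, one leak to an external host
# that the firewall allowed, one ordinary HTTPS flow, one leak the firewall blocked.
SAMPLE_LOG = """\
2025-03-27T10:00:01Z ALLOW proto=tcp src=10.0.0.15:51022 dst=10.0.0.5:445
2025-03-27T10:00:02Z ALLOW proto=tcp src=10.0.0.15:51023 dst=203.0.113.7:445
2025-03-27T10:00:03Z ALLOW proto=tcp src=10.0.0.15:51024 dst=93.184.216.34:443
2025-03-27T10:00:04Z DENY proto=tcp src=10.0.0.22:51030 dst=198.51.100.9:445
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    return rec


def is_external(ip_str):
    """True when the address is outside every INTERNAL_NETS range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb_to_external(log_text):
    """Return records of TCP SMB connections whose destination is external.

    Both ALLOW and DENY entries are returned: a DENY shows the egress filter
    doing its job, an ALLOW is a host that may have leaked an NTLM hash.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            findings.append(rec)
    return findings


def summarise(findings):
    """Count findings by firewall action, e.g. {'ALLOW': 1, 'DENY': 1}."""
    counts = {}
    for rec in findings:
        counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_outbound_smb_to_external(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["action"]:5} {rec["src"]} -> {rec["dst"]}:{rec["dport"]}')
    print("summary:", summarise(hits))
```

Any ALLOW entry in the output is a host worth triaging, since an internal client has no ordinary reason to speak SMB to the Internet; a steady stream of DENY entries for port 445 is what the egress block that mitigates this class of leak looks like in practice.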

The company has already released free unofficial patches through its own micro-patching service, 0patch. The patches are available for all supported versions of Windows. After launch, the 0patch agent applies the patch automatically, without requiring a system reboot—unless local security policies prevent it.

ACROS has submitted a vulnerability report to Microsoft, but until an official update is released, the company is not disclosing technical details. This is standard practice to restrict hackers’ capabilities until the official patch is available. Microsoft has confirmed that it received the notification and will take measures to protect users.

Recently, Microsoft released its March security updates for Patch Tuesday 2025, addressing 57 vulnerabilities, including 6 actively exploited zero-days. Among the issues fixed are 6 critical vulnerabilities that allow remote code execution.