#WindowsVulnerability

2025-04-30

0-Click Exploit Alert: Just Opening a Folder Can Trigger Remote Code Execution on Windows 🚨

A newly disclosed vulnerability in Windows LNK (shortcut) files has raised serious red flags — and Microsoft isn't planning to patch it.

Here’s what happened:

- A security researcher publicly dropped a working Proof-of-Concept that allows remote code execution just by getting a user to open a folder.
- No clicks. No prompts. Just browsing a directory is enough to trigger the attack.
- The exploit abuses the way Windows Explorer parses LNK files using COM interfaces like `IInitializeNetworkFolder` and `IShellFolder2`.

Microsoft's official response?

They say it “does not meet the security bar for servicing,” citing the Mark of the Web (MOTW) feature as sufficient protection.

But researchers disagree:
- MOTW can be bypassed — and has been, repeatedly.
- Similar LNK exploits have been abused in the wild since at least 2010.
- Now that a PoC is public, it’s only a matter of time before threat actors exploit it.

This is a classic example of a silent threat lurking inside everyday workflows — and it reinforces a harsh truth in cybersecurity:

Not all exploits need user interaction. Some just need you to look.

If your business relies on Windows systems and file sharing, now’s the time to rethink folder access, tighten segmentation, and review endpoint defenses.

Efani protects mobile communications — but threats like these remind us that endpoint security is a multi-layered game.

#CyberSecurity #WindowsVulnerability #RemoteCodeExecution

2025-04-18

⚠️ CVE-2025-24054 is now under active attack — and it only takes a single click to leak NTLM hashes from a Windows system.

CISA has added this medium-severity Windows vulnerability to its Known Exploited Vulnerabilities catalog after confirming exploitation in the wild. The flaw enables attackers to harvest NTLM credentials through specially crafted .library-ms files.

Here’s how it works:
- A user receives a malicious file — even a single click (no execution needed) can trigger NTLM hash leakage
- Attackers send these files via phishing emails, often packed in ZIP archives or delivered directly
- Opening the archive or previewing the file initiates an SMB request, leaking NTLMv2-SSP hashes
- These hashes can then be used for pass-the-hash or lateral movement attacks inside the network

Check Point reports that the vulnerability has been exploited in at least 10 campaigns so far, targeting government and private organizations in Poland, Romania, Ukraine, and Colombia.

What makes this threat more dangerous:
- NTLM is deprecated but still present in many environments
- Minimal user interaction is required — just download and extract
- It bypasses common detection tools by triggering quietly in Windows Explorer
- It's a variant of a previously exploited flaw (CVE-2024-43451)

Microsoft patched the flaw in March, but exploitation began almost immediately. Agencies under the FCEB have until May 8 to patch — but every organization should act sooner.

At @Efani we view this as another reminder that legacy protocols like NTLM are low-hanging fruit for attackers. Even medium-severity flaws can become major risks when they require near-zero user interaction.

Patch. Audit. Replace legacy auth where possible.

#CyberSecurity #NTLM #WindowsVulnerability #CVE202524054 #CredentialSecurity #EfaniSecure
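The "Patch. Audit. Replace legacy auth" advice above, turned into a read-only audit of NTLM exposure on a Windows host. This is an added example, not code from the post or from Efani; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 and uses the documented Lsa/MSV1_0 policy registry values and the Microsoft-Windows-NTLM/Operational audit log (event 8001, outgoing NTLM to a remote server).

```powershell
# Added example, not from the post above: read-only audit of NTLM exposure on a Windows host.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11; the registry paths and event ID below are
# the documented Windows policy and audit locations. Nothing is changed by this script.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the policy has never been set (the Windows default then applies).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLM; lower values still send weaker responses.
$lmLevel  = Get-RegValue $lsa 'LmCompatibilityLevel'
# RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny outgoing NTLM to remote servers.
$restrict = Get-RegValue $msv 'RestrictSendingNTLMTraffic'

# Outgoing-NTLM audit events (ID 8001) are only written when RestrictSendingNTLMTraffic is 1 or 2.
# Grouping them by target server shows where the host has been sending NTLM responses, which is
# how an SMB request triggered by a crafted .library-ms file would surface on an audited machine.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
          -MaxEvents 500 -ErrorAction SilentlyContinue
$targets = $events | ForEach-Object {
    # The target server name is the first <Data> element of the 8001 event payload.
    ([xml]$_.ToXml()).Event.EventData.Data[0].'#text'
} | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count

[pscustomobject]@{
    LmCompatibilityLevel       = if ($null -eq $lmLevel)  { 'not set (default)' } else { $lmLevel }
    RestrictSendingNTLMTraffic = if ($null -eq $restrict) { 'not set (allow)'   } else { $restrict }
    OutgoingNtlmTargets        = ($targets | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
} | Format-List

# Hardening to apply after testing (deny mode breaks legitimate NTLM to servers not on an exception list):
# Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
# New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
#   -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block
```

Run it first with RestrictSendingNTLMTraffic set to 1 (audit) for a few days so the target list reflects real usage before switching to deny.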

2025-04-17

Windows systems are under threat! A tiny flaw now lets hackers steal sensitive credentials with just a folder click. How safe is your PC against these crafty phishing attacks? Read more on this alarming vulnerability.

thedefendopsdiaries.com/unders

#cve202524054
#windowsvulnerability
#ntlmhash
#cybersecurity
#phishingattacks

2025-04-08

Windows has a hidden trapdoor—CVE-2025-29824—that's letting ransomware gangs grab SYSTEM-level control with ease. Could your system be next? Read how to safeguard your data from this zero-day threat.

thedefendopsdiaries.com/unders

#cve202529824
#windowsvulnerability
#ransomware
#cybersecurity
#infosec

nemo™ 🇺🇦 nemo@mas.to
2024-12-17

CISA has raised alarms about a new Windows vulnerability (CVE-2024-35250) actively exploited by hackers! 🚨 This flaw allows privilege escalation to SYSTEM level, posing serious risks to organizations. Microsoft has issued a patch, but timely action is crucial! 🛡️🔒 Check out the details here: cyberinsider.com/cisa-warns-of #CyberSecurity #WindowsVulnerability #CISA #InfoSec #newz

2024-12-06

Urgent: Critical Windows zero-day vulnerability exposes NTLM credentials via file viewing. Patch your systems now! #WindowsVulnerability #ZeroDay #Cybersecurity

More details: securityonline.info/critical-z - flagthis.com/news/7287

Norobiik @Norobiik@noc.social
2024-10-08

#Windows11 sure is popular 🙄
---
Although the 50 million users at risk are a concern, the 900 million users currently using #Windows10 are a much grander issue.

In October 2025, #Microsoft will be ending support for Windows 10, leaving around 900 million users vulnerable. #WindowsVulnerability

Microsoft Issues Security Alert: 50M Users Exposed to Critical #Windows Vulnerabilities
msn.com/en-us/news/technology/

Mojo ♻️ mojo@aus.social
2024-08-14

Just a month after a CrowdStrike update caused widespread Blue Screen of Death (BSOD) issues, a new threat has emerged. Fortra's latest report, dated August 12, uncovers a Windows vulnerability that could lead to another BSOD nightmare. Stay alert! #CyberSecurity #BSOD #WindowsVulnerability #TechNews

forbes.com/sites/daveywinder/2

🛡 H3lium@infosec.exchange/:~# H3liumb0y@infosec.exchange
2023-12-29

"🚨 Windows App Installer Vulnerability: A New Twist in Cybersecurity 🚨"

Microsoft has temporarily disabled the MSIX ms-appinstaller protocol handler in Windows due to security concerns. This action was taken because malicious groups, like the Sangria Tempest group (also known as FIN7), were using it to distribute malware. This vulnerability, known as CVE-2021-43890, was exploited through phishing and malicious ads, often resulting in ransomware attacks. These attacks were able to bypass Defender SmartScreen and browser security warnings. Microsoft initially disabled this handler in February 2022 to counter Emotet attacks and has now decided to disable it again due to ongoing misuse by financially motivated threat groups.

The MSIX ms-appinstaller protocol handler is an important part of the MSIX package format. It simplifies the process of installing Windows applications directly from a URL, making it easier for developers and users. MSIX is a modern app package format for Windows that combines the best features of MSI, .appx, App-V, and ClickOnce installation technologies. Its main goal is to help developers package and distribute their applications efficiently and reliably, ensuring compatibility.

For more on CVE-2021-43890: Microsoft Advisory
For details on FIN7: MITRE - FIN7

Tags: #CyberSecurity #WindowsVulnerability #MSIX #ProtocolHandler #Malware #Ransomware #Phishing #ThreatIntelligence #SangriaTempest #FIN7 #MicrosoftSecurity

Sources:

Astra Kernel AstraKernel@infosec.exchange
2022-12-19

✨ CVE-2022-37958:
Critical Windows code-execution vulnerability went undetected until now

▶️ Potential to rival EternalBlue

▶️ Wormable

▶️ Unlike EternalBlue, the vulnerability is present in a much broader range of network protocols

▶️ Good news: a patch was released in September; hopefully all of us applied it

arstechnica.com/information-te

#infosec #eternalblue #patching #securityadvisory #sysadmin #blueteam #windowsvulnerability
