Windows 'RemotePotato0' zero-day gets an unofficial patch (Security News, January 2022)
A privilege escalation vulnerability impacting all Windows versions that can let threat actors gain domain admin privileges through an NTLM relay attack has received unofficial patches after Microsoft tagged it as "Won't fix."
Kerberos has superseded NTLM as the default authentication protocol for domain-joined devices on Windows 2000 and later.
Despite this, NTLM is still in use on Windows servers, allowing attackers to exploit vulnerabilities like RemotePotato0, which is designed to bypass NTLM relay attack mitigations.
Microsoft told the researchers that Windows admins should either disable NTLM or configure their servers to block NTLM relay attacks using Active Directory Certificate Services.
The researchers "hope that MS reconsider their decision not to fix this serious vulnerability," since RemotePotato0 can be exploited without requiring the target's interaction by relaying authentication to other protocols, unlike similar NTLM relay attack techniques using bugs like CVE-2020-1113 and CVE-2021-1678.
The unofficial patches for RemotePotato0 are available for all Windows versions from Windows 7 to the latest Windows 10 version and from Windows Server 2008 to Windows Server 2019.
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-12 | CVE-2021-1678 | Windows Print Spooler Spoofing Vulnerability (unspecified vulnerability in Microsoft products) | 0.0 |
| 2020-05-21 | CVE-2020-1113 | Improper Certificate Validation vulnerability in Microsoft products: a security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC, aka 'Windows Task Scheduler Security Feature Bypass Vulnerability' | 7.5 |