Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials

A critical vulnerability in Microsoft Telnet Server enables attackers to bypass authentication completely, potentially gaining administrator access without valid credentials. Organizations running legacy Windows systems are advised to take immediate action, as no official patch is available.

The critical flaw, discovered by a security researcher with Handle Hacker Fantastic, exploits a misconfiguration in the NTLM Authentication processes of the Telnet MS-TNAP (Microsoft Telnet Authentication Protocol) extension.

Designated as a “0-click” vulnerability, it requires no user interaction and allows remote unauthenticated attackers to bypass authentication mechanisms entirely.

Affected systems include legacy Microsoft operating systems from Windows 2000 through Windows Server 2008 R2. While these systems are relatively old, many organizations still maintain such servers for legacy applications or infrastructure.

“A critical 0-click remote authentication bypass vulnerability in Microsoft Telnet Server allows attackers to gain access as any user, including Administrator, without requiring valid credentials,” according to security researchers who analyzed the vulnerability.

The exploit works by manipulating the mutual authentication process between client and server.

Microsoft Telnet Client 0-click Vulnerability

The vulnerability stems from improper SSPI (Security Support Provider Interface) flag configurations during the authentication handshake. Specifically, researchers identified two critical misconfigurations:

The server initializes NTLM security with the SECPKG_CRED_BOTH flag and uses AcceptSecurityContext() with ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH flags. This combination allows attackers to invert the authentication relationship, essentially tricking the server into authenticating itself to the client rather than validating the client’s credentials.

A proof-of-concept exploit named “telnetbypass.exe” has been released, though its source code has been withheld to minimize widespread exploitation. The exploit can bypass authentication to any account on the host by sending specially crafted mutual authentication packets.

With no patch currently available from Microsoft, security experts recommend several immediate actions to mitigate risk:

1. Immediately disable the Telnet Server service on all affected systems.
2. Replace Telnet with more secure alternatives like SSH for remote management.
3. Implement network filtering to restrict Telnet access to trusted networks only.
4. Deploy application controls to prevent unauthorized Telnet clients from connecting.

Security analysts emphasize that while this vulnerability is severe, its impact is limited to older systems. “A dead protocol, Telnet, that is not installed by default, on Windows versions that have already been EOL for years. It’s a clever find, but it’s 15 years too late,” noted one security professional.

Nevertheless, organizations maintaining legacy infrastructure should take this threat seriously. “Anyone who exposes Telnet to the internet on ancient Windows versions is either running a honeypot or taking extraordinary risks,” the expert added.

This vulnerability highlights the ongoing security challenges faced by organizations running legacy systems past their support lifecycle. Even as new security measures are implemented in modern operating systems, older protocols like Telnet continue to present significant risks when left active.

Security operations teams are advised to audit their environments for any running Telnet Server services, particularly on legacy Windows systems, and take immediate action to mitigate this vulnerability.

Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar

The post Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials appeared first on Cyber Security News.