Vypr advisory · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

ZDI Publishes 0-Day for Microsoft Office URI Handler NTLM Leak After Microsoft Declines to Patch

Zero Day Initiative has disclosed a 0-day vulnerability in Microsoft Office's URI handler that leaks NTLM responses, after Microsoft declined to fix the flaw, deeming it below its security servicing bar.

On April 21, 2026, the Zero Day Initiative (ZDI) published advisory ZDI-26-293, revealing a 0-day information disclosure vulnerability in Microsoft Office's URI handler. The flaw, tracked as ZDI-CAN-28651, allows remote attackers to leak NTLM responses from the current user. Microsoft was notified on February 5, 2026, but on March 4, 2026, the vendor communicated that the vulnerability did not meet its bar for security servicing, prompting ZDI to release the advisory as a 0-day after a coordinated disclosure timeline.

The vulnerability stems from improper input validation within Microsoft Office URI schemes. An attacker can exploit it by convincing a target to visit a malicious webpage or open a specially crafted file. Once triggered, the flaw leaks the user's NTLM responses: the challenge-response values (Net-NTLM, typically NTLMv2) that a Windows client derives from the user's password hash and a server-supplied challenge when it authenticates. These are not the password hash itself, so they cannot simply be passed, but an attacker who captures one can either relay it in real time to another service that accepts NTLM without signing or channel binding, or crack it offline to recover the password. That is why the real-world risk is higher than the CVSS score of 4.3 (medium) suggests: a captured response can become a foothold on a file share or other network resource and a starting point for lateral movement within an enterprise environment.

Microsoft's decision not to patch the vulnerability has drawn criticism from security researchers. The company's security servicing bar determines which flaws receive fixes; those deemed below the bar are often addressed in future feature updates or left unpatched. This approach leaves users exposed, especially in environments where NTLM is still heavily used. ZDI's advisory notes that the only salient mitigation is to restrict interaction with the product, a measure that is impractical for most organizations.

The disclosure timeline shows that ZDI reported the vulnerability on February 5, 2026, and Microsoft acknowledged receipt the same day. On March 4, 2026, Microsoft communicated its decision not to patch. ZDI then notified Microsoft of its intent to publish on April 13, 2026, and released the advisory on April 21, 2026. The vulnerability was discovered and reported by researchers Len Sadowski (lytnc) and Oğuz Bektaş (_ozb_).

This incident is part of a broader trend where vendors decline to patch vulnerabilities they consider low-severity, leaving users to rely on workarounds or third-party mitigations. For NTLM-related flaws, the risk is compounded by the prevalence of NTLM relay attacks, which have been used in high-profile breaches. Security experts recommend disabling NTLM where possible and implementing Extended Protection for Authentication, whose channel binding ties the NTLM exchange to the TLS session so that a response relayed to a protected HTTPS or LDAPS endpoint is rejected.

Organizations using Microsoft Office should assess their exposure to this vulnerability. While no active exploitation has been reported yet, the public disclosure of a 0-day with a clear attack vector increases the likelihood of malicious use. Until Microsoft reconsiders its stance or provides a fix, administrators should audit and then restrict outgoing NTLM traffic from workstations (Windows' Restrict NTLM policies, with exceptions for known internal servers), require SMB signing on clients and servers so that a captured response cannot be relayed over SMB, block outbound SMB to the Internet at the perimeter, and monitor the NTLM audit and Security logs for authentication attempts to unfamiliar or external hosts.
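The mitigations described in the two paragraphs above (restricting outgoing NTLM, SMB signing, blocking outbound SMB, and reviewing NTLM audit events) can be applied from an elevated PowerShell session. The following is an added example written for this page; it is not code from ZDI, the researchers, or Microsoft. It assumes the documented MSV1_0 registry values behind the "Network security: Restrict NTLM" policies, the Microsoft-Windows-NTLM/Operational log with event 8001 for outgoing NTLM, and a message layout containing "Target server:" and "Name of client process:" lines; the internal DNS suffix `corp.example` is a placeholder. Group Policy can override the registry values set here.

```powershell
# Added example (not from the ZDI advisory or Microsoft). Run elevated.
# Assumption: Group Policy does not override these values on the host.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: control outgoing NTLM. Audit first so legitimate internal
# dependencies appear in the NTLM operational log before anything breaks.
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
# (policy "Restrict NTLM: Outgoing NTLM traffic to remote servers").
function Set-OutboundNtlmPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        # Servers that may still receive NTLM in Deny mode (policy
        # "Add remote server exceptions"); FQDN or NetBIOS, '*' wildcard allowed.
        [string[]]$AllowedServers = @()
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $Msv1 -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $Msv1 -Name 'ClientAllowedNTLMServers' -Value $AllowedServers -Type MultiString
    }
}

# Step 2: require SMB signing on both sides. A relayed NTLM response cannot
# complete an SMB session when the target insists on signed traffic, and this
# host will no longer accept an unsigned (relayed) session either.
function Enable-SmbSigning {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# Step 3: stop SMB-based leaks from reaching the Internet at all. This does
# not cover WebDAV over 80/443, which needs the NTLM restriction above.
function Block-OutboundSmbToInternet {
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Step 4: triage the audit trail. With auditing on, each outgoing NTLM
# authentication is logged as event 8001 in Microsoft-Windows-NTLM/Operational.
# Assumption: the message text carries "Target server:" and
# "Name of client process:" lines; adjust the regexes if your build differs.
function Get-OutboundNtlmTargets {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $Since
    } -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches
    foreach ($e in $events) {
        $target  = if ($e.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        $process = if ($e.Message -match 'Name of client process:\s*(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $e.TimeCreated; Target = $target; Process = $process }
    }
}

# Usage: audit, review for a while, then deny with exceptions for known servers.
Set-OutboundNtlmPolicy -Mode Audit
Enable-SmbSigning
Block-OutboundSmbToInternet

# Anything outside the internal suffix (placeholder 'corp.example') or an
# Office binary talking to an unexpected host deserves a closer look.
Get-OutboundNtlmTargets |
    Where-Object { $_.Target -notlike '*.corp.example' } |
    Group-Object Target, Process |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# After review, enforce: only listed internal servers keep receiving NTLM.
# Set-OutboundNtlmPolicy -Mode Deny -AllowedServers '*.corp.example'
```

Keep the policy in Audit mode long enough to capture the full cycle of internal applications (month-end jobs included) before switching to Deny, and treat a Deny-mode failure as a signal to add a named exception rather than to relax the policy. The firewall rule and SMB signing can be enforced immediately; they do not depend on the audit window.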

Synthesized by Vypr AI