ZDI-26-293: (0Day) Microsoft Office URI Handler NTLM Response Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose NTLM responses on affected installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 4.3.
AI Analysis
Technical Summary
The Microsoft Office URI Handler NTLM Response Information Disclosure vulnerability (ZDI-26-293) allows remote attackers to obtain NTLM authentication responses by exploiting improper input validation in Office URI scheme handling. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage. The vulnerability was reported to Microsoft in February 2026, but Microsoft declined to issue a security update, stating it did not meet their servicing criteria. The advisory was publicly released by the Zero Day Initiative in April 2026. No patch or official fix is available, and the vulnerability has a CVSS score of 4.3 (low severity).
Potential Impact
Successful exploitation results in disclosure of NTLM authentication responses for the current user, potentially allowing an attacker to leverage these credentials in further attacks. However, the vulnerability does not allow code execution or system compromise directly. User interaction is required, limiting the attack vector. The vendor has not issued a patch, indicating the impact is considered low severity by Microsoft.
Mitigation Recommendations
No official patch or fix is available as Microsoft has declined to service this vulnerability. The primary mitigation is to restrict user interaction with untrusted or potentially malicious Microsoft Office files and links that could trigger the URI handler. Users and administrators should exercise caution when opening Office documents from untrusted sources. Monitor vendor advisories for any future updates.
ZDI-26-293: (0Day) Microsoft Office URI Handler NTLM Response Information Disclosure Vulnerability
Description
This vulnerability allows remote attackers to disclose NTLM responses on affected installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 4.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Microsoft Office URI Handler NTLM Response Information Disclosure vulnerability (ZDI-26-293) allows remote attackers to obtain NTLM authentication responses by exploiting improper input validation in Office URI scheme handling. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage. The vulnerability was reported to Microsoft in February 2026, but Microsoft declined to issue a security update, stating it did not meet their servicing criteria. The advisory was publicly released by the Zero Day Initiative in April 2026. No patch or official fix is available, and the vulnerability has a CVSS score of 4.3 (low severity).
Potential Impact
Successful exploitation results in disclosure of NTLM authentication responses for the current user, potentially allowing an attacker to leverage these credentials in further attacks. However, the vulnerability does not allow code execution or system compromise directly. User interaction is required, limiting the attack vector. The vendor has not issued a patch, indicating the impact is considered low severity by Microsoft.
Mitigation Recommendations
No official patch or fix is available as Microsoft has declined to service this vulnerability. The primary mitigation is to restrict user interaction with untrusted or potentially malicious Microsoft Office files and links that could trigger the URI handler. Users and administrators should exercise caution when opening Office documents from untrusted sources. Monitor vendor advisories for any future updates.
Technical Details
- Article Source
- {"url":"http://www.zerodayinitiative.com/advisories/ZDI-26-293/","fetched":true,"fetchedAt":"2026-05-26T19:57:55.855Z","wordCount":253}
Threat ID: 6a15fc93e29bf47b5055dfd1
Added to database: 5/26/2026, 8:03:31 PM
Last enriched: 5/26/2026, 8:06:42 PM
Last updated: 5/27/2026, 5:03:42 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.