Microsoft Telnet flaw enables credential theft through telnet links in phishing
Take action: It's very uncommon for people to use the Telnet protocol these days, and by default the Telnet Client isn't even installed on Windows. But the first priority is NEVER to click on links or attachments from unexpected emails. Telnet links can be embedded in almost anything, and if you have the Telnet Client installed for whatever reason, your credentials can be compromised with a single click.
A security vulnerability has been discovered in the Microsoft Telnet Client's MS-TNAP authentication protocol, enabling attackers to silently steal Windows credentials from users.
The vulnerability exists in the Microsoft Telnet Client's implementation of the MS-TNAP extension. When a Windows user connects to a malicious Telnet server (either manually or by clicking a telnet:// URI link), the client initiates an authentication process that can be exploited to capture authentication material.
If the malicious server is located within the Intranet or Trusted Zone—or if system policies allow silent authentication—Windows will automatically transmit NTLM authentication data without any warning or user approval.
The primary attack vector involves:
- Establishing a malicious Telnet server
- Enticing users to connect via telnet:// URI links (embedded in emails, documents, or websites)
- Capturing NTLM authentication data from connecting clients
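From the defender's side, the most useful signal in this attack chain is that telnet.exe runs at all on a workstation, and especially that it is spawned by a mail client, browser or Office application after a link click. The following PowerShell function is an added example, not code from the original article or from any proof of concept; it scans process-creation records using Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage, User) and flags Telnet Client launches. The list of "user-facing" parent processes is a heuristic I chose, and the sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the original article): flag Telnet Client launches
# in process-creation telemetry. Field names follow Sysmon Event ID 1; the
# parent-process list is a heuristic assumption, not something the article states.
function Find-TelnetClientLaunch {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Legitimate Telnet Client use is rare, so every launch is worth reviewing.
        if ($e.Image -notmatch '\\telnet\.exe$') { continue }

        # Extract the host the client was pointed at: telnet://host, or "telnet host [port]".
        $target = $null
        if ($e.CommandLine -match 'telnet://([^\s/:]+)') {
            $target = $Matches[1]
        } elseif ($e.CommandLine -match '^\S*telnet(\.exe)?"?\s+(?:-\S+\s+)*([^\s:]+)') {
            $target = $Matches[2]
        }

        # A mail client, browser, Office app or the URI-handler host process as parent
        # suggests the launch came from a clicked link or document rather than an admin.
        $fromUserApp = $e.ParentImage -match '\\(outlook|winword|excel|msedge|chrome|firefox|rundll32)\.exe$'

        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $e.User
            Target   = $target
            Parent   = $e.ParentImage
            Severity = if ($fromUserApp) { 'High' } else { 'Medium' }
            Reason   = if ($fromUserApp) { 'telnet.exe spawned by user-facing application' } else { 'telnet.exe launched' }
        }
    }
}

# Constructed sample telemetry (not real events); the hostnames are placeholders.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:00:00Z'; User = 'CORP\alice'
                       Image = 'C:\Windows\System32\telnet.exe'; CommandLine = 'telnet.exe 10.0.0.5 23'
                       ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:05:00Z'; User = 'CORP\bob'
                       Image = 'C:\Windows\System32\telnet.exe'; CommandLine = '"C:\Windows\System32\telnet.exe" telnet://files.example.test'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:06:00Z'; User = 'CORP\bob'
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe' }
)

# Expected: two rows (alice Medium from cmd.exe, bob High from OUTLOOK.EXE); notepad is ignored.
Find-TelnetClientLaunch -Events $sample | Format-Table -AutoSize
```

In production you would feed the function real events, for example the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'` mapped onto the same field names, or the equivalent 4688 events if Sysmon is not deployed. Pairing a High-severity hit with an outbound connection to TCP/23 from the same host is the confirmation step.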
The vulnerability affects all Windows versions with the Microsoft Telnet Client installed:
- Windows NT 4.0 through Windows 11
- Windows Server 2003 through Windows Server 2025
A working proof-of-concept exploit has been developed that demonstrates:
- Detection of MS-TNAP support in connecting clients
- Capturing of NTLM authentication exchanges
- Extraction of NetNTLMv2 hashes in formats compatible with password cracking tools
To protect against this vulnerability, organizations should uninstall or disable the Telnet Client wherever it is installed (it is not installed by default on newer versions of Windows) unless it is strictly necessary, and train users to avoid clicking suspicious telnet:// links or opening unknown LNK files.
The attack can be triggered via URI handlers embedded in phishing emails or documents.
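The recommendation above boils down to two checks per machine: is the Telnet Client optional feature enabled, and is a telnet: URI handler still registered so that a link click can reach it? The script below is an added example, not the article's own procedure; it uses the built-in DISM cmdlets (available on Windows 8 / Server 2012 and later, run from an elevated prompt) and reads the protocol handler registration from HKEY_CLASSES_ROOT\telnet, which is where Windows registers the telnet: handler on systems I have checked; treat that path as an assumption to verify on your own build.

```powershell
# Added example (not from the original article). Requires an elevated PowerShell
# session on Windows 8 / Server 2012 or later for the DISM cmdlets.

function Get-TelnetClientExposure {
    # Optional-feature state: Enabled, Disabled, DisabledWithPayloadRemoved, or absent.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction SilentlyContinue

    # telnet: URI handler registration (assumed location; verify on your build).
    $handlerKey = 'Registry::HKEY_CLASSES_ROOT\telnet\shell\open\command'
    $handler = $null
    if (Test-Path $handlerKey) {
        $handler = (Get-ItemProperty -Path $handlerKey).'(default)'
    }

    [pscustomobject]@{
        FeatureState     = if ($feature) { $feature.State } else { 'NotPresent' }
        TelnetExePresent = Test-Path (Join-Path $env:SystemRoot 'System32\telnet.exe')
        UriHandler       = $handler
        Exposed          = ($feature -and $feature.State -eq 'Enabled') -or ($null -ne $handler)
    }
}

function Disable-TelnetClient {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-TelnetClientExposure
    if ($before.FeatureState -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess('TelnetClient', 'Disable Windows optional feature')) {
        # -NoRestart: the feature removal does not need a reboot for this client.
        Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
    }
    # On Windows 7 / Server 2008 R2, which lack these cmdlets, the equivalent is:
    #   dism /online /Disable-Feature /FeatureName:TelnetClient
    Get-TelnetClientExposure
}

# Audit first, then remediate.
Get-TelnetClientExposure
Disable-TelnetClient -WhatIf   # drop -WhatIf to apply
```

If `UriHandler` still reports a command after the feature is disabled, the stale registration is harmless on its own (there is no telnet.exe for it to launch) but is worth cleaning up through your endpoint management tooling so that a future reinstall of the feature does not silently restore the click-to-authenticate path. Run the audit function across the fleet and alert on any host where `Exposed` is true.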