Exclusive: Nine Months After Disclosure, Popular Scanning Tools Still Leak Windows Credentials Via Unpatched Flaw

By Javier Medina (X/LinkedIn)
January 2026
Look—despite being publicly called out last year, widely-used network tools are still putting organizations at risk right now. Original research by ITRES LABS confirms two administration apps installed on millions of systems worldwide continue leaking Windows credentials through an unpatched flaw. Seriously problematic: Distributed versions of Advanced IP Scanner (≤ 2.5.4594.1) and Advanced Port Scanner (≤ 2.5.3869) automatically launch Windows authentication sequences toward scanned targets. That unintentionally broadcasts NetNTLM cryptographic data over HTTP/SMB—exactly what attackers exploit to steal credentials.
## Unpatched Vulnerability Persists Amid Enterprise Use
ITRES LABS spotted this during testing way back in January 2024—officially tagged as CVE-2025-1868. But guess what? Even now, versions distributed by Famatech Corp. remain wide open. Here’s the timeline: Researchers disclosed it via INCIBE-CERT in February 2024, and the CVE was published in March 2025. We’re nine months past that disclosure. Yet when ITRES pulled installer files this January—like Advanced_IP_Scanner_2.5.4594.1.exe and Advanced_Port_Scanner_2.5.3869.exe—they confirmed vulnerable editions are still being shipped. Crazy, right?
## Why Default Settings Pose Operational Risk
So what’s actually happening? Both apps ship with “Scan Resources” turned on by default. Sounds harmless? Not even close. This feature goes way beyond port checks—it actually attempts to probe services without asking you:
- Active Authentication Attempts: Your scanner secretly tries to authenticate against file shares (SMB) and web servers (HTTP) using your workstation’s Windows credentials.
- Cryptographic Exposure: Each attempt shoots NetNTLMv2 challenge-response pairs over the network. Hackers can crack these hashes offline to uncover passwords.
- HTTPS Bypass: Turning off HTTPS scanning? Doesn’t matter. Redirects (HTTP → HTTPS) still force leakage over TLS.
Command-line tools (advanced_ip_scanner_console.exe / advanced_port_scanner_console.exe) do the exact same thing in automated scripts.
## Credential Harvesting Attack Scenarios
Now here’s where it gets scary—attackers can weaponize routine admin tasks:
### Exploiting Legitimate Workflows
Imagine this scenario:
- Hackers set up fake HTTP/SMB endpoints resembling real company assets
- They trick an admin into scanning them—maybe a fake vendor email says, “Check connectivity to this IP!”
- Boom: Scanned hosts capture credentials relayable to internal systems or crackable offline
“Scanning a seemingly harmless external IP feels normal, right?” says the ITRES researcher who discovered this. “Admins won’t blink—but doing it surrenders domain credentials in seconds.”
### Elevated Access Consequences
It gets worse if:
- Scans run from Privileged Access Workstations (PAWs): Domain admin creds? Jackpot.
- Network teams use everyday workstations instead of isolated machines: Everyday accounts still hold doors open.
- Outbound SMB gets blocked: Sure, many companies do this. But HTTP/HTTPS paths are always open, letting credentials slip outside.
## Validating Organizational Exposure
Think you’re safe? Test it yourself:
- Set up endpoints logging NTLM auth attempts
- Scan them using Advanced IP/Port Scanner defaults
- Repeat with Settings → Options → Resources: Disable “Shared folders” + “HTTP”
If you see auth logs tied to your scanner IPs, you’re exposed. ITRES LABS also runs scan.itresit.es, a harmless HTTPS endpoint that confirms leakage without stealing credentials.
## Enterprise Mitigation Strategies
Ready for the fix? Since Famatech hasn’t patched this yet:
### Immediate Countermeasures
| Action | Implementation |
|---|---|
| Disable Risky Features | Settings → Options → Resources → Kill “Shared folders” + “HTTP” |
| Isolation Protocols | Only scan from non-domain joined, disposable virtual machines |
| Tool Replacement | Switch to safer tools like Nmap—they don’t force authentication |
### Detection Hygiene Improvements
Spot accidental leaks faster:
- Network Decoys: Fake HTTP/SMB servers in sensitive zones—real hosts shouldn’t touch them.
- Perimeter Guardrails: Block outgoing SMB. Flag NTLM-over-HTTP(S) traffic too.
- Endpoint Auditing: Enable “Microsoft-Windows-NTLM/Operational” logs on critical assets. Watch for outgoing auth.
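The following is an added example (not ITRES LABS’ scan.itresit.es code, nor anything from Famatech) of the kind of harmless validation endpoint and network decoy the “Validating Organizational Exposure” steps and the decoy bullet above call for. It demands NTLM but never issues a Type 2 challenge, so a leaking scanner reveals itself with a Type 1 NEGOTIATE message and can never produce the crackable NetNTLMv2 response; the listening address is an assumption, and the same `parse_ntlm_header` function can be run over Authorization headers recorded by a proxy to flag NTLM-over-HTTP(S) egress.

```python
import base64
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP_SIG = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_ntlm_header(authorization):
    """Decode an HTTP Authorization header and return {'scheme', 'type', 'name'}
    when it carries a raw NTLMSSP token (NTLM, or NTLM inside Negotiate); else None."""
    if not authorization:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("NTLM", "Negotiate"):
        return None
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # NTLMSSP header: 8-byte signature followed by a little-endian uint32 message type.
    if len(token) < 12 or not token.startswith(NTLMSSP_SIG):
        return None  # e.g. Negotiate carrying SPNEGO/Kerberos rather than NTLM
    msg_type = struct.unpack_from("<I", token, 8)[0]
    return {"scheme": parts[0], "type": msg_type,
            "name": MSG_NAMES.get(msg_type, "UNKNOWN")}


class DecoyHandler(BaseHTTPRequestHandler):
    """Answers every request with 401 + WWW-Authenticate: NTLM and logs any NTLM
    token the client volunteers. It never sends a Type 2 challenge, so the client
    cannot build a Type 3 NetNTLMv2 response: the leak is confirmed, not harvested."""

    def do_GET(self):
        info = parse_ntlm_header(self.headers.get("Authorization"))
        if info:
            self.log_message("NTLM %s (type %d) from %s for %s", info["name"],
                             info["type"], self.client_address[0], self.path)
        self.send_response(401)
        self.send_header("WWW-Authenticate", "NTLM")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Assumed listening address; front it with a TLS reverse proxy to exercise
    # the HTTP -> HTTPS redirect case described in the article.
    HTTPServer(("0.0.0.0", 8080), DecoyHandler).serve_forever()
```

Point a scanner at the decoy host with “Scan Resources” at its defaults, then again with “Shared folders” and “HTTP” disabled: a NEGOTIATE log line in the first run and none in the second confirms the exposure and the fix.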
## Perspective: When Tool Trust Betrays Security
Famatech claims 70 million users. But shipping unpatched defaults nine months after disclosure? That’s not prioritizing safety—it’s negligence.
This whole mess proves routine tools can betray you: Automatic auth sequences happen without warning, social engineering hides malicious ops, and temporary risks turn permanent. Defenders? Treat every “trusted” outbound auth as suspicious—because these tools just broke that trust.
## Disclosure Timeline
2024-01-24 – Vulnerability discovered during testing
2024-02-19 – Reported to INCIBE-CERT (CNA)
2024-05-17 – Validation completed
2025-03-03 – Generic CVE advisory published
2026-01-07 – Full technical disclosure (this publication)
Installers checked January 3rd:
| Retrieved (UTC) | Product | Version | SHA256 |
|---|---|---|---|
| 2026-01-03T16:04:52Z | Advanced Port Scanner | 2.5.3869 | d0c1662ce2... |
| 2026-01-03T16:04:54Z | Advanced IP Scanner | 2.5.4594.1 | 26d5748ffe... |