Microsoft

Microsoft's Windows Explorer is affected by RenderShock, a zero-click attack methodology that abuses passive file preview and indexing behaviors in modern operating systems. Payload files (LNK files, PDFs, Office documents) delivered through helpdesk portals or shared directories are processed by the preview pane or the search indexer without the user opening them, so the payload executes with no interaction, potentially leading to credential harvesting, remote access, and data exfiltration. Because the technique rides on built-in automation rather than a conventional exploit, it is hard to detect and mitigate with controls that assume a user has to click. Security teams are advised to disable preview panes (Windows Explorer and macOS Quick Look), block outbound SMB (TCP 445) to untrusted networks, enforce macro blocking through Group Policy, and monitor preview-related processes such as explorer.exe, searchindexer.exe, and quicklookd for unusual network activity.

Source: https://cybersecuritynews.com/rendershock-0-click-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/microsoft

{
  "id": "mic607071425",
  "linkid": "microsoft",
  "type": "Vulnerability",
  "date": "7/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization's existence"
}

{
  "attack_vector": ["File Preview Systems", "Automatic File Indexing Services"],
  "data_breach": {
    "file_types_exposed": ["LNK Files", "PDFs", "Office Documents"]
  },
  "description": "A sophisticated zero-click attack methodology called RenderShock that exploits passive file preview and indexing behaviors in modern operating systems to execute malicious payloads without requiring any user interaction.",
  "impact": {
    "systems_affected": [
      "Windows Explorer",
      "macOS Quick Look",
      "Email Client Preview Systems",
      "File Indexing Services"
    ]
  },
  "initial_access_broker": {
    "entry_point": ["Helpdesk Portals", "Shared Directories"]
  },
  "lessons_learned": "Modern computing environments' emphasis on user convenience creates silent execution paths that require no interaction, fundamentally challenging traditional security assumptions about file-based attacks and necessitating a reevaluation of how systems handle passive file processing.",
  "motivation": ["Credential Harvesting", "Remote Access", "Data Exfiltration"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Disable Preview Panes",
      "Block Outbound SMB Traffic",
      "Enforce Macro Blocking",
      "Deploy Behavioral Monitoring"
    ],
    "root_causes": "Exploitation of passive file preview and indexing behaviors in modern operating systems"
  },
  "recommendations": [
    "Disable preview panes in Windows Explorer and Quick Look on macOS",
    "Block outbound SMB traffic (TCP 445) to untrusted networks",
    "Enforce macro blocking through Group Policy",
    "Deploy behavioral monitoring to detect unusual network activity from preview-related processes"
  ],
  "references": [{"source": "CYFIRMA"}],
  "response": {
    "containment_measures": [
      "Disable Preview Panes",
      "Block Outbound SMB Traffic",
      "Enforce Macro Blocking"
    ],
    "enhanced_monitoring": [
      "Monitor preview-related processes like explorer.exe, searchindexer.exe, and quicklookd"
    ],
    "remediation_measures": ["Deploy Behavioral Monitoring"]
  },
  "title": "RenderShock Zero-Click Attack",
  "type": "Zero-Click Attack",
  "vulnerability_exploited": "RenderShock 0-Click Vulnerability"
}
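The Windows side of the four recommendations above (preview pane off, outbound SMB blocked, macros blocked, preview-related processes watched), as an added PowerShell example; this is not code from the page, from Rankiteo or from CYFIRMA. It assumes the registry values that back the Group Policy settings "Turn off Preview Pane" (NoPreviewPane) and the Office "VBA Macro Notification Settings" / "Block macros from running in Office files from the Internet" policies (VBAWarnings, BlockContentExecutionFromInternet), uses the Windows Firewall "Internet" address keyword as a stand-in for "untrusted networks", and adds prevhost.exe (the preview-handler surrogate host) to the process list the page gives; adapt the address scope and process list to your environment. The macOS Quick Look recommendation is outside this script.

```powershell
# Added example (not the page's own code): apply the RenderShock mitigations on a
# Windows host and audit preview-related processes for SMB connections.
# Assumptions: policy registry paths as named in the lead-in; the 'Internet'
# remote-address keyword approximates "untrusted networks". Run elevated.
#Requires -RunAsAdministrator

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Turn off the File Explorer preview pane (policy value NoPreviewPane) and the
#    in-process preview handlers, so a file dropped into a shared directory is not
#    rendered just because the folder is opened.
function Disable-ExplorerPreview {
    Set-PolicyDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoPreviewPane' 1
    Set-PolicyDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'ShowPreviewHandlers' 0
}

# 2. Block outbound SMB (TCP 445) to untrusted networks. Windows Firewall applies
#    block rules before allow rules, so scope the block by remote address; internal
#    file servers stay reachable only because they fall outside that scope.
function Block-OutboundSmb {
    # Assumption: 'Internet' keyword; replace with explicit untrusted ranges if preferred.
    param([string[]]$RemoteAddress = @('Internet'))
    $name = 'Block outbound SMB to untrusted networks'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
    }
}

# 3. Enforce macro blocking for Word, Excel and PowerPoint. VBAWarnings=4 disables
#    all macros without notification; BlockContentExecutionFromInternet=1 blocks
#    macros in files that carry the Mark-of-the-Web.
function Enable-MacroBlocking {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        Set-PolicyDword $key 'VBAWarnings' 4
        Set-PolicyDword $key 'BlockContentExecutionFromInternet' 1
    }
}

# 4. Behavioural check: preview and indexing processes have no business opening SMB
#    sessions to remote hosts. Report every live TCP/445 connection they own.
#    Assumption: prevhost.exe added to the page's list of explorer.exe/searchindexer.exe.
function Get-SuspiciousPreviewConnections {
    $watched = @('explorer', 'searchindexer', 'prevhost')
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $watched -contains $proc.ProcessName.ToLower()) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Pid     = $proc.Id
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
            }
        }
    }
}

Disable-ExplorerPreview
Block-OutboundSmb
Enable-MacroBlocking
Get-SuspiciousPreviewConnections | Format-Table -AutoSize
```

The HKCU values affect only the current user; for fleet-wide enforcement push the same settings through the corresponding Group Policy objects so users cannot re-enable the preview pane. Run Get-SuspiciousPreviewConnections on its own first in audit mode; any hit is a strong signal, since neither Explorer nor the indexer should be the owner of an SMB session to a host outside your file-server estate.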