MEDIUM 6.5

CVE-2026-39908: OpenBullet2 NTLMv2 Hash Disclosure via UNC Proxy Path

OpenBullet2 versions up to 0.3.2 running on Windows contain a flaw that leaks the Windows NTLM password hash of the user running the application. An attacker with access to the application can trick it into connecting to a malicious SMB server by providing a fake network path (UNC path) as a proxy source. When OpenBullet2 tries to load proxy settings from that path, Windows automatically attempts to authenticate, and the attacker captures the resulting NTLMv2 hash. That hash can be used in relay attacks or cracked offline to recover credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-522
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-07-14

NVD description (verbatim)

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in OpenBullet2's proxy source handling on Windows. When a job is configured with a UNC path (e.g., \\attacker.com\share) pointing to a proxy source, the application initiates an SMB connection during job startup to retrieve proxy information. The Windows authentication layer transparently attempts NTLM authentication to access the remote resource. An attacker-controlled SMB server captures the outbound NTLMv2 hash sent by the client. This hash can be relayed to other services using NTLMv2 relay techniques or subjected to offline brute-force or dictionary attacks. The flaw stems from inadequate validation or sanitization of proxy source paths and failure to restrict network protocols to secure channels. CWE-522 (Insufficiently Protected Credentials) applies because sensitive authentication material is disclosed without adequate protection during the connection attempt.

Business impact

Compromise of Windows user credentials running OpenBullet2 creates cascading risks. The leaked hash may grant attackers access to the user's network resources, domain accounts (if domain-joined), and downstream systems the user can reach. In environments where OpenBullet2 runs under elevated or service account contexts, the impact extends to critical infrastructure. Attackers could pivot laterally, access sensitive data, or establish persistence. The threat is compounded if the compromised account has administrative privileges or access to highly sensitive systems.

Affected systems

OpenBullet2 version 0.3.2 and earlier releases on Windows are vulnerable. The Windows operating system is a prerequisite; the vulnerability does not affect Linux or macOS deployments. Affected organizations include penetration testers, security researchers, and potentially threat actors who use or deploy OpenBullet2 in their workflow.

Exploitability

Exploitation requires network access and valid credentials or permission to configure OpenBullet2 jobs. An insider, compromised account, or attacker with prior foothold can create a malicious proxy job configuration. The attack vector is network-based, requires authentication to the application, and does not need user interaction beyond job execution. No complex techniques or race conditions are required; the vulnerability triggers automatically when a job with a UNC proxy path is started. The barrier to weaponization is low once access is gained.

Remediation

Upgrade OpenBullet2 to a version newer than 0.3.2 that includes fixes for credential disclosure during proxy source resolution. Verify patched versions against the official OpenBullet2 repository or vendor advisory. Until patches are available, restrict network access to OpenBullet2 instances, prevent untrusted users from configuring job proxy sources, and run the application under a low-privilege account with minimal network rights. Consider disabling SMB-based proxy sources or validating proxy paths to exclude UNC paths.

Patch guidance

Check the official OpenBullet2 project repository for versions released after 0.3.2 that address CVE-2026-39908. Apply the latest stable release to all Windows systems running OpenBullet2. Verify patch application by confirming the version number in the application settings or file properties. Test patched versions in a controlled environment before production deployment to ensure compatibility with existing job configurations.

Detection guidance

Monitor for SMB authentication attempts originating from OpenBullet2 processes connecting to unusual or external hosts. Use Windows Event Log monitoring to detect failed or anomalous NTLM authentication events from the OpenBullet2 service account. Inspect job configuration files for UNC paths pointing to unexpected network resources. Network-level detection should flag SMB traffic from internal systems to external or unknown IP addresses. EDR solutions can track process-to-network behaviors characteristic of credential capture attempts.

Why prioritize this

Although assigned MEDIUM severity (CVSS 6.5), this vulnerability poses direct credential theft with minimal barriers to exploitation for insiders or attackers with initial access. The leaked NTLMv2 hash enables relay attacks and offline cracking, potentially leading to lateral movement and privilege escalation. Prioritize patching in environments where OpenBullet2 runs on domain-joined systems, under privileged accounts, or with access to sensitive infrastructure. Organizations using OpenBullet2 for legitimate security testing should treat patching as urgent.

Risk score, explained

CVSS 6.5 (MEDIUM) reflects network accessibility, requirement for authenticated access, and high confidentiality impact (hash disclosure) with no integrity or availability consequences. The score does not fully capture the downstream damage potential from NTLMv2 relay or password cracking. Real-world risk depends on the account privileges running OpenBullet2, network segmentation, and whether NTLMv2 relay mitigations (SMB signing, EPA) are in place. Security teams should supplement CVSS with contextual risk assessment.

Frequently asked questions

Can an attacker exploit this without prior access to OpenBullet2?

No. The vulnerability requires authenticated access to OpenBullet2 to create or modify a malicious proxy job configuration. However, once configured, the credential disclosure occurs automatically upon job execution without further user action.

What is an NTLMv2 hash and why is it a problem?

NTLMv2 is the modern Windows authentication hash format. Unlike older protocols, NTLMv2 hashes are resistant to some attack methods but still vulnerable to relay attacks (where the hash is used directly) and offline brute-force or dictionary attacks if the attacker has sufficient computing resources. Compromised hashes can lead to account takeover.

Does this affect non-Windows systems running OpenBullet2?

No. The vulnerability is specific to Windows and the NTLM authentication mechanism. Linux and macOS deployments of OpenBullet2 are not affected, although they should be kept updated for other potential vulnerabilities.

What should I do if I suspect my OpenBullet2 instance was exploited?

Immediately change the password of the user account running OpenBullet2. Audit network access logs for SMB connections to external hosts around the time of suspected exploitation. Run credential audit tools to detect any unauthorized privilege use or lateral movement. If the account is domain-joined, consider resetting it in Active Directory and monitoring for relay attacks on other systems.

This analysis is based on published vulnerability data current as of the advisory date. Patch version numbers, timelines, and mitigation guidance should be verified against official vendor sources and security advisories before implementation. Organizations should conduct their own risk assessment based on their environment, asset inventory, and security controls. This document does not constitute professional security advice; consult with security professionals for deployment-specific recommendations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).