New Zero-Click NTLM Credential Leak Exploit Bypasses Microsoft Patch for CVE-2025-24054

Security researchers at Cymulate Research Labs have identified a zero-click NTLM credential leakage vulnerability that bypasses Microsoft's security patch for CVE-2025-24054, showing that the original fix was incomplete and leaving patched Windows systems exposed.

The newly identified vulnerability, assigned CVE-2025-50154, lets attackers capture NTLMv2-SSP authentication responses (Net-NTLMv2 hashes) without any user interaction, even on fully patched Windows systems.

Unlike the original CVE-2025-24054, which Microsoft addressed in March 2025, this bypass leverages a gap in the mitigation, triggering automatic NTLM authentication requests that can lead to credential theft, privilege escalation, and lateral movement across enterprise networks.

The exploit works by crafting Windows shortcut files (LNK) and abusing how the explorer.exe process retrieves a remote binary when rendering the shortcut's icon.

While Microsoft's patch stopped shortcuts from rendering icons specified as UNC paths, the researchers found that the fix does not cover the case where the icon comes from a remote binary that stores its icon data in its own .rsrc section under the RT_ICON and RT_GROUP_ICON resource types.

Technical Exploitation Mechanism

The attack begins with a specially crafted LNK file whose icon location is left at the default shell32.dll reference, while its target path points to an executable on a remote (UNC) path.

When Windows Explorer attempts to display the shortcut, it fetches the entire remote binary to extract the icon from it, and the SMB connection to the attacker-controlled host triggers NTLM authentication in the process.
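The shortcut described above can be triaged statically. The following Python parser is an added example (not Cymulate's code or any tool named in this article): it reads the MS-SHLLINK header, LinkInfo and StringData fields directly from the file bytes, so nothing asks Explorer or the shell link handler to resolve the target, and it flags any target or icon path that points at a UNC share. The shortcut it builds is constructed test data using the 203.0.113.5 documentation address; the share, file and icon names are placeholders.

```python
"""Static triage of Windows shortcut (.lnk) files per MS-SHLLINK.

Added example: parses the shell link header, LinkInfo and StringData directly
from the bytes, so nothing here asks Explorer or the shell link handler to
resolve the target (the code path the article describes fetching the binary).
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return target paths and StringData fields of a .lnk; ValueError if not a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"local_path": None, "unc_path": None, "strings": {}}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        size, _hdr, li_flags, _vol, lbp_off, cnrl_off, sfx_off = struct.unpack_from("<7I", data, li)
        suffix = _cstr(data, li + sfx_off) if sfx_off else ""
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath
            info["local_path"] = _cstr(data, li + lbp_off) + suffix
        if li_flags & 0x2:                          # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = li + cnrl_off
            net_off = struct.unpack_from("<I", data, cnrl + 8)[0]   # NetNameOffset
            share = _cstr(data, cnrl + net_off)
            info["unc_path"] = share.rstrip("\\") + ("\\" + suffix if suffix else "")
        pos = li + size
    for flag, name in STRING_FIELDS:                # StringData, in specification order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info["strings"][name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info["strings"][name] = data[pos:pos + count].decode("latin-1")
                pos += count
    return info


def remote_references(info):
    """Every parsed path that leaves the host (UNC \\\\server\\share...), target or icon alike."""
    paths = [info["unc_path"], info["local_path"], *info["strings"].values()]
    return [p for p in paths if p and p.startswith("\\\\")]


def triage(data):
    info = parse_lnk(data)
    remote = remote_references(info)
    return {"icon": info["strings"].get("icon_location"), "remote": remote, "suspicious": bool(remote)}


def build_lnk(share, filename, icon_location):
    """Constructed test shortcut (not a captured sample): target on a UNC share, explicit icon.
    Layout: ShellLinkHeader, LinkInfo with CommonNetworkRelativeLink, ICON_LOCATION string."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    net, sfx = share.encode("latin-1") + b"\x00", filename.encode("latin-1") + b"\x00"
    # CNRL: size, flags (ValidNetType), NetNameOffset, DeviceNameOffset, WNNC_NET_LANMAN
    cnrl = struct.pack("<5I", 20 + len(net), 0x2, 0x14, 0, 0x00020000) + net
    link_info = struct.pack("<7I", 28 + len(cnrl) + len(sfx), 0x1C, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + sfx
    icon = icon_location.encode("utf-16-le")
    return header + link_info + struct.pack("<H", len(icon_location)) + icon


# Constructed sample mirroring the described shortcut: default-looking icon, remote target.
SAMPLE = build_lnk("\\\\203.0.113.5\\share", "payload.exe", "%SystemRoot%\\System32\\shell32.dll")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The sample is flagged because of its UNC target even though the icon field looks like the benign shell32.dll default, which is the combination the article describes. Treat a clean result as "no UNC path in the fields parsed", not as "safe": real shortcuts can also carry the target in the LinkTargetIDList and in EnvironmentVariable or IconEnvironment ExtraData blocks, which this minimal parser does not decode.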

During testing with Wireshark packet captures and monitoring on the attacker-side SMB server, the researchers observed the complete binary being transferred without any user click.

This zero-click behavior not only exposes Net-NTLMv2 responses to offline cracking or NTLM relay attacks but also delivers a payload silently to the victim system, since the retrieved binary is written to disk.

A captured NTLMv2 response is a challenge/response value rather than the stored NT hash, so on its own it resists rainbow tables and cannot be reused directly for pass-the-hash. The attack sidesteps those built-in protections by enabling man-in-the-middle scenarios: the authentication is relayed in real time to another service that does not enforce SMB signing or Extended Protection for Authentication, or the response is cracked offline against a wordlist.

Using Sysinternals Process Monitor, the researchers confirmed that the retrieved binary is created on the target system at its full size.

This challenge/response protocol weakness poses a significant risk for organizations relying solely on Microsoft's previous patch for protection against NTLM credential leakage. The usual compensating controls still apply: block outbound SMB (TCP 445) to the internet at the perimeter and on endpoints, and use the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to audit or deny outgoing NTLM where it is not needed.

Because the fetched binary already lands on disk, the exploit widens the attack surface for remote code execution, particularly when high-privilege accounts are targeted, where relayed credentials could enable ransomware deployment and broader network compromise.

Cymulate responsibly disclosed its findings to the Microsoft Security Response Center (MSRC), which has recognized the vulnerability as CVE-2025-50154.

Microsoft is expected to release a security update addressing this defense-in-depth gap.

The discovery underscores the importance of validating patches against the original attack technique and testing continuously, as a narrow fix for one trigger can leave the underlying credential-capture and relay path open to attackers targeting Windows authentication infrastructure.
