Incomplete Windows Patch Exposes NTLM Credentials Again: CVE-2025-50154 Threat Analysis

Overview

Cymulate Research Labs has disclosed CVE-2025-50154, a zero-click NTLM credential leak affecting fully patched Windows 10 and Windows Server 2008–2022.

This flaw bypasses Microsoft's fix for CVE-2025-24054 and enables attackers to steal credentials and deliver malware without user interaction.

The vulnerability stems from a loophole left in Microsoft's April 2025 patch, allowing exploitation even on systems considered secure. Attackers can harvest NTLMv2 hashes for credential cracking or relay attacks, escalate privileges, and move laterally through networks.

---

Vulnerability Summary

Field	Value
CVE ID	CVE-2025-50154
CVSS Score	7.5 (High)
Type	Zero-click authentication bypass, patch evasion
Privileges	None
User Interaction	None
Authentication	None
Products Affected	Windows 10, Windows Server 2008–2022

---

Technical Details

Background

In April 2025, Microsoft patched CVE-2025-24054, which blocked UNC path-based malicious icons in .lnk files. Cymulate found that this could be bypassed by embedding icons inside remote executable files.

Exploit Chain

1. Attacker hosts crafted executable (execute.exe) on a malicious SMB server.
2. Creates .lnk file with:
   • TargetPath: SMB-hosted binary
   • Icon location: Local safe file (e.g., C:\Windows\System32\SHELL32.dll)
3. Distributes shortcut via email, USB, network share, or drive-by download.
4. When Explorer renders the shortcut, it fetches the remote binary to extract the icon.
5. This triggers NTLM authentication, leaking NTLMv2 hash to the attacker.

Impact

• Stolen hashes enable offline cracking, relay attacks, and malware delivery.
• Triggered just by viewing the shortcut—no clicks required.

---

Security Risks

• Credential Theft: NTLMv2 hashes cracked offline or relayed to gain access.
• Privilege Escalation & Lateral Movement: Domain compromise possible.
• Malware Delivery: Remote binaries fetched automatically.
• Phishing Bypass: Zero-click nature evades many security controls.

---

Exploitation Workflow

1. Host exploit on SMB server.
2. Craft .lnk pointing to the SMB binary.
3. Deliver shortcut to victim.
4. Victim views shortcut; Explorer triggers NTLM leak.
5. Attacker captures hashes → offline cracking, relay attacks, or malware execution.

---

Mitigation Recommendations

• Apply Microsoft's August 2025 Patch Tuesday updates immediately.
• Disable NTLM authentication where possible; use Kerberos instead.
• Restrict SMB traffic from endpoints to untrusted networks.
• Monitor outbound SMB connections from explorer.exe.
• Detect suspicious .lnk files referencing UNC paths or remote executables.
• Alert on explorer.exe downloads without user interaction.

---

Final Note

In an era of automated threats, never rely solely on a single patch. Validate mitigations, monitor network flows, and apply critical updates promptly—the credential you save might prevent your company's next ransomware breach.