Incomplete Fix for CVE-2025-24054 Exploited in New NTLM Leak Technique

Cymulate Research Labs identified a zero-click NTLM credential leakage flaw (CVE-2025-50154) that bypasses Microsoft’s previous fix for CVE-2025-24054. The vulnerability enables NTLM hash extraction without user interaction on fully patched systems by exploiting a loophole in Microsoft’s April security update. This allows attackers to perform offline cracking or NTLM relay attacks, potentially leading to privilege escalation, lateral movement, and remote code execution. The bypass also allows silent download of remote binaries via malicious shortcuts, creating a foothold for future attacks.

Severity Level: High

Vulnerability Details

  • CVE ID: CVE-2025-50154
  • CVSS Score: 7.5
  • Type: Zero-click authentication bypass and patch evasion
  • Privileges Required: None (zero-click)
  • User Interaction: None required
  • Authentication: None required
  • The flaw occurs when Windows Explorer retrieves icons for desktop shortcuts. Microsoft's April patch blocked icon retrieval from UNC paths, but it did not block icons embedded in remote executable files. By pointing a .lnk file's TargetPath at a remote binary while keeping the IconLocation local, an attacker causes Windows Explorer to fetch the entire binary from a remote SMB share, initiating NTLM authentication in the process.
  • Affected Products: Windows 10 and Windows Server 2008 through 2022

Exploitation of the Vulnerability

  1. Attacker Setup:
    • Host a malicious executable (execute.exe) on an SMB server.
    • Configure the executable to contain an icon in its .rsrc section.
  2. LNK File Creation:
    • Set .lnk file TargetPath to the SMB-hosted binary.
    • Use a safe local IconLocation (e.g., C:\Windows\System32\SHELL32.dll).
  3. Delivery: Place the .lnk file in a location accessible to the target (email attachment, network share, USB, etc.).
  4. Trigger: When the user’s Explorer window displays the .lnk, Windows automatically connects to the SMB share to fetch the binary’s icon, initiating NTLM authentication.
  5. Impact:
    • NTLMv2 hash captured over SMB.
    • Binary silently downloaded to victim’s system for later execution.

Recommendations

  1. Organizations running affected versions must deploy Microsoft’s August Patch Tuesday updates.
  2. Disable NTLM authentication where possible; enforce Kerberos.
  3. Restrict access to SMB shares from untrusted networks.
  4. Monitor for outbound SMB (TCP 445) connections from endpoints to external or untrusted IP addresses, especially those initiated by explorer.exe.
  5. Detect the creation or modification of .lnk files whose TargetPath points to a UNC path or remote executable.
  6. Alert when explorer.exe initiates file downloads from remote SMB shares without corresponding user interaction.
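Recommendation 5 can be implemented by inspecting the Shell Link (.lnk) binary format directly rather than trusting file extensions or Explorer's own resolution. The following is an added example, not code from the advisory or from Cymulate: it parses the LinkInfo structure of a .lnk file, recovers the recorded target path (local or UNC), and flags shortcuts whose target is a remote path or a remote executable. The sample shortcut it builds uses a placeholder host and share name constructed for the demo.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02            # ShellLinkHeader.LinkFlags bits
LI_LOCAL, LI_NETWORK = 0x01, 0x02                              # LinkInfo.LinkInfoFlags bits
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif")

def build_network_lnk(netname: str, suffix: str) -> bytes:
    """Constructed sample: minimal .lnk whose LinkInfo resolves to netname\\suffix (no IDList/StringData)."""
    net = netname.encode() + b"\x00"
    # CommonNetworkRelativeLink: Size, Flags, NetNameOffset, DeviceNameOffset, NetworkProviderType (LanMan)
    cnrl = struct.pack("<5I", 0x14 + len(net), 0, 0x14, 0, 0x00020000) + net
    suffix_b = suffix.encode() + b"\x00"
    li_hdr = 0x1C                                  # LinkInfoHeaderSize without optional Unicode offsets
    suffix_off = li_hdr + len(cnrl)
    # LinkInfo: Size, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset, CNRLOffset, CommonPathSuffixOffset
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), li_hdr, LI_NETWORK, 0, 0, li_hdr, suffix_off)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO).ljust(LNK_HEADER_SIZE, b"\x00")
    return header + link_info + cnrl + suffix_b

def _cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def link_target(lnk: bytes):
    """Return the target path recorded in LinkInfo (local or UNC), or None if the shortcut has none."""
    if lnk[:4] != struct.pack("<I", LNK_HEADER_SIZE) or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip LinkTargetIDList: IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", lnk, pos)
    if li_flags & LI_NETWORK:                      # UNC target: NetName lives inside the CNRL structure
        cnrl = pos + cnrl_off
        base = _cstr(lnk, cnrl + struct.unpack_from("<I", lnk, cnrl + 8)[0])
    elif li_flags & LI_LOCAL:
        base = _cstr(lnk, pos + local_off)
    else:
        return None
    suffix = _cstr(lnk, pos + suffix_off)
    return base.rstrip("\\") + "\\" + suffix if suffix else base

def classify(lnk: bytes) -> dict:
    """Flag a shortcut whose recorded target is a UNC path, and whether that target names an executable."""
    target = link_target(lnk)
    remote = bool(target) and target.startswith("\\\\")
    return {"target": target, "remote": remote, "remote_executable": remote and target.lower().endswith(EXEC_EXT)}

SAMPLE_LNK = build_network_lnk(r"\\attacker-host\share", "execute.exe")  # constructed placeholder, not a real IoC
```

A production check should also decode the LinkTargetIDList, which can carry the target when LinkInfo is absent, and should be paired with the outbound TCP 445 monitoring from recommendation 4, since the shortcut only needs to be rendered, not clicked, to trigger the SMB connection.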

Source:

  • https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154

Ampcus Cyber