Cyber Security News

New Windows 0-Click NTLM Credential Leakage Vulnerability Bypasses Microsoft’s Patch

Security researchers have disclosed a critical zero-click NTLM credential leakage vulnerability that circumvents Microsoft’s recent patch for CVE-2025-24054.

The newly identified flaw, assigned CVE-2025-50154, allows attackers to extract NTLM hashes from fully patched Windows systems without any user interaction, demonstrating that Microsoft’s April security update was incomplete.

Key Takeaways
1. CVE-2025-50154 bypasses Microsoft's recent patch, enabling zero-click NTLM credential theft.
2. Steals authentication hashes and silently downloads malicious binaries.
3. New security update in development.

Zero-Click NTLM Hash Leakage Vulnerability

According to Cymulate Research Labs, the vulnerability exploits a subtle gap in Microsoft’s mitigation strategy by leveraging the way Windows Explorer handles desktop shortcuts. 

Unlike the original CVE-2025-24054, which Microsoft patched to prevent shortcuts from rendering icons based on UNC paths, the new attack vector focuses on remote binary files that contain their own icon data within the .rsrc section.

Ruben Enkaoua, the researcher who discovered the vulnerability, demonstrated that when a malicious LNK file is created with the icon set to the default shell32.dll and the executable path pointing to a remote SMB share, Windows Explorer automatically retrieves the entire binary to extract icon information from the RT_ICON and RT_GROUP_ICON headers. 

This process triggers NTLM authentication without user interaction, exposing NTLMv2-SSP hashes that can be captured and subjected to offline brute-force attacks or NTLM relay attacks.

NTLMv2-SSP Hash disclosure

Beyond credential leakage, the vulnerability enables attackers to silently download malicious binaries to target systems without user consent.

Network traffic analysis using Wireshark reveals that the entire remote executable is transferred during the icon extraction process, creating a staging ground for future attacks. 

While these binaries are not immediately executed, their presence on the victim’s system establishes a foothold for subsequent malware deployment, credential theft, or lateral network movement.

Process monitoring tools like Sysinternals ProcMon confirm that files are created with full binary size allocation, indicating complete payload delivery. 

This dual-threat capability makes CVE-2025-50154 particularly dangerous, as it combines immediate credential exposure with stealthy payload staging in a single zero-click operation.
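One defensive check for the behaviour described above is to watch for the outbound SMB session that Explorer's icon fetch opens to a remote share. This is an added example, not code from Cymulate or Microsoft; it assumes Sysmon Event ID 3 records flattened to one line each, and the sample lines, addresses and the internal-range list are constructed.

```python
"""Triage of Sysmon Event ID 3 (network connection) records for the zero-click
SMB fetch described above. Added example; every log line is constructed. The
Windows SMB redirector runs in the kernel, so Sysmon attributes the outbound 445
connection to the "System" image, not explorer.exe: key on port and destination."""
import ipaddress

SMB_PORTS = {445, 139}
# Ranges the organisation treats as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed events in a flattened "Field: value | Field: value" form.
SAMPLE_EVENTS = """\
Image: System | Initiated: true | DestinationIp: 203.0.113.10 | DestinationPort: 445
Image: System | Initiated: true | DestinationIp: 10.20.30.5 | DestinationPort: 445
Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe | Initiated: true | DestinationIp: 203.0.113.10 | DestinationPort: 443
Image: System | Initiated: true | DestinationIp: fe80::1 | DestinationPort: 445
Image: System | Initiated: false | DestinationIp: 198.51.100.7 | DestinationPort: 445
Image: System | Initiated: true | DestinationIp: 198.51.100.7 | DestinationPort: 139
"""

def parse_event(line):
    """Split one flattened event line into a dict keyed by Sysmon field name."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_outbound_smb_leak(ev):
    """Client-initiated SMB session to an external host: the network shape of an
    icon or shortcut fetch that hands an NTLMv2 response to a remote server."""
    return (ev.get("Initiated") == "true"
            and int(ev.get("DestinationPort", 0)) in SMB_PORTS
            and is_external(ev["DestinationIp"]))

def find_alerts(log_text):
    """Return (image, destination, port) for every event matching the pattern."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if is_outbound_smb_leak(ev):
                alerts.append((ev["Image"], ev["DestinationIp"], int(ev["DestinationPort"])))
    return alerts
```

Blocking outbound 445/139 at the host firewall removes the path entirely; this check is for finding hosts where that control is absent or has been bypassed.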

Whole binary is transferred without any clicks

Microsoft Response

Following responsible disclosure to the Microsoft Security Response Center (MSRC), the vulnerability has been officially recognized and assigned its own CVE identifier. 

Microsoft is expected to release a comprehensive security update to address the bypass technique completely.

The discovery underscores the complexity of modern authentication protocols and the challenges in implementing effective security mitigations. 

NTLM relay attacks targeting high-privilege accounts can lead to privilege escalation, lateral movement, and remote code execution across enterprise networks. 

Organizations relying solely on Microsoft’s previous patch for protection remain vulnerable to this sophisticated bypass technique.

This incident highlights the critical importance of defense-in-depth strategies and continuous security validation, even for vulnerabilities that vendors consider fully resolved.


Florence Nightingale

Florence Nightingale is a senior security and privacy reporter, covering data breaches, cybercrime, malware, and data leaks from cyber space daily.
