Security researchers at Cymulate Research Labs have discovered a critical zero-click NTLM credential leakage vulnerability that successfully bypasses Microsoft’s security patch for CVE-2025-24054, demonstrating that the original fix was incomplete and leaving millions of Windows systems exposed to sophisticated attacks.
The newly identified vulnerability, assigned CVE-2025-50154, allows attackers to extract NTLMv2-SSP hashes without any user interaction, even on fully patched Windows systems.
Unlike the original CVE-2025-24054 that Microsoft addressed in April, this bypass exploit leverages a subtle gap in the mitigation strategy, enabling automatic NTLM authentication requests that can lead to credential theft, privilege escalation, and lateral movement across enterprise networks.
The exploit works by manipulating Windows shortcut files (LNK) and exploiting how the explorer.exe process handles remote binary retrieval.
While Microsoft’s patch prevented shortcuts from rendering icons based on UNC paths, researchers discovered that the fix doesn’t apply to remote binary files that store icon data within their own .rsrc section under RT_ICON and RT_GROUP_ICON headers.
Technical Exploitation Mechanism
The attack begins when a specially crafted LNK file is created with the icon set to the default shell32.dll while pointing the executable value to a distant file path.
When Windows Explorer attempts to display the shortcut, it automatically retrieves the entire remote binary to extract icon information, triggering NTLM authentication in the process.
During testing with Wireshark packet analysis and SMB server monitoring, researchers observed that the complete binary file is transferred without any user clicks.
This zero-click behavior not only exposes NTLM hashes for offline brute-force attacks or NTLM relay attacks but also enables silent payload delivery directly to victim systems.
The vulnerability bypasses traditional rainbow tables and pass-the-hash protections inherent in NTLMv2 by facilitating man-in-the-middle scenarios where stolen hashes can be relayed to other services.
Using tools like sysinternals procmon, researchers confirmed that malicious binaries are successfully created on target systems with full size allocation.
This challenge/response protocol weakness poses significant risks for organizations relying solely on Microsoft’s previous patch for protection against NTLM credential leakage.
The exploit increases attack surfaces for RCE scenarios, particularly when targeting high-privilege accounts that could enable ransomware deployment and comprehensive network compromise.
Cymulate responsibly disclosed their findings to the Microsoft Security Response Center (MSRC), which has officially recognized the vulnerability with CVE-2025-50154.
Microsoft is expected to release a comprehensive security update addressing this defense-in-depth gap.
The discovery underscores the importance of thorough patch validation and continuous security testing, as seemingly minor oversights in vulnerability remediation can leave critical systems exposed to sophisticated precomputed attacks and advanced persistent threats targeting Windows authentication infrastructure.
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
