New Zero-Click NTLM Credential Leak Exploit Bypasses Microsoft Patch for CVE-2025-24054

Security researchers at Cymulate Research Labs have discovered a critical zero-click NTLM credential leakage vulnerability that successfully bypasses Microsoft’s security patch for CVE-2025-24054, demonstrating that the original fix was incomplete and leaving millions of Windows systems exposed to sophisticated attacks.

The newly identified vulnerability, assigned CVE-2025-50154, allows attackers to extract NTLMv2-SSP hashes without any user interaction, even on fully patched Windows systems.

Unlike the original CVE-2025-24054 that Microsoft addressed in April, this bypass exploit leverages a subtle gap in the mitigation strategy, enabling automatic NTLM authentication requests that can lead to credential theft, privilege escalation, and lateral movement across enterprise networks.

The exploit works by manipulating Windows shortcut files (LNK) and exploiting how the explorer.exe process handles remote binary retrieval.

While Microsoft’s patch prevented shortcuts from rendering icons based on UNC paths, researchers discovered that the fix doesn’t apply to remote binary files that store icon data within their own .rsrc section under RT_ICON and RT_GROUP_ICON headers.

Technical Exploitation Mechanism

The attack begins when a specially crafted LNK file is created with the icon set to the default shell32.dll while pointing the executable value to a distant file path.

When Windows Explorer attempts to display the shortcut, it automatically retrieves the entire remote binary to extract icon information, triggering NTLM authentication in the process.

During testing with Wireshark packet analysis and SMB server monitoring, researchers observed that the complete binary file is transferred without any user clicks.

This zero-click behavior not only exposes NTLM hashes for offline brute-force attacks or NTLM relay attacks but also enables silent payload delivery directly to victim systems.

The vulnerability bypasses traditional rainbow tables and pass-the-hash protections inherent in NTLMv2 by facilitating man-in-the-middle scenarios where stolen hashes can be relayed to other services.

Using tools like sysinternals procmon, researchers confirmed that malicious binaries are successfully created on target systems with full size allocation.

This challenge/response protocol weakness poses significant risks for organizations relying solely on Microsoft’s previous patch for protection against NTLM credential leakage.

The exploit increases attack surfaces for RCE scenarios, particularly when targeting high-privilege accounts that could enable ransomware deployment and comprehensive network compromise.

Cymulate responsibly disclosed their findings to the Microsoft Security Response Center (MSRC), which has officially recognized the vulnerability with CVE-2025-50154.

Microsoft is expected to release a comprehensive security update addressing this defense-in-depth gap.

The discovery underscores the importance of thorough patch validation and continuous security testing, as seemingly minor oversights in vulnerability remediation can leave critical systems exposed to sophisticated precomputed attacks and advanced persistent threats targeting Windows authentication infrastructure.

AWS Security Services: 10-Point Executive Checklist - Download for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!