CVE-2025-50154
Published Aug 12, 2025
Last updated a month ago
AI description
CVE-2025-50154 is a vulnerability that bypasses a previous Microsoft security patch (CVE-2025-24054) and allows for the extraction of NTLM hashes without user interaction, even on fully patched systems. This is achieved by exploiting a gap in the original mitigation, enabling automatic NTLM authentication requests. The vulnerability involves manipulating Windows shortcut files (LNK) and how the explorer.exe process handles remote binary retrieval. Specifically, the bypass works because the initial patch didn't fully address how icons are rendered for remote binary files. Even though the patch prevented shortcuts from rendering icons based on UNC paths, it didn't account for remote binaries that store their own icon data. When Windows Explorer attempts to display a specially crafted shortcut, it retrieves the entire remote binary to extract the icon, triggering NTLM authentication in the process, without requiring any user clicks.
- Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: windows_10_1507, windows_10_1607, windows_10_1809, windows_10_21h2, windows_10_22h2, windows_11_22h2, windows_11_23h2, windows_11_24h2, windows_server_2008, windows_server_2012, windows_server_2016, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025
CVSS 3.1
- Type: Secondary
- Base score: 6.5
- Impact score: 3.6
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Severity: MEDIUM
- secure@microsoft.com
- CWE-200
- Hype score
- Not currently trending
The following vulnerabilities have been added to our feed:
- CVE-2025-33053: Microsoft Windows Internet Shortcut Files RCE
- CVE-2025-25257: Fortinet FortiWeb RCE
- CVE-2025-50154: Microsoft Windows File Explorer NTLM Leak
https://t.co/av7UZS4l6H
@crowdfense
16 Oct 2025
2191 Impressions
3 Retweets
23 Likes
7 Bookmarks
0 Replies
0 Quotes
CVE-2025-50154 Microsoft Windows File Explorer Spoofing Vulnerability https://t.co/wnzgsR0oHx #SecQube #cybersecurity
@SecQube
18 Sept 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
POC for CVE-2025-50154, a zero-day vulnerability in Windows File Explorer disclosing NTLMv2-SSP without user interaction. It is a bypass for the CVE-2025-24054 Security Patch
@Jeyso215
8 Sept 2025
120 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Beware the Cursed Shortcut (CVE-2025-50154) — a zero-click vulnerability in File Explorer that steals NTLM hashes at a mere glance. Patch now or risk letting the killer rabbit slip through your gates. https://t.co/mjtJ0M6O8M
@vicariusltd
20 Aug 2025
35 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) By: Ruben Enkaoua https://t.co/J3yxOUiPGu https://t.co/mnqz39hviv
@7h3h4ckv157
19 Aug 2025
3681 Impressions
18 Retweets
84 Likes
35 Bookmarks
1 Reply
0 Quotes
Zero Click, One NTLM: Microsoft Security Patch Bypass A newly discovered zero-click vulnerability, CVE-2025-50154, bypasses a Microsoft patch, allo
@0x534c
13 Aug 2025
28869 Impressions
66 Retweets
252 Likes
206 Bookmarks
1 Reply
1 Quote
Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) https://t.co/SfjlNVimhm https://t.co/OhJRkFiVeh
@5mukx
13 Aug 2025
11140 Impressions
54 Retweets
267 Likes
128 Bookmarks
3 Replies
0 Quotes
CVE-2025-50154: Zero Click, One NTLM: Patch Bypass - https://t.co/gX2CwP09XP
@piedpiper1616
13 Aug 2025
1150 Impressions
5 Retweets
21 Likes
9 Bookmarks
1 Reply
0 Quotes
Find the POC for my new finding, CVE-2025-50154, a zero-day vulnerability in Windows File Explorer disclosing NTLMv2-SSP without user interaction. It is a bypass for the CVE-2025-24054 Security Patch. https://t.co/JKA8zuyYnl
@RubenLabs
13 Aug 2025
1822 Impressions
17 Retweets
24 Likes
6 Bookmarks
1 Reply
0 Quotes
Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) https://t.co/whuakYDRVC
@netbiosX
12 Aug 2025
3596 Impressions
16 Retweets
71 Likes
37 Bookmarks
1 Reply
0 Quotes
You didn’t click, but your password challenge is leaked. I’m excited to share my latest research: CVE-2025-50154, a high severity NTLM hash disclosure vulnerability in the explorer.exe process, exploitable without any user interaction. https://t.co/ssA9YdBE6J
@RubenLabs
12 Aug 2025
4665 Impressions
19 Retweets
55 Likes
38 Bookmarks
0 Replies
4 Quotes
Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) https://t.co/3jH4C9Tz17 https://t.co/d0lmBk0L2O
@secharvesterx
12 Aug 2025
69 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154) https://t.co/W5xWsbvEck
@_r_netsec
12 Aug 2025
1437 Impressions
2 Retweets
7 Likes
6 Bookmarks
0 Replies
0 Quotes
CVE-2025-50154 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. https://t.co/IIDkpy4gJL
@CVEnew
12 Aug 2025
231 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "29F441C0-F0F8-463F-B141-6A33EBA06B1D",
"versionEndExcluding": "10.0.10240.21100"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*",
"vulnerable": true,
"matchCriteriaId": "5C7C5886-496D-4CBA-956A-A097AC7535D4",
"versionEndExcluding": "10.0.10240.21100"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "4E2D87DA-8EFF-4BB0-B025-A13C3F523BD1",
"versionEndExcluding": "10.0.14393.8330"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
"vulnerable": true,
"matchCriteriaId": "C28DF998-E700-4675-9737-40A53288F54C",
"versionEndExcluding": "10.0.14393.8330"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "3A513AB8-ED03-4BCF-8077-09A117254263",
"versionEndExcluding": "10.0.17763.7678"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
"vulnerable": true,
"matchCriteriaId": "47A8837D-AB4B-465B-8D1C-B89B4EDDBDD4",
"versionEndExcluding": "10.0.17763.7678"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "77A19D12-C137-4E01-AF99-E1E7BBC9F0C3",
"versionEndExcluding": "10.0.19044.6216"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "44D27317-F93F-418E-8EC6-9BD1256677C9",
"versionEndExcluding": "10.0.19045.6216"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B07546D0-ED2A-4B93-83E7-EA808DC39724",
"versionEndExcluding": "10.0.22621.5768"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "49E4DFC9-7EB4-4577-83C0-D1E94C2A8D97",
"versionEndExcluding": "10.0.22631.5768"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6376F067-CC36-4A7B-914B-0A60EFF1AC48",
"versionEndExcluding": "10.0.26100.4851"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "2127D10C-B6F3-4C1D-B9AA-5D78513CC996"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*",
"vulnerable": true,
"matchCriteriaId": "AB425562-C0A0-452E-AABE-F70522F15E1A"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "AF07A81D-12E5-4B1D-BFF9-C8D08C32FF4F"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CD31CC61-6C1C-4232-87D7-E5B4FEBB1276",
"versionEndExcluding": "10.0.14393.8330"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D224ABEA-CCE3-4D7D-86B5-5BEDBF83303B",
"versionEndExcluding": "10.0.17763.7678"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F752199D-6C01-4D8E-BD6C-3031E5CAED20",
"versionEndExcluding": "10.0.20348.3989"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "94E45649-92F4-4D4C-9D94-275506530222",
"versionEndExcluding": "10.0.25398.1791"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B75BE97E-C12D-4DFB-B5F2-B8BF90C3E64E",
"versionEndExcluding": "10.0.26100.4851"
}
],
"operator": "OR"
}
]
}
]