A newly disclosed vulnerability, tracked as CVE-2025-50154, exposes a critical flaw in Windows systems that bypasses Microsoft’s recent patch for CVE-2025-24054. The zero-click vulnerability enables attackers to steal NTLM authentication hashes from fully patched systems without any user interaction, proving that Microsoft’s April 2025 security update was incomplete. The flaw not only undermines Microsoft’s mitigation strategy but also introduces a dual threat: immediate credential theft and stealthy payload staging.

The vulnerability, discovered by a researcher, exploits the way Windows Explorer processes desktop shortcut (LNK) files. While Microsoft’s original patch blocked UNC path-based icon rendering, attackers can now embed malicious paths to remote binaries containing icon data within the .rsrc section. When Explorer attempts to extract the icons (RT_ICON and RT_GROUP_ICON), it triggers automatic SMB requests, forcing the victim machine to leak NTLMv2-SSP hashes to the attacker’s server. These hashes can later be cracked offline or abused in NTLM relay attacks, opening doors to lateral movement and privilege escalation.

More dangerously, this process causes entire remote binaries to be downloaded silently to the victim’s system during icon extraction. Although these executables are not executed immediately, forensic evidence from ProcMon shows that files are written in full size, effectively delivering a complete payload without user interaction. This creates a staging ground for malware deployment, persistence mechanisms, or future exploitation. Network captures via Wireshark confirm that Windows Explorer retrieves the entire executable during the process, turning a seemingly harmless shortcut file into a vehicle for both credential leakage and covert payload delivery.

Following disclosure, Microsoft acknowledged the flaw and assigned a dedicated CVE identifier, with a comprehensive fix currently in development. Until then, enterprise environments remain vulnerable to zero-click NTLM theft and silent binary infiltration, especially when high-privilege accounts are targeted. This discovery highlights the evolving complexity of authentication-based exploits, the limitations of single-layer patches, and the urgent need for defense-in-depth strategies. Organizations are advised to enforce network segmentation, limit NTLM use, monitor SMB traffic, and adopt continuous security validation to mitigate the risk from such sophisticated bypass techniques.