Windows File Explorer NTLM Credential Leak via Remote LNK Target Icon Extraction
CVE-2025-50154 is a Windows File Explorer information disclosure (spoofing-class) vulnerability that bypasses Microsoft’s earlier fix for CVE-2025-24054. As reported, the issue arises when Windows Explorer processes a specially crafted shortcut (LNK) whose displayed icon is not referenced directly through a remote UNC icon path, but instead is embedded as an icon resource inside a remote executable hosted on a UNC path. The shortcut uses a benign local icon setting while its target points to the remote binary. During normal rendering, explorer.exe automatically retrieves the remote executable in order to extract RT_ICON / RT_GROUP_ICON resources from the binary’s .rsrc section. That network retrieval triggers outbound NTLM authentication to the attacker-controlled SMB server without user interaction, leaking NTLMv2 material. The reports further state that the remote file may be silently transferred to disk during this process even though it is not executed immediately. Microsoft assigned CVE-2025-50154 after researchers reported that the original patch focused on blocking UNC-based icon rendering but did not prevent Explorer from fetching a remote binary to obtain embedded icon resources.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository provides a Cobalt Strike Aggressor script (lnk_weaponizer.cna) and a standalone PowerShell script (standalone_lnk_weaponizer.ps1) for generating weaponized Windows LNK and Library-MS files. The primary purpose is to capture NTLMv2-SSP hashes from Windows systems by tricking users into opening these files, which point to attacker-controlled SMB shares. The Aggressor script integrates with Cobalt Strike, offering both GUI and command-line interfaces for file generation, including a right-click menu for beacons. The Library-MS technique implements a bypass for CVE-2025-24054, allowing for additional evasion of security controls. The PowerShell script supports both single-target and batch operations via CSV. The repository includes documentation (README.md, INSTALL.md), usage scenarios, and sample target files. The exploit is operational, providing real-world red team capabilities for credential capture and lateral movement in Windows environments.
This repository provides a proof-of-concept exploit for CVE-2025-50154, a Windows File Explorer zero-click NTLMv2-SSP hash disclosure vulnerability. The exploit consists of a PowerShell script (poc.ps1) that generates a malicious .LNK shortcut file. The shortcut's target path points to a remote SMB share hosting a binary file, while the icon is set to the default Windows shell32.dll. When a victim's Windows Explorer renders the shortcut, it attempts to fetch the icon from the remote file, causing the victim's NTLMv2-SSP hash to be sent to the attacker's SMB server. The repository includes a README with detailed usage instructions and a LICENSE file. The main exploit capability is to trigger NTLM hash disclosure over the network without user interaction, leveraging Windows Explorer's icon rendering behavior.
Recent activity
38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-click NTLM credential (NTLMv2 hash) leakage issue in Windows Explorer shortcut/icon handling that bypasses Microsoft’s prior fix for CVE-2025-24054. By crafting an LNK that points TargetPath to a remote UNC-hosted binary while using a local icon location, Explorer fetches the remote file to extract embedded icon resources, triggering automatic NTLM authentication to the attacker-controlled SMB server and leaking NTLM hashes; it can also stage a remote binary on disk without user interaction.
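The two shortcut shapes contrasted in the description above (a direct UNC icon path, the earlier CVE-2025-24054 pattern, versus a local icon with a remote binary as the target, the CVE-2025-50154 pattern) can be told apart by parsing the shortcut itself. The following is an added defender-side example, not code from this page or from the repositories it lists: it reads the target path and icon location out of a .lnk following the MS-SHLLINK layout and labels the shortcut accordingly. `build_lnk` is a constructed minimal fixture with placeholder share names so the scanner runs offline; it produces only the network-link form of LinkInfo.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLinkHeader CLSID
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Args, IconLocation

def _cstr(buf, off):   # NUL-terminated ANSI string at offset
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Return (target_path, icon_location) from raw .lnk bytes; either may be None."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, target, strings = 0x4C, None, {}
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList (u16 size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol, lbp, cnrl, suffix = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + size]
        if li_flags & 0x02:                     # CommonNetworkRelativeLink: UNC share + path suffix
            net_off = struct.unpack_from("<I", li, cnrl + 8)[0]
            target = _cstr(li, cnrl + net_off) + "\\" + _cstr(li, suffix)
        elif li_flags & 0x01:                   # VolumeID + LocalBasePath: local drive path
            target = _cstr(li, lbp) + _cstr(li, suffix)
        pos += size
    for flag in STRING_FLAGS:                   # StringData: u16 char count, no terminator
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("latin-1", 1)
            strings[flag] = data[pos + 2:pos + 2 + width * n].decode(enc)
            pos += 2 + width * n
    return target, strings.get(HAS_ICON)

def classify(data):
    """Label a shortcut by the network fetch Explorer's icon rendering would trigger."""
    target, icon = parse_lnk(data)
    if icon and icon.startswith("\\\\"):
        return "remote-icon"                    # UNC icon path: the CVE-2025-24054 pattern
    if target and target.startswith("\\\\"):    # local icon, remote target: the CVE-2025-50154 pattern
        return "remote-binary-target" if target.lower().endswith((".exe", ".dll")) else "remote-target"
    return "ok"

def build_lnk(unc_share, suffix, icon):
    """Constructed test fixture: minimal LNK with a network LinkInfo and an IconLocation string."""
    net = unc_share.encode() + b"\x00"
    cnrl = struct.pack("<5I", 0x14 + len(net), 0x02, 0x14, 0, 0x20000) + net   # WNNC_NET_LANMAN
    body = cnrl + suffix.encode() + b"\x00"
    info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x02, 0, 0, 0x1C, 0x1C + len(cnrl)) + body
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINKINFO | HAS_ICON | IS_UNICODE).ljust(0x4C, b"\x00")
    return header + info + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `classify(open(path, "rb").read())` over shortcuts arriving by mail or on shares; anything other than "ok" warrants a look before a user browses the folder containing it.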
Referenced as an earlier vulnerability that CVE-2025-59214 bypasses; part of a chain of bypasses related to NTLM credential leakage protections.
A bypass of Microsoft’s prior fix for an NTLM credential leakage issue, indicating the earlier patch left a gap that still allowed NTLM hash leakage under certain conditions.