NEWS Do you use Windows? Your passwords can be stolen without a single click

ExcalibuR


Microsoft fixed the hash leak through icons — and reopened it through executable files


Researchers from Cymulate Research Labs have reported a new vulnerability in Windows that allows attackers to bypass Microsoft’s recent patch and once again cause NTLM hash leaks without any user interaction. The issue has been assigned CVE-2025-50154 and effectively nullifies the protection released in the spring to address a previous vulnerability (CVE-2025-24054).


NTLM (New Technology LAN Manager) is a family of Microsoft authentication protocols used to verify credentials and secure network connections. Even though NTLMv2 offers protection against outdated methods such as “rainbow tables,” intercepted hashes can still be abused: attackers may attempt offline cracking or carry out so-called relay attacks, where the stolen hash is forwarded to another service to impersonate the victim. If the targeted account has elevated privileges, the attacker can quickly gain full control over the network.


The earlier vulnerability allowed specially crafted shortcuts to force the system into automatically sending an NTLM hash when fetching a remote icon file. Microsoft released an update that blocked this scenario. However, new tests showed that the patch was incomplete: if a shortcut points to a remote executable file while the icon is loaded from a standard Windows library, the system still automatically retrieves the binary — and in the process, leaks the NTLM hash. Importantly, all this happens without any clicks or user actions — it is enough for Explorer to attempt to render the icon.


Although the downloaded file is not executed immediately, its mere presence on the computer creates a foothold for future attacks. Such a binary may remain unnoticed by antivirus software and other defenses for a long time, and later be used to steal data, install malware, or spread across the network.


In essence, researchers demonstrated that Microsoft’s “fix” only addressed part of the problem. The new bug once again opens the door to credential leaks and the placement of potentially dangerous files on devices. Microsoft has acknowledged the vulnerability and is preparing an update expected to resolve it once and for all.


Experts note that this case clearly illustrates why, even after official patches are released, independent testing and multi-layered protection remain critical. Simply installing updates is sometimes not enough to fully eliminate risks.
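As an added example (not part of the original post or of Cymulate's research), here is one detection for the behaviour described above: Explorer itself opening a file-sharing connection to a host outside the organisation. It runs over constructed Sysmon Event ID 3 (network connection) records and assumes the remote binary is fetched over SMB (ports 445/139); the approved ranges are placeholders.

```python
import ipaddress
from ntpath import basename  # parses Windows paths on any OS

# Assumption: placeholder ranges holding the organisation's own file servers.
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # assumption: the remote binary is fetched over SMB

# Constructed Sysmon Event ID 3 messages, trimmed to the fields used here.
SAMPLE_EVENTS = [
    "UtcTime: 2025-01-01 09:14:02.118\nImage: C:\\Windows\\explorer.exe\n"
    "Initiated: true\nDestinationIp: 10.20.30.40\nDestinationPort: 445",
    "UtcTime: 2025-01-01 09:15:40.502\nImage: C:\\Windows\\explorer.exe\n"
    "Initiated: true\nDestinationIp: 203.0.113.77\nDestinationPort: 445",
    "UtcTime: 2025-01-01 09:15:41.010\nImage: C:\\Program Files\\App\\app.exe\n"
    "Initiated: true\nDestinationIp: 203.0.113.77\nDestinationPort: 443",
    "UtcTime: 2025-01-01 09:16:03.777\nImage: C:\\WINDOWS\\Explorer.EXE\n"
    "Initiated: true\nDestinationIp: 198.51.100.9\nDestinationPort: 139",
]

def parse_event(text):
    """Turn the 'Key: value' lines of one event message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_suspicious(fields):
    """True when explorer.exe initiates SMB to a host outside APPROVED_NETS."""
    if basename(fields.get("Image", "")).lower() != "explorer.exe":
        return False
    if fields.get("Initiated", "").lower() != "true":
        return False
    try:
        port = int(fields.get("DestinationPort", ""))
        dest = ipaddress.ip_address(fields.get("DestinationIp", ""))
    except ValueError:  # malformed or missing field: nothing to judge
        return False
    return port in SMB_PORTS and not any(dest in net for net in APPROVED_NETS)

def find_leaks(events):
    """Return (UtcTime, DestinationIp) for every suspicious event."""
    parsed = [parse_event(text) for text in events]
    return [(f.get("UtcTime", "?"), f["DestinationIp"]) for f in parsed if is_suspicious(f)]

if __name__ == "__main__":
    for when, dest in find_leaks(SAMPLE_EVENTS):
        print(f"{when} explorer.exe opened SMB to unapproved host {dest}")
```

A hit here is a triage lead, not proof of a leak; blocking outbound SMB at the network perimeter removes the path this rule watches for.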
 