The Patch Isn’t a Fix: New Flaw Lets Attackers Steal NTLM Hashes from Windows
Researchers at Cymulate Research Labs have disclosed a new vulnerability in Windows that allows attackers to bypass Microsoft’s recent patch and once again exfiltrate NTLM hashes without any user interaction. The flaw, tracked as CVE-2025-50154, effectively nullifies the protection introduced earlier this spring to address another vulnerability, CVE-2025-24054.
NTLM (New Technology LAN Manager) is a family of Microsoft authentication protocols used to validate credentials and safeguard network communications. Although NTLMv2 incorporates defenses against outdated techniques such as rainbow tables, intercepted hashes can still be weaponized. They may be cracked offline or leveraged in so-called relay attacks, where a stolen hash is forwarded to another service to impersonate the victim. If the compromised account holds elevated privileges, an adversary can swiftly seize complete control over the network.
The previously discovered flaw enabled attackers to craft a malicious shortcut that forced the system to automatically transmit NTLM hashes when fetching a remote icon file. Microsoft released a patch that blocked this vector. However, recent testing has revealed the fix was incomplete: if a shortcut references a remote executable while drawing its icon from a standard Windows library, the system still downloads the binary and simultaneously exposes the NTLM hash. All of this occurs silently, without any clicks or user action—the mere attempt by Explorer to render the icon is sufficient.
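As an added defensive example (not code from the Cymulate report or from Microsoft), the following Python scanner walks the public MS-SHLLINK layout to flag shortcuts whose target or icon resolves to a remote UNC path, the condition under which Explorer initiates outbound SMB authentication while rendering the icon; the shortcut bytes it checks are a constructed minimal fixture, not a captured sample, and the host name in it is a placeholder.

```python
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 0x14)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
NETWORK_RELATIVE_LINK = 0x02  # LinkInfoFlags: target lives on a network share

def parse_lnk(data: bytes) -> dict:
    """Return the LinkInfo network flag plus the StringData fields of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList (u16 size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    network = False
    if flags & HAS_LINKINFO:                     # LinkInfo: size, header size, flags
        size, _, li_flags = struct.unpack_from("<III", data, pos)
        network = bool(li_flags & NETWORK_RELATIVE_LINK)
        pos += size
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                          # StringData: u16 char count, then chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    fields["network_target"] = network
    return fields

def is_suspicious(fields: dict) -> bool:
    """A UNC target or icon makes Explorer authenticate to a remote host on render."""
    remote = lambda s: s.startswith("\\\\")
    return fields["network_target"] or remote(fields.get("relative_path", "")) \
        or remote(fields.get("icon_location", ""))

def build_sample(relative_path: str, icon: str) -> bytes:
    """Constructed test fixture: header + RELATIVE_PATH + ICON_LOCATION (Unicode)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    struct.pack_into("<I", header, 0x14, HAS_RELPATH | HAS_ICON | IS_UNICODE)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + enc(relative_path) + enc(icon)
```

A shortcut that draws its icon from a local system library but points at a remote executable, the pattern the page describes, is still flagged because the target path itself is remote.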
Although the downloaded file does not execute immediately, its very presence establishes a foothold for future exploitation. Such binaries can remain undetected by antivirus engines and other defenses for extended periods, later being weaponized for data theft, malware deployment, or lateral movement across the network.
In essence, the researchers have demonstrated that Microsoft’s “patch” only partially mitigated the issue. The new flaw reopens the door to credential leaks and the silent planting of potentially dangerous files on victim devices. Microsoft has acknowledged the vulnerability and is preparing a definitive update to resolve it.
Experts emphasize that this case underscores a critical reality: even after official patches are released, independent testing and defense-in-depth strategies remain indispensable. Installing updates alone is sometimes insufficient to fully eliminate risk.