CVE-2025-50154

MEDIUM

Windows File Explorer - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-50154. PoCs published by Ruben Enkaoua, rubenformation, zenzue.

AI-analyzed exploit summary This PowerShell script generates a malicious LNK file that triggers NTLMv2-SSP hash disclosure by forcing Windows Explorer to fetch an icon from a remote SMB share. It exploits CVE-2025-50154, a patch bypass for CVE-2025-24054, to leak authentication hashes.

Description

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.

Exploits (5)

exploitdb WORKING POC

by Ruben Enkaoua · textremotewindows

https://www.exploit-db.com/exploits/52415

View Code ZIP pw:eip

This PowerShell script generates a malicious LNK file that triggers NTLMv2-SSP hash disclosure by forcing Windows Explorer to fetch an icon from a remote SMB share. It exploits CVE-2025-50154, a patch bypass for CVE-2025-24054, to leak authentication hashes.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows 10.0.19045 (and prior versions before August 2025 patch)

No auth needed

Prerequisites: Responder or similar SMB listener running on attacker-controlled IP · Write access to a directory where the LNK file can be placed

MITRE ATT&CK

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 52 stars

by rubenformation · poc

https://github.com/rubenformation/CVE-2025-50154

View Code ZIP pw:eip

This repository contains a functional PowerShell script that generates a malicious .LNK file to trigger NTLMv2-SSP hash disclosure in Windows File Explorer via SMB. The exploit bypasses a Microsoft patch by using a remote SMB-hosted binary to force icon extraction.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Windows File Explorer (explorer.exe)

No auth needed

Prerequisites: Access to a remote SMB server hosting a binary file · Ability to deliver the .LNK file to the victim's system

MITRE ATT&CK

T1187 - Forced Authentication T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WRITEUP 3 stars

by zenzue · poc

https://github.com/zenzue/CVE-2025-50154

View Code ZIP pw:eip

This repository provides a PowerShell script for auditing and hardening NTLM/SMB configurations to mitigate vulnerabilities like CVE-2025-50154. It includes registry checks, firewall rule assessments, and allowlist management for SMB/NTLM traffic.

Classification

Writeup 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Windows NTLM/SMB configurations

Auth required

Prerequisites: Administrative access to modify registry and firewall settings

MITRE ATT&CK

T1112 - Modify Registry T1562.001 - Disable or Modify Tools

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by MartinxMax · poc

https://github.com/MartinxMax/CVE-2025-50154

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-50154, targeting a Windows File Explorer vulnerability. The exploit generates a malicious .lnk file and includes functionality to crack NTLM hashes using Hashcat.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Windows File Explorer (Windows < 10/11)

No auth needed

Prerequisites: Network access to the target system · Ability to deliver the malicious .lnk file to the target

MITRE ATT&CK

T1204 - User Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Ash1996x · poc

https://github.com/Ash1996x/CVE-2025-50154-Aggressor-Script

View Code ZIP pw:eip

This repository contains a Cobalt Strike Aggressor script that weaponizes LNK and Library-MS files to capture NTLMv2-SSP hashes via SMB. It includes a standalone PowerShell script and integrates with Cobalt Strike for red team operations.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Windows systems with PowerShell and SMB access

No auth needed

Prerequisites: Cobalt Strike licensed version · SMB server for hash collection (e.g., Responder, Metasploit) · PowerShell enabled on target systems

MITRE ATT&CK

T1566.002 - Spearphishing Link T1187 - Forced Authentication

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154

Exploit, Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2025-50154-detection-script-zero-click-windows-file-explorer-spoofing-vulnerability

Exploit, Mitigation, Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2025-50154-mitigation-script-zero-click-windows-file-explorer-spoofing-vulnerability

Various Sources

https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/

Various Sources

https://github.com/rubenformation/CVE-2025-50154/

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.2759

EPSS Percentile 96.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (17)

microsoft/windows_10_1507 < 10.0.10240.21100 (2 CPE variants)

microsoft/windows_10_1607 < 10.0.14393.8330 (2 CPE variants)

microsoft/windows_10_1809 < 10.0.17763.7678 (2 CPE variants)

microsoft/windows_10_21h2 < 10.0.19044.6216

microsoft/windows_10_22h2 < 10.0.19045.6216

microsoft/windows_11_22h2 < 10.0.22621.5768

microsoft/windows_11_23h2 < 10.0.22631.5768

microsoft/windows_11_24h2 < 10.0.26100.4851

microsoft/windows_server_2008 (2 CPE variants)

microsoft/windows_server_2008 r2 sp1

... and 7 more

Published Aug 12, 2025

Tracked Since Feb 18, 2026