New Windows 0-Click NTLM Credential Leakage Vulnerability Bypasses Microsoft’s Patch

Published On: August 14, 2025


A Patch That Wasn't Enough: New Windows Zero-Click NTLM Credential Leak Affects Fully Patched Systems

Organizations invest heavily in patching and take vendor fixes on trust, yet a recent finding shows that even a fully patched Windows system can remain exposed. A new zero-click NTLM credential leakage vulnerability, tracked as CVE-2025-50154, bypasses Microsoft's earlier fix for a closely related flaw, CVE-2025-24054. IT and security teams should treat it as a priority.

Understanding the NTLM Credential Leakage Bypass

The core of this threat is that a Windows host can be made to give up its NTLM credentials without any user interaction: no file has to be opened and no link clicked. That "zero-click" property removes the usual barrier of user awareness or social engineering. Leaks in this class work by coercing the victim machine into authenticating to a server the attacker controls; the attacker's server records the NTLM challenge-response (a Net-NTLMv2 hash) and neither the user nor the administrator sees anything happen.

Microsoft had already patched CVE-2025-24054 to close this leakage path. The newly identified vulnerability shows that the patch was incomplete: researchers demonstrated that fully updated Windows systems, including the April security updates, remain susceptible to the same form of NTLM hash theft.

The Risk: Why NTLM Hashes are a Golden Ticket for Attackers

NTLM (NT LAN Manager) is a legacy Windows challenge-response authentication protocol that is still widely enabled as a fallback to Kerberos. Two different things are loosely called an "NTLM hash", and the difference decides what an attacker can do with a leak. The NT hash is the MD4 hash of the user's password as stored in the SAM or in Active Directory; anyone holding it can authenticate as that user without ever knowing the password. The Net-NTLMv2 response is what a zero-click leak such as CVE-2025-50154 captures: the client's answer to a server challenge, computed from the NT hash. It cannot be replayed as-is, but it is still valuable:

  • Offline Cracking: A captured Net-NTLMv2 response can be attacked offline with a GPU cracker. If the password is weak or common, the attacker recovers the plaintext and, with it, the NT hash.
  • NTLM Relay: Instead of cracking, the attacker forwards the captured authentication in real time to another service that accepts NTLM (SMB, LDAP, HTTP) and acts as the victim against that service. This is the most direct use of a leaked authentication, and the reason relay protections matter in the mitigations below.
  • Pass-the-Hash (PtH) and Lateral Movement: Once the attacker holds the NT hash itself, obtained by cracking or dumped from a host compromised through relay, it can be used to authenticate to any service that accepts NTLM, without the password, to move laterally and escalate privileges.

The zero-click nature of CVE-2025-50154 significantly lowers the bar for exploitation, making it a critical concern for any organization relying on Windows infrastructure.

Remediation Actions and Mitigations

At the time of writing no direct Microsoft fix for CVE-2025-50154 was available, so organizations should apply compensating controls to reduce exposure:

  • Restrict or Block NTLM: Where feasible, move authentication to Kerberos and restrict NTLM through the "Network security: Restrict NTLM" Group Policy settings (Security Settings > Local Policies > Security Options). Start with "Outgoing NTLM traffic to remote servers" in audit mode, review what still depends on NTLM, then switch to deny. Set "LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" so that NTLMv1 can never be negotiated.
  • Block Outbound SMB at the Perimeter: Leaks in this class deliver the credential by making the victim authenticate to the attacker's server, most commonly over SMB (TCP 445). Blocking outbound 445 from endpoints to the Internet removes the most common exfiltration path; WebDAV over HTTP(S) is a second path that egress proxy policy has to cover.
  • Enable Extended Protection for Authentication (EPA) and Signing: EPA binds NTLM authentication to the TLS channel, so an authentication relayed to an EPA-enforcing service (for example LDAPS or AD CS web enrollment) fails. Require SMB signing and LDAP signing/channel binding for the same reason. None of these stop the leak itself; they limit what a captured authentication can be relayed to.
  • Network Segmentation: Isolate critical systems and sensitive data behind robust segmentation to limit the blast radius if an attacker does obtain usable NTLM credentials.
  • Audit NTLM Use and Collect the Right Logs: Enable the NTLM audit policies and collect the Microsoft-Windows-NTLM/Operational log (event IDs 8001 to 8004 record outgoing, incoming and blocked NTLM authentication), plus Security log events 4624 (logon, with AuthenticationPackageName NTLM and LmPackageName showing whether NTLMv1 or v2 was used) and 4776 (NTLM credential validation on the domain controller). PowerShell script block logging and transcription help with post-exploitation activity but do not record NTLM authentication.
  • Endpoint Detection and Response (EDR): Deploy and tune EDR to monitor for suspicious processes, outbound SMB/WebDAV connections to unknown hosts, and credential access attempts that might indicate the use of stolen NTLM credentials.
  • Principle of Least Privilege: Enforce least privilege across all user and service accounts, keep privileged accounts off workstations, and put administrators in the Protected Users group, whose members cannot authenticate with NTLM at all.
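The following script is an added example, not code from the original article or from any vendor. It turns the first two bullets and the audit bullet into one elevated PowerShell run: it shows the current values behind the "Restrict NTLM" and "LAN Manager authentication level" policies, sets outgoing NTLM to audit (or to deny with -Enforce), enables incoming NTLM auditing and the NTLM operational log, and adds an outbound block for TCP 445 to the Internet. The registry paths and value meanings are the documented ones; the rule name and the use of the "Internet" address keyword are assumptions to adapt to your perimeter design, and on domain members the same values should be pushed through a GPO rather than set locally.

```powershell
# Added example (not from the original article): inspect and tighten the local
# NTLM settings that the "Network security: Restrict NTLM" and "LAN Manager
# authentication level" Group Policies write, and close the usual SMB exfiltration
# path. Run elevated on a test host first; "deny all" breaks anything that still
# needs NTLM (old NAS boxes, non-domain hosts, some service accounts).
# Assumptions: settings are applied locally (use a GPO in a domain), and the
# firewall rule name / "Internet" address keyword fit your environment.
[CmdletBinding()]
param(
    [switch]$Enforce   # default is audit-only; -Enforce switches outgoing NTLM to "deny all"
)
$ErrorActionPreference = 'Stop'

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-NtlmState {
    Write-Host 'NTLM-related settings (blank = not configured, which means allow all):'
    foreach ($name in 'RestrictSendingNTLMTraffic', 'AuditReceivingNTLMTraffic', 'RestrictReceivingNTLMTraffic') {
        Write-Host ('  {0,-30} {1}' -f $name, (Get-RegDword $Msv1 $name))
    }
    Write-Host ('  {0,-30} {1}' -f 'LmCompatibilityLevel', (Get-RegDword $Lsa 'LmCompatibilityLevel'))
}

Show-NtlmState

# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
# Outgoing NTLM to a remote server is exactly what a credential-leak bug triggers,
# so this is the setting that matters most: audit first, deny once the log is clean.
$sending = if ($Enforce) { 2 } else { 1 }
Set-ItemProperty -Path $Msv1 -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value $sending

# AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts only, 2 = all accounts.
Set-ItemProperty -Path $Msv1 -Name 'AuditReceivingNTLMTraffic' -Type DWord -Value 2

# LmCompatibilityLevel 5 = send NTLMv2 response only, refuse LM and NTLMv1.
Set-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel' -Type DWord -Value 5

# The audit events (IDs 8001-8004) land in this log; make sure it is enabled.
wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true

# A leaked NTLM response has to travel somewhere: block direct SMB (TCP 445) from
# this host to the Internet. WebDAV over 80/443 needs a separate egress/proxy policy.
$ruleName = 'Block outbound SMB to Internet'   # assumed name, pick your own convention
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet | Out-Null
}

Write-Host ''
Write-Host 'After changes:'
Show-NtlmState
```

Run it once without -Enforce, leave the host in audit mode for a few days, then review the 8001 events in Microsoft-Windows-NTLM/Operational: every target server listed there is something that will stop working when you rerun with -Enforce, so each one needs either a Kerberos-capable replacement or a documented exception.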

Detection and Analysis Tools

While a direct patch for CVE-2025-50154 is awaited, the following tools help in finding NTLM exposure, in detecting relay and credential-theft activity, or in understanding how an attacker would use a captured credential:

  • BloodHound: Maps attack paths in Active Directory, including paths that become available once an attacker holds credentials obtained through NTLM relay or cracking. Link: https://bloodhoundenterprise.io/
  • Responder: An LLMNR, NBT-NS and mDNS poisoner that captures NTLMv1/v2 challenge-responses. Useful, in an authorized test, for measuring how readily hosts on a segment will authenticate to a rogue server. Link: https://github.com/lgandx/Responder
  • CrackMapExec (CME): A post-exploitation tool that checks for SMB signing (and therefore relay exposure) and performs pass-the-hash. The original repository is archived; its maintained successor is NetExec. Links: https://github.com/byt3bl33d3r/CrackMapExec and https://github.com/Pennyw0rth/NetExec
  • ADManager Plus: An Active Directory management and reporting tool that helps inventory accounts and monitor AD changes. NTLM restriction itself is configured through Group Policy, not through this tool. Link: https://www.manageengine.com/products/ad-manager/
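The tools above are largely offensive or inventory-oriented; the defensive counterpart is a query over the logs recommended earlier. The script below is an added example, not part of the original article or of any listed tool. It parses Security event 4624 records in the XML layout that Get-WinEvent's .ToXml() returns, keeps only NTLM network logons (logon type 3), and flags two things a responder wants to see after a credential leak: NTLMv1 being negotiated, and NTLM logons whose source address is outside the internal ranges. The four sample events, the user names, the addresses and the CIDR list are constructed for the demo so the script runs offline; the commented line at the end shows the live form.

```powershell
# Added example (not from the original article): triage Security-log 4624 events
# for NTLM network logons worth a second look (NTLMv1, and NTLM from outside the
# internal ranges). Sample events, names, addresses and CIDRs are constructed.

function ConvertFrom-Event4624 {
    # One 4624 event as XML (the layout Get-WinEvent's .ToXml() returns) -> flat record.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = [int]$data['LogonType']
        Package   = $data['AuthenticationPackageName']   # 'NTLM' or 'Kerberos'
        LmPackage = $data['LmPackageName']               # 'NTLM V1', 'NTLM V2' or '-'
        SourceIp  = $data['IpAddress']
    }
}

function Test-InternalIp {
    # IPv4 membership test against CIDR ranges; the default list is an assumption.
    param([string]$Ip, [string[]]$Cidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'))
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $ipInt = [BitConverter]::ToUInt32([byte[]]$addr.GetAddressBytes()[3..0], 0)
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr.Split('/')
        $netInt = [BitConverter]::ToUInt32([byte[]][System.Net.IPAddress]::Parse($net).GetAddressBytes()[3..0], 0)
        $mask = [uint32]((4294967295 -shl (32 - [int]$bits)) -band 4294967295)
        if (($ipInt -band $mask) -eq ($netInt -band $mask)) { return $true }
    }
    return $false
}

function Find-SuspiciousNtlmLogon {
    # Emits only NTLM network logons that have at least one reason to be reviewed.
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Logon)
    process {
        if ($Logon.LogonType -ne 3 -or $Logon.Package -ne 'NTLM') { return }
        $reasons = @()
        if ($Logon.LmPackage -eq 'NTLM V1') { $reasons += 'NTLMv1 negotiated (cheap to crack, trivially relayable)' }
        if (-not (Test-InternalIp $Logon.SourceIp)) { $reasons += "source $($Logon.SourceIp) is outside internal ranges" }
        if ($reasons.Count -gt 0) {
            $Logon | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function New-Sample4624 {
    # Minimal constructed 4624 event with just the fields the parser uses.
    param([string]$Time, [string]$User, [string]$Package, [string]$LmPackage, [string]$Ip)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetDomainName">CORP</Data><Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="LmPackageName">$LmPackage</Data><Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$SampleEvents = @(
    (New-Sample4624 '2025-08-14T09:12:01Z' 'alice'      'Kerberos' '-'       '10.0.5.23'),    # Kerberos, ignored
    (New-Sample4624 '2025-08-14T09:13:40Z' 'bob'        'NTLM'     'NTLM V2' '10.0.5.40'),    # NTLMv2, internal
    (New-Sample4624 '2025-08-14T09:15:02Z' 'svc_backup' 'NTLM'     'NTLM V2' '203.0.113.7'),  # NTLMv2 from outside
    (New-Sample4624 '2025-08-14T09:16:55Z' 'carol'      'NTLM'     'NTLM V1' '10.0.9.9')      # NTLMv1 downgrade
)

$SampleEvents | ForEach-Object { ConvertFrom-Event4624 $_ } |
    Find-SuspiciousNtlmLogon |
    Format-Table Time, User, SourceIp, LmPackage, Reason -AutoSize

# Live use (last 24 hours of the Security log on this host or on a forwarder):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#       ForEach-Object { ConvertFrom-Event4624 $_.ToXml() } | Find-SuspiciousNtlmLogon
```

On the sample data only the svc_backup logon from 203.0.113.7 and carol's NTLMv1 logon are reported; bob's internal NTLMv2 logon passes because neither rule fires, which is deliberate: in an environment still in NTLM audit mode, plain NTLMv2 from inside the network is too common to alert on by itself and belongs in the baseline you build from the 8001/8002 audit events instead.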

Conclusion

The discovery of CVE-2025-50154 is a reminder that a vendor patch is a point in time, not a guarantee. Organizations must keep assessing their exposure after patching, and a zero-click bypass of a previous fix is a strong argument for defensive layers that do not depend on the patch being complete. Until a comprehensive fix from Microsoft is in place, restricting NTLM, blocking the outbound paths a leaked credential would take, and watching the NTLM audit logs remain the most effective ways to protect credentials and maintain network integrity.
