CVE-2025-50154 Overview
CVE-2025-50154 is an information disclosure vulnerability in Windows File Explorer that enables unauthorized attackers to perform spoofing attacks over a network. This zero-click vulnerability exposes sensitive information to unauthorized actors, potentially allowing NTLM credential theft without requiring any user interaction beyond navigating to a malicious folder.
The vulnerability affects a wide range of Windows operating systems, from legacy versions like Windows Server 2008 to the latest Windows 11 and Windows Server 2025 releases, making it a significant concern for enterprise environments with mixed Windows deployments.
Critical Impact
This vulnerability enables network-based spoofing attacks that can expose sensitive NTLM authentication credentials without user interaction, potentially leading to pass-the-hash attacks and lateral movement within enterprise networks.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022 and 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- August 12, 2025 - CVE-2025-50154 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-50154
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists within Windows File Explorer's handling of certain file types that can force outbound SMB connections when a user simply navigates to a folder containing a malicious file.
The attack is particularly dangerous because it requires no user interaction beyond browsing to a folder—there is no need to open, execute, or interact with the malicious file. When File Explorer renders the folder contents, it automatically processes the malicious file, triggering an outbound connection to an attacker-controlled server. This connection leaks the user's NTLM hash, which can be captured and subsequently cracked offline or used in relay attacks.
This vulnerability has been identified as a bypass of previous Microsoft security patches addressing similar NTLM leak issues, indicating that the underlying mechanism for preventing forced authentication attempts was incomplete.
Root Cause
The root cause of CVE-2025-50154 lies in Windows File Explorer's automatic processing of certain embedded file attributes during folder enumeration. When File Explorer encounters files with specially crafted metadata or embedded paths pointing to external UNC paths, it attempts to resolve these references automatically without adequate security checks.
This behavior causes the system to initiate SMB authentication to attacker-controlled servers, inadvertently transmitting the user's NTLM credentials in the authentication handshake. The vulnerability exists because File Explorer does not properly restrict or validate outbound authentication attempts when processing file metadata.
Attack Vector
The attack leverages network-based delivery where an attacker creates a malicious file designed to exploit the File Explorer vulnerability. The attack flow typically involves:
- Preparation: The attacker crafts a malicious file containing embedded UNC paths pointing to an attacker-controlled SMB server
- Delivery: The file is delivered to the victim via email attachment, shared network folder, downloaded archive, or USB drive
- Trigger: The victim navigates to the folder containing the malicious file using Windows File Explorer
- Credential Capture: File Explorer automatically processes the file, triggering an SMB connection to the attacker's server, which captures the NTLM hash
- Exploitation: The captured hash can be cracked offline or used in NTLM relay attacks for lateral movement
The attack requires no clicks or file interaction from the user—simply viewing the folder is sufficient to trigger credential exposure.
Detection Methods for CVE-2025-50154
Indicators of Compromise
- Unexpected outbound SMB connections (port 445) to external IP addresses or unusual hostnames
- File Explorer processes (explorer.exe) initiating connections to non-internal network destinations
- Presence of suspicious files with embedded UNC paths in shared folders or email attachments
- Authentication logs showing NTLM authentication attempts to unknown or external servers
Detection Strategies
- Monitor outbound SMB traffic for connections to non-corporate IP ranges using network security tools or firewalls
- Implement endpoint detection rules to alert on explorer.exe establishing connections to external destinations
- Review Windows Security Event logs (Event ID 4624 successful logon, 4625 failed logon) for anomalous NTLM authentication patterns, such as NTLM logons from unexpected sources or at unusual times
- Deploy detection scripts such as the Vicarius Detection Script for CVE-2025-50154
Monitoring Recommendations
- Configure SIEM rules to correlate outbound SMB traffic with File Explorer process activity
- Enable Enhanced NTLM logging to capture detailed authentication events for forensic analysis
- Monitor for files with suspicious embedded metadata or UNC paths in user-accessible directories
- Implement network segmentation to restrict outbound SMB traffic from workstations to the internet
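As an added example (not from the original advisory and not the Vicarius script), the following Python script applies the detection strategy and SIEM correlation recommended above to constructed, Sysmon Event ID 3-style network-connection records: it flags explorer.exe opening TCP/445 to destinations outside the internal address ranges. The CSV column names, the sample records and the internal-range list are assumptions; adapt them to your telemetry export and address plan.

```python
"""Flag explorer.exe outbound SMB (TCP/445) connections to non-internal hosts.
Added example, not from the advisory; the CSV layout is an assumed Sysmon Event ID 3 export.
"""
import csv
import io
import ipaddress

# Constructed sample records (not real telemetry). 203.0.113.x / 198.51.100.x
# are documentation ranges standing in for attacker-controlled external hosts.
SAMPLE_LOG = """utc_time,image,dest_ip,dest_port,user
2025-08-12T10:01:02Z,C:\\Windows\\explorer.exe,10.0.0.5,445,CORP\\alice
2025-08-12T10:01:05Z,C:\\Windows\\explorer.exe,203.0.113.7,445,CORP\\alice
2025-08-12T10:02:10Z,C:\\Program Files\\Outlook\\outlook.exe,198.51.100.9,443,CORP\\alice
2025-08-12T10:03:00Z,C:\\Windows\\explorer.exe,198.51.100.22,445,CORP\\bob
2025-08-12T10:04:00Z,C:\\Windows\\explorer.exe,192.168.1.40,445,CORP\\bob
"""

SMB_PORT = 445
WATCHED_IMAGE = "explorer.exe"

# Assumed internal address plan: RFC 1918 plus loopback and link-local.
# Add the organization's own public ranges here so they are not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip_str):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(log_text):
    """Return explorer.exe connections to TCP/445 on non-internal destinations."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"].rsplit("\\", 1)[-1].lower()   # basename of the process image
        if image != WATCHED_IMAGE or int(row["dest_port"]) != SMB_PORT:
            continue
        if is_internal(row["dest_ip"]):
            continue  # SMB to internal file servers is expected traffic
        hits.append({"time": row["utc_time"], "user": row["user"], "dest_ip": row["dest_ip"]})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['time']} {h['user']}: explorer.exe -> {h['dest_ip']}:445 (possible forced NTLM auth)")
```

Each hit carries the user and timestamp needed to join against Security log NTLM logon events (4624/4625) in the SIEM; hostname destinations would first need to be resolved to addresses.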
How to Mitigate CVE-2025-50154
Immediate Actions Required
- Apply the latest Microsoft security updates for all affected Windows versions immediately
- Block outbound SMB traffic (port 445) at the network perimeter firewall to prevent credential leakage to external servers
- Configure Windows Firewall to block outbound SMB connections from workstations to non-trusted networks
- Review and restrict NTLM authentication using Group Policy where possible
Patch Information
Microsoft has released security updates addressing this vulnerability. Refer to the Microsoft CVE-2025-50154 Update Guide for detailed patch information and download links specific to each affected Windows version.
Organizations should prioritize patching given the zero-click nature of this vulnerability and the availability of proof-of-concept exploits. The GitHub PoC for CVE-2025-50154 demonstrates the exploitability of this issue.
Workarounds
- Block outbound SMB traffic (TCP port 445) at the network perimeter to prevent credential theft to external servers
- Configure Group Policy to restrict NTLM authentication: Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and configure "Network security: Restrict NTLM" settings
- Utilize the Vicarius Mitigation Script for CVE-2025-50154 for automated mitigation deployment
- Consider implementing SMB signing and encryption to reduce relay attack effectiveness
# Block outbound SMB traffic using Windows Firewall (run from an elevated command prompt).
# As written this blocks ALL outbound TCP/445, including connections to internal file servers;
# if internal shares must stay reachable, scope the rule to external ranges with remoteip=<ranges>.
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=tcp remoteport=445
# Verify the rule was created
netsh advfirewall firewall show rule name="Block Outbound SMB"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

