CVE-2025-50154
📋 TL;DR
This vulnerability in Windows File Explorer allows unauthorized attackers to perform network spoofing by exploiting exposed sensitive information. It enables attackers to trick users into connecting to malicious network shares, potentially leading to credential theft or further network compromise. All Windows systems with vulnerable File Explorer versions are affected.
💻 Affected Systems
- Windows File Explorer
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal NTLM credentials, perform man-in-the-middle attacks, gain unauthorized network access, and potentially move laterally within the network.
Likely Case
Credential harvesting through NTLM relay attacks, network spoofing to redirect users to malicious shares, and initial foothold establishment.
If Mitigated
Limited to isolated spoofing attempts that fail due to network segmentation, SMB signing enforcement, and credential protection measures.
🎯 Exploit Status
Proof-of-concept code available on GitHub. Requires user interaction but no authentication. Exploitation involves network spoofing techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest Windows security updates (check specific KB numbers for your OS version)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify update installation with the 'systeminfo' command.
🔧 Temporary Workarounds
Disable WebClient Service
Windows: Prevents WebDAV connections that could be exploited
sc config WebClient start= disabled
sc stop WebClient
Enable SMB Signing
Windows PowerShell: Requires SMB packet signing to prevent relay attacks
Set-SmbClientConfiguration -RequireSecuritySignature $true
Set-SmbServerConfiguration -RequireSecuritySignature $true
🧯 If You Can't Patch
- Implement network segmentation to isolate critical systems
- Enable NTLM auditing and monitor for suspicious authentication attempts
- Educate users about risks of connecting to unfamiliar network shares
- Deploy endpoint detection to monitor for File Explorer exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the system has applied the security update for CVE-2025-50154 via 'systeminfo' or the Windows Update history
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the Windows build number matches the patched version. Test with available PoC scripts to confirm exploitation fails.
📡 Detection & Monitoring
Log Indicators:
- Windows Security event ID 4625 (failed logon) with NTLM
- Event ID 5140 (network share access) to suspicious locations
- SMB client connection attempts to unexpected IPs
Network Indicators:
- Unusual SMB traffic patterns
- NTLM authentication attempts to multiple systems
- Network share enumeration from single source
SIEM Query:
source="WinEventLog:Security" (EventID=4625 OR EventID=5140) | search "NTLM" OR "SMB" | stats count by src_ip, dest_ip, user
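As an added example (not part of this advisory), the following Python applies the log indicators and the SIEM query above to Security events exported from a SIEM or log forwarder. The records are constructed; the event field names (IpAddress, TargetUserName, SubjectUserName, ShareName, AuthenticationPackageName) are the real Windows Security schema, but the flat JSON layout and the hostnames, IPs and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records. Field names follow the Windows Security event schema
# (IpAddress, TargetUserName, ShareName); the flat layout is an assumed forwarder export.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Computer": "FS01.corp.example", "IpAddress": "10.0.5.23",
     "TargetUserName": "alice", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4625, "Computer": "FS02.corp.example", "IpAddress": "10.0.5.23",
     "TargetUserName": "alice", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4625, "Computer": "DC01.corp.example", "IpAddress": "10.0.5.23",
     "TargetUserName": "alice", "AuthenticationPackageName": "NTLM"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "IpAddress": "10.0.5.23",
     "SubjectUserName": "alice", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "IpAddress": "10.0.5.23",
     "SubjectUserName": "alice", "ShareName": "\\\\*\\Finance"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "IpAddress": "10.0.5.23",
     "SubjectUserName": "alice", "ShareName": "\\\\*\\HR"},
    {"EventID": 5140, "Computer": "FS01.corp.example", "IpAddress": "10.0.7.9",
     "SubjectUserName": "bob", "ShareName": "\\\\*\\Finance"},
]

def user_of(ev):
    """4625 records the attempted account as TargetUserName, 5140 as SubjectUserName."""
    return ev.get("TargetUserName") or ev.get("SubjectUserName", "")

def ntlm_failure_fanout(events, min_hosts=3):
    """Source IPs whose NTLM 4625 failures span >= min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625 and ev.get("AuthenticationPackageName") == "NTLM":
            hosts[ev["IpAddress"]].add(ev["Computer"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}

def share_enumeration(events, min_shares=3):
    """Source IPs that touched >= min_shares distinct shares (5140 events)."""
    shares = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 5140:
            shares[ev["IpAddress"]].add(ev["ShareName"])
    return {ip: sorted(s) for ip, s in shares.items() if len(s) >= min_shares}

def stats_by_src_dest_user(events):
    """Offline equivalent of the SIEM query: NTLM 4625 and 5140 counts by (src, dest, user)."""
    counts = Counter()
    for ev in events:
        ntlm_fail = ev["EventID"] == 4625 and ev.get("AuthenticationPackageName") == "NTLM"
        if ntlm_fail or ev["EventID"] == 5140:  # 5140 is itself an SMB share access
            counts[(ev["IpAddress"], ev["Computer"], user_of(ev))] += 1
    return counts
```

Note that 4625 is logged on the host that rejected the logon and 5140 on the host serving the share, so these counts only cover systems that forward their Security log; a share hosted outside the estate leaves no 5140 record.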
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154
- https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/
- https://github.com/rubenformation/CVE-2025-50154/
- https://www.vicarius.io/vsociety/posts/cve-2025-50154-detection-script-zero-click-windows-file-explorer-spoofing-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-50154-mitigation-script-zero-click-windows-file-explorer-spoofing-vulnerability