Frequently Asked Questions

NTLM Vulnerability & Technical Research

What is the NTLM vulnerability CVE-2025-59214 discovered by Cymulate?

CVE-2025-59214 is a zero-click NTLM credential-leakage vulnerability discovered by Cymulate Research Labs. It allows attackers to extract NTLM hashes without any user interaction, even on fully patched Microsoft systems. This vulnerability bypasses previous patches (CVE-2025-24054 and CVE-2025-50154), enabling offline cracking or relay attacks that can lead to privilege escalation, lateral movement, and remote code execution. Read the full research.

How does the CVE-2025-59214 vulnerability impact organizations using Microsoft authentication?

The vulnerability increases the attack surface for organizations relying on Microsoft's NTLM authentication, especially those depending solely on the April patch for protection. Attackers can exploit this flaw to trigger NTLM authentication requests automatically, leading to credential theft, privilege escalation, and lateral movement without user interaction. This highlights the need for continuous validation and not relying solely on vendor patches for security.

How did Cymulate Research Labs discover and disclose the NTLM vulnerability?

Cymulate Research Labs discovered the NTLM vulnerability during ongoing security research. The team responsibly disclosed their findings to the Microsoft Security Response Center (MSRC), resulting in the official recognition and assignment of CVE-2025-59214. The research process included reproducing the vulnerability on fully patched Windows Server 2022 systems and collaborating with third-party security platforms like 0patch.

What is NTLM and why is it important in network security?

NTLM (New Technology LAN Manager) is Microsoft's family of authentication protocols used to confirm user identities and safeguard network communications. It uses a challenge/response process in which the client proves knowledge of the password without transmitting it. However, a captured NTLMv2 challenge/response can be cracked offline, and a live NTLM authentication can be relayed to another service, either of which can lead to privilege escalation and lateral movement within a network.

How did Microsoft respond to the NTLM leak vulnerabilities?

Microsoft released patches for the NTLM vulnerabilities (CVE-2025-24054 and CVE-2025-50154), but Cymulate's research showed that these patches were insufficient. The vulnerability persisted even after the August 2025 update (KB5063880). Microsoft acknowledged that the original fix had a gap, allowing NTLM authentication hashes to leak via alternative execution paths. A new security update is expected to address the issue fully as of October 14, 2025.

How can organizations test for exposure to CVE-2025-59214 using Cymulate?

An assessment for CVE-2025-59214 is now live on the Cymulate platform. Security teams can immediately test for exposure by running Cymulate's automated assessments, which validate real-world attack paths and help strengthen threat resilience. Request a Cymulate demo to see this in action.

Why is continuous threat validation important for defending against zero-day vulnerabilities?

Continuous threat validation is essential because even patched vulnerabilities can remain exploitable due to incomplete fixes or overlooked attack paths. Cymulate's research on CVE-2025-59214 demonstrates that relying solely on vendor patches can leave organizations exposed. Automated, ongoing validation helps identify and address gaps before attackers can exploit them.

What lessons can be learned from the repeated bypasses of NTLM vulnerability patches?

The repeated bypasses of NTLM vulnerability patches highlight the importance of rigorous patch validation, defense-in-depth, and continuous adversarial testing. Minor oversights in security checks can reopen critical attack paths, making it crucial for organizations to validate their defenses beyond applying vendor updates.

Who conducted the research on CVE-2025-59214 at Cymulate?

The research on CVE-2025-59214 was conducted by Ruben Enkaoua, a cybersecurity researcher at Cymulate with expertise in Windows internals and offensive security. Ruben is part of Cymulate Research Labs, which focuses on discovering and responsibly disclosing critical vulnerabilities. Learn more about the author.

Where can I find more technical details and proof-of-concept code for the NTLM vulnerabilities?

Technical details and proof-of-concept (POC) code for the NTLM vulnerabilities, including CVE-2025-50154 and CVE-2025-59214, are available on Cymulate's blog and the researcher's GitHub repository. Read the blog and access the POC on GitHub.

What is the role of third-party platforms like 0patch in vulnerability management?

Third-party platforms like 0patch provide micro patches—small, hot-applied fixes that can close vulnerabilities instantly without requiring system reboots or full software updates. In the case of CVE-2025-59214, 0patch collaborated with Cymulate to confirm the vulnerability's persistence on fully updated systems, highlighting the value of independent validation.

How does Cymulate Exposure Validation help with advanced security testing?

Cymulate Exposure Validation enables organizations to perform advanced security testing quickly and easily. It allows users to build custom attack chains and validate their defenses against real-world threats, all within a single platform. This helps security teams identify gaps and improve their threat resilience efficiently. Learn more about Exposure Validation.

What are the key takeaways from Cymulate's NTLM vulnerability research?

The key takeaways are: even patched vulnerabilities can remain exploitable, continuous validation is essential, and organizations should not rely solely on vendor patches for security. Defense-in-depth and adversarial testing are necessary to ensure true resilience against evolving threats.

How can I request a personalized Cymulate demo to see threat validation in action?

You can request a personalized Cymulate demo by visiting the Book a Demo page. This allows you to experience how Cymulate's continuous validation strengthens threat resilience and helps your organization stay ahead of potential exploits like CVE-2025-59214.

Where can I find more Cymulate research on Microsoft vulnerabilities?

Cymulate regularly publishes research on Microsoft vulnerabilities and other security topics on their blog. Recent posts include analyses of CVE-2025-50154, task scheduler vulnerabilities, and more.

What is the Cymulate Research Labs' approach to responsible disclosure?

Cymulate Research Labs follows a responsible disclosure process by reporting vulnerabilities to affected vendors (such as Microsoft) before publicizing technical details. This ensures vendors have the opportunity to address the issues and protect users before attackers can exploit them.

How does Cymulate help organizations stay ahead of emerging threats?

Cymulate helps organizations stay ahead of emerging threats by providing continuous threat validation, automated attack simulations, and daily updates to its extensive threat library. This proactive approach enables security teams to identify and remediate vulnerabilities before attackers can exploit them. Learn more about optimizing threat resilience.

What is the significance of the CVE-2025-59214 vulnerability for security teams?

The CVE-2025-59214 vulnerability demonstrates that even well-publicized and patched vulnerabilities can remain exploitable due to overlooked technical details. Security teams must adopt continuous validation and defense-in-depth strategies to ensure their environments are truly secure against evolving threats.

How does Cymulate's platform support defense-in-depth strategies?

Cymulate's platform supports defense-in-depth by enabling organizations to simulate the full attack lifecycle, validate controls across prevention, detection, and response, and automate mitigation through integrations with existing security tools. This layered approach helps reduce risk and improve overall security posture.

What is Cymulate's Exposure Management Platform?

The Cymulate Exposure Management Platform is a unified solution that combines Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It enables organizations to continuously validate their security posture, prioritize exposures, and automate mitigation actions. Learn more about the platform.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. These features help organizations improve security posture, operational efficiency, and resilience. See all features.

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page.

How easy is it to implement Cymulate and start using it?

Cymulate is designed for quick and easy implementation. It operates in agentless mode, requiring no additional hardware or complex configurations. Customers can start running simulations almost immediately, with comprehensive support and educational resources available. Schedule a demo to learn more.

What security and compliance certifications does Cymulate hold?

Cymulate holds several industry-leading certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards. See all certifications.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a strict Secure Development Lifecycle (SDLC). The platform is also GDPR-compliant and includes mandatory 2FA, RBAC, and IP address restrictions. Learn more about security at Cymulate.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. For example, Raphael Ferreira, Cybersecurity Manager, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." Read more testimonials.

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo with the Cymulate team.

How does Cymulate compare to other security validation platforms?

Cymulate stands out by offering a unified platform that integrates Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It provides continuous, automated attack simulations, AI-powered remediation, and complete kill chain coverage. Customers report measurable outcomes such as a 52% reduction in critical exposures and an 81% reduction in cyber risk within four months. See Cymulate vs. competitors.

What business impact can customers expect from using Cymulate?

Customers can expect improved security posture (up to 52% reduction in critical exposures), operational efficiency (60% increase in team efficiency), faster threat validation (40X faster than manual methods), cost savings, and enhanced threat resilience (81% reduction in cyber risk within four months). Learn more about business impact.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. Learn more about roles.

What are some real-world case studies demonstrating Cymulate's value?

Case studies include Hertz Israel reducing cyber risk by 81% in four months, a sustainable energy company scaling penetration testing cost-effectively, and Nemours Children's Health improving detection in hybrid environments. See all case studies.

Where can I find Cymulate's blog, newsroom, and resource hub?

You can find the latest research, news, and resources on the Cymulate blog, newsroom, and Resource Hub.

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. Learn more about Cymulate.

How does Cymulate address common pain points in security operations?

Cymulate addresses pain points such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, and operational inefficiencies by providing unified, automated, and actionable security validation solutions. Learn more.


Patched Twice, Still Bypassed: New NTLM Leak (CVE-2025-59214) 

By: Ruben Enkaoua

Last Updated: October 29, 2025


Executive Summary 

As part of our ongoing security research at Cymulate Research Labs, I discovered a zero-click NTLM credential-leakage vulnerability that bypasses Microsoft's patch for CVE-2025-24054. Microsoft released a fix for that bypass, tracked as CVE-2025-50154. It turned out that this fix did not work either. 

The bypass, now CVE-2025-59214, allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access. 

The risk is significant: NTLM relay attacks can lead to privilege escalation, lateral movement and RCE with no user interaction, especially when high-value accounts are targeted. Because the exploit requires zero user interaction, it widens the attack surface for organizations relying solely on Microsoft's April patch for protection. 

We responsibly disclosed our findings to the Microsoft Security Response Center (MSRC), and the vulnerability has been officially recognized with its own CVE identifier. A new security update is expected to fully address the issue (October 14, 2025). 

An assessment for this vulnerability is now live on the Cymulate platform, enabling customers to immediately test for exposure. By validating real-world attack paths, security teams can strengthen threat resilience and stay ahead of potential exploitation.

What is NTLM? 

NTLM, short for New Technology LAN Manager, is Microsoft's family of authentication protocols used to confirm user identities and safeguard network communications. It works through a direct client–server "challenge/response" exchange: the server issues a random challenge, and the client answers with a value derived from that challenge and the user's password hash, so the password itself is never transmitted across the network. 

A captured NTLMv2 response (the "NTLMv2-SSP hash" that tools such as Responder record) is bound to the server and client challenges, so it cannot be attacked with precomputed rainbow tables or reused directly as in pass-the-hash. It can still be abused in two ways: brute-forced offline to recover the password, or relayed, a man-in-the-middle technique in which the live authentication is forwarded to another service so that the attacker is logged in as the victim. If the compromised account has elevated privileges, this can quickly lead to privilege escalation and lateral movement across the network. 

The vulnerability was first reported as CVE-2025-24054; its patch was first bypassed in our report on CVE-2025-50154, and bypassed again in the new report described here, CVE-2025-59214.

How Did Microsoft Respond to the NTLM Leak? 

In March 2025, Microsoft released the patch for CVE-2025-24054, which was meant to block a well-known technique: NTLMv2-SSP hash disclosure triggered when explorer.exe handles a crafted shortcut file. 

In April 2025 we reported that the patch did not work for LNK files. Specifically, when the Target value is a UNC path and the Icon value is the default shell32.dll file, the NTLMv2-SSP hash still leaks. The bypass was assigned CVE-2025-50154, and we published a blog explaining the flaw. A proof of concept (POC) is available on GitHub.  
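The condition above (a UNC Target, a stock shell32.dll Icon) is easy to miss if you only look at icon paths, so here is an added example of the check a defender would run over a file share: a Python script that parses the MS-SHLLINK binary format far enough to report which fields of a .lnk file resolve to a UNC path (the LinkInfo target, whether stored as a LocalBasePath or a CommonNetworkRelativeLink, plus RelativePath, WorkingDir and IconLocation). This is example code written for this article, not the Cymulate PoC from GitHub. It includes a small build_lnk helper that constructs sample shortcuts in memory so the script runs offline; the host, share and paths in those samples are made up.

```python
"""Flag UNC references in Windows shell links (.lnk).

Added example for this article; not code from the Cymulate post or its GitHub PoC.
Implements a subset of the MS-SHLLINK format: ShellLinkHeader, LinkInfo
(VolumeID/LocalBasePath or CommonNetworkRelativeLink) and the StringData
fields. IDList (PIDL) targets and ExtraData blocks are skipped, so a shortcut
that stores its UNC target only there will not be flagged."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (ShellLinkHeader offset 0x14)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
               (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return the path-bearing fields of a shell link as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, fields = 0x4C, {}
    if flags & HAS_IDLIST:                       # LinkTargetIDList: uint16 size + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li = pos
        size, _hdr, liflags, _vol, lbp_off, cnrl_off, sfx_off = struct.unpack_from("<7I", data, li)
        if liflags & 0x1:                        # VolumeIDAndLocalBasePath
            fields["local_base_path"] = _cstr(data, li + lbp_off)
        if liflags & 0x2:                        # CommonNetworkRelativeLinkAndPathSuffix
            c = li + cnrl_off
            _csize, _cflags, net_off = struct.unpack_from("<3I", data, c)
            fields["net_name"] = _cstr(data, c + net_off)   # e.g. \\host\share
        fields["common_path_suffix"] = _cstr(data, li + sfx_off)
        pos = li + size
    for bit, name in STRING_DATA:                # each: uint16 char count, then chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                fields[name] = data[pos:pos + n].decode("latin-1")
                pos += n
    return fields


def unc_references(data):
    """Names of fields whose value is a UNC path; non-empty means 'inspect this shortcut'."""
    return [k for k, v in parse_lnk(data).items() if v.startswith("\\\\")]


def build_lnk(target, icon=None):
    r"""Constructed sample input (hypothetical host and paths), not a real-world file.
    A \\host\share\file target is stored as a CommonNetworkRelativeLink
    (NetName = \\host\share, CommonPathSuffix = file); any other target as a
    LocalBasePath behind a minimal VolumeID. `icon` goes into ICON_LOCATION."""
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_ICON if icon else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    if target.startswith("\\\\"):
        host, share, *rest = target[2:].split("\\", 2)
        net = ("\\\\%s\\%s" % (host, share)).encode() + b"\x00"
        sfx = (rest[0] if rest else "").encode() + b"\x00"
        cnrl = struct.pack("<5I", 0x14 + len(net), 0, 0x14, 0, 0) + net
        linkinfo = struct.pack("<7I", 0x1C + len(cnrl) + len(sfx), 0x1C, 0x2,
                               0, 0, 0x1C, 0x1C + len(cnrl)) + cnrl + sfx
    else:
        vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
        lbp = target.encode() + b"\x00"
        linkinfo = struct.pack("<7I", 0x1C + len(vol) + len(lbp) + 1, 0x1C, 0x1,
                               0x1C, 0x1C + len(vol), 0, 0x1C + len(vol) + len(lbp)) + vol + lbp + b"\x00"
    body = header + linkinfo
    if icon:
        body += struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    return body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = unc_references(fh.read())
        print("%s: %s" % (path, ", ".join(hits) if hits else "no UNC references"))
```

Run it as `python lnk_unc_scan.py *.lnk` against shortcuts collected from writable shares. The scanner deliberately treats a UNC reference in any field as suspicious, not only in the icon location: per the MSRC explanation quoted later in this post, checking the icon path while ignoring the target is precisely the gap the bypass exploits. Shortcuts that carry their target only in the IDList or in an EnvironmentVariableDataBlock are outside what this parser covers.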

However, shortly after the August 12, 2025 update, 0patch contacted us to report that, in their tests on fully updated systems, the vulnerability still existed. 

0patch is a trusted security platform that delivers micro patches - tiny, hot-applied fixes that close vulnerabilities instantly without needing system reboots or full software updates. 

We created a lab with a fully patched Windows Server 2022 machine (updated with KB5063880), and reproduced the vulnerability. 

A lab environment showing a fully patched Windows Server 2022 system (with update KB5063880) used to reproduce the tested vulnerability

We created the LNK file and used impacket-smbclient from a Kali machine to upload it to a share that was open in a Domain Admin's session. Right after the upload, the Domain Admin's NTLMv2-SSP hash was disclosed to our listening Responder server.  

After we disclosed the vulnerability to Microsoft, it was recognized and assigned CVE-2025-59214. The POC remains the same as for CVE-2025-50154.  

But the question remains: how does the vulnerability still exist for the third time, and why did the patch not work? 

We asked MSRC for more explanations and received the following answer: 

“”” 

  • The original fix for 0-click binary vulnerabilities had a gap - the security check code is allowed to execute only once, hence for the icon path it worked properly but for the target value it is ignored. 
  • Due to the above limitation, the code took a different execution path for the target value in a UNC path. 
  • This alternative path checked for UNC path existence and inadvertently leaked NTLM authentication hashes. 

“”” 

It looks like the function responsible for checking whether a UNC path exists checks only the Icon value. But then what changed after CVE-2025-50154? 

Several things remained unclear: 

  • What actually changed in the CVE-2025-50154 patch (for example, in KB5063880)? 
  • Does Microsoft run tests to validate these security updates? If so, how did the vulnerability still exist after the patch? 
  • Can we rely blindly on patches when nothing changes, even after a bypass report (CVE-2025-50154)? 
  • We also observed that the zero-click binary download no longer occurs. Does this mean that, contrary to what MSRC said, the target value is not ignored? 

While we are still seeking clarification from MSRC, one thing is clear: threat validation is essential to catch missed fixes, and assuming that patches are always enough to prevent new zero-days is a mistake. 

Conclusion 

The discovery of a fresh bypass proves that even patched vulnerabilities can remain exploitable when security checks aren’t applied consistently. Despite fixes for CVE-2025-24054 and CVE-2025-50154, attackers can still trigger NTLM hash leaks and silently stage remote payloads in zero-click scenarios. 

This persistence of exposure highlights how minor oversights can reopen critical attack paths - turning credential theft and stealthy payload delivery into a single, powerful compromise chain. It underscores the need for rigorous patch validation, defense-in-depth, and continuous adversarial testing to ensure that "fixed" doesn’t mean "secure." 

Security teams can immediately test for exposure to this vulnerability using a Cymulate assessment. Experience how continuous validation strengthens threat resilience by requesting a Cymulate demo to see it in action.
