
Security researcher Nafiez has publicly disclosed an unpatched vulnerability affecting Windows LNK (shortcut) files: an issue that can be used to capture an NTLM hash over a UNC path without the user explicitly launching the file. Despite a working proof of concept (PoC), Microsoft has declined to patch the flaw, citing its Mark of the Web (MOTW) protection as sufficient.
“Microsoft’s justification centers on their Mark of the Web (MOTW) protection mechanism… stating it does not meet their security bar for servicing,” Nafiez explains.
Nafiez demonstrates that attackers can craft malicious LNK files that appear benign but are capable of initiating network connections and command execution using EnvironmentVariableDataBlock manipulation.
The vulnerability stems from how LNK files process internal flags and data structures. Specifically:
- The HasArguments flag and EnvironmentVariableDataBlock allow injection of a UNC path (e.g., \\192.168.44.128\c) as a target.
- By setting the BlockSize to 0x00000314 and the signature to 0xA0000001, the attacker can control how the LNK file behaves upon parsing.
- The crafted UNC path is processed by Explorer when a folder containing the malicious LNK file is opened—even before the file is manually executed.
“When user access[es] a folder that has the LNK file, the Explorer will parse any files stored in the folder… this is where the initialization of the file gets ready [to be] called/executed,” Nafiez writes.
Windows Explorer uses a chain of COM interfaces such as IInitializeNetworkFolder and IShellFolder2 to process and display file metadata—parsing begins as soon as a folder is accessed.
“This interface chain… reveals how Windows builds a layered abstraction to handle network resources, with each layer adding specialized functionality,” Nafiez explains.
By embedding the UNC path inside the LNK file’s TargetUnicode buffer, attackers can trigger network activity silently. This is especially dangerous in environments where Responder or similar tools are used to capture NTLM hashes from such forced connections.
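As an added illustration from the defender's side (this is not code from the write-up or from the PoC): a small Python triage script that checks a .lnk for an EnvironmentVariableDataBlock carrying a UNC target, using the BlockSize, signature and TargetAnsi/TargetUnicode layout described above, and reports whether the HasArguments flag is set. Header offsets follow the MS-SHLLINK layout; the fixture builder, the benign `%windir%` case and the `scan_lnk`/`build_fixture` names are constructed for this demo.

```python
import re
import struct

# Layout constants follow MS-SHLLINK; the block values are the ones named in the write-up.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ARGUMENTS = 0x20                                 # LinkFlags bit 5
ENV_BLOCK_SIZE, ENV_BLOCK_SIG = 0x314, 0xA0000001    # EnvironmentVariableDataBlock
UNC_RE = re.compile(r"^\\\\[^\\?.]")                 # \\host\... (not \\?\ or \\.\ device paths)


def env_block_targets(data: bytes):
    """Yield (TargetAnsi, TargetUnicode) from every EnvironmentVariableDataBlock.
    Blocks are located by their fixed BlockSize/BlockSignature pair, which is
    enough for triage; a full parser would walk the ExtraData section instead."""
    needle = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
    pos = data.find(needle)
    while pos != -1 and pos + ENV_BLOCK_SIZE <= len(data):
        body = data[pos + 8:pos + ENV_BLOCK_SIZE]
        ansi = body[:260].split(b"\x00", 1)[0].decode("latin-1")
        uni = body[260:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        yield ansi, uni
        pos = data.find(needle, pos + ENV_BLOCK_SIZE)


def scan_lnk(data: bytes) -> dict:
    """Triage one .lnk: report UNC targets carried in the environment block."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        return {"is_lnk": False, "has_arguments": False, "unc_targets": [], "suspicious": False}
    flags = struct.unpack_from("<I", data, 0x14)[0]
    unc = sorted({t for pair in env_block_targets(data) for t in pair if UNC_RE.match(t)})
    return {"is_lnk": True, "has_arguments": bool(flags & HAS_ARGUMENTS),
            "unc_targets": unc, "suspicious": bool(unc)}


def build_fixture(target: str, flags: int = HAS_ARGUMENTS) -> bytes:
    """Constructed test input: bare ShellLinkHeader, one environment block holding
    `target`, then the TerminalBlock. A minimal fixture for the scanner only."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    block = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
             + target.encode("latin-1").ljust(260, b"\x00")
             + target.encode("utf-16-le").ljust(520, b"\x00"))
    return header + block + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    # Benign use of the block (%windir% expansion) beside the UNC case from the write-up.
    for tgt in (r"%windir%\notepad.exe", r"\\192.168.44.128\c"):
        print(tgt, "->", scan_lnk(build_fixture(tgt)))
```

Because the signature search does not walk the StringData section first, treat a hit as a triage signal and confirm it with a full parser before acting on it.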
Microsoft argues that the Mark of the Web (MOTW)—a metadata tag applied to files downloaded from untrusted sources—would prevent such attacks from executing. However, Nafiez counters that: “This situation highlights an important consideration… about reliance on secondary protection mechanisms versus directly addressing underlying vulnerabilities.”
Nafiez has provided a detailed proof of concept (PoC) that programmatically builds a malicious .lnk file using Windows API calls. Once created, the file can be used in combination with a tool like Responder to extract NTLM authentication hashes, making it suitable for red teaming, penetration testing, or even real-world exploitation in poorly secured networks.
A quick writeup on potential security issue of Windows LNK that I reported to MSRC last month. They decided to not fix due to relying on MOTW. In the blog I included the proof of concept. All you have to do is to Right-Click and get Info Disclosure 🙂 https://t.co/j2N7AQlO7Z pic.twitter.com/pcbEukAxh8
— nafiez (@zeifan) April 28, 2025
“Once you compile the code, run the executable to generate LNK file and make sure to run Responder tool to capture NTLM Hash,” the write-up concludes.