
LnkMeMaybe - A Review of CVE-2026-25185 #1995

Open
carlospolop wants to merge 1 commit into master from
update_LnkMeMaybe_-_A_Review_of_CVE-2026-25185_20260312_185722

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post focus
TrustedSec documents Windows Shortcut (.lnk) internals (per MS-SHLLINK) learned while writing a cross-platform C#/.NET 8 shortcut library and tooling, and uses that reverse engineering to explain and validate CVE-2026-25185: a crafted .lnk can trigger outbound Windows authentication (credential leak/NTLM relay primitive) when a folder is merely viewed/previewed (no double-click required).

How Windows shortcuts work ...

🔧 Technical Details

When analyzing “no-click” shortcut attack surface, focus on what Windows does when it loads a .lnk to render metadata (e.g., icons) during directory listing/preview/indexing/AV scanning. Use Sysinternals Procmon to filter on a specific shortcut filename (e.g., viewme.lnk), trigger folder view over a share, then pivot from the captured stack trace into disassembly to identify parsing routines (example: CShellLink::_LoadFromStream in windows.storage.dll) and their cross-references to understand all entry points that can process a shortcut without execution.

A credential-leak primitive can be created by abusing icon-resolution logic: craft a valid shortcut whose ExtraData contains DARWIN_PROPS (signature 0xa0000006) and ICON_ENVIRONMENT_PROPS (signature 0xa0000007) such that the parser reads TargetUnicode (at an observed offset of 268 bytes into the icon block),...

🤖 Agent Actions

Summary:

  • Added a new subsection documenting the CVE-2026-25185 no-click .lnk NTLM leak via ExtraData icon resolution, plus tooling mention and references.

Files updated:

  • src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md

Tests:

  • Not run (docs-only change).

If you want, I can also add a short detection/IR note for this no-click .lnk path in the same file.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
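Added example (not code from the post, the PR or the HackTricks repository): a minimal MS-SHLLINK walker that locates the DARWIN_PROPS (0xA0000006) and ICON_ENVIRONMENT_PROPS (0xA0000007) ExtraData blocks named in the technical details above, reads TargetUnicode at byte 268 of each block and flags targets that are UNC paths, which is the property a defender would triage in a share full of shortcuts that are only ever previewed. The block layout (BlockSize 0x314, 260-byte TargetAnsi, 520-byte TargetUnicode) and the header flag values come from the MS-SHLLINK specification; `build_sample` is the example's own helper that constructs a test shortcut in memory.

```python
import struct

# Layout from MS-SHLLINK: 76-byte ShellLinkHeader, then optional IDList/LinkInfo/StringData,
# then ExtraData blocks of [BlockSize][BlockSignature][payload]; BlockSize < 4 is the terminator.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
DARWIN_PROPS = 0xA0000006            # DarwinDataBlock
ICON_ENVIRONMENT_PROPS = 0xA0000007  # IconEnvironmentDataBlock
TARGET_UNICODE_OFFSET = 268          # 4 BlockSize + 4 BlockSignature + 260-byte TargetAnsi
TARGET_UNICODE_LEN = 520             # 260 UTF-16LE code units
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, HAS_EXP_ICON = 0x1, 0x2, 0x80, 0x4000
STRING_DATA_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation

def _utf16z(buf):
    """Decode a NUL-terminated UTF-16LE field."""
    return buf.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def scan_lnk(data):
    """Return [(signature, target_unicode, is_unc)] for every Darwin/IconEnvironment block."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:     # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for f in STRING_DATA_FLAGS:  # CountCharacters (2 bytes) + characters, no terminator
        if flags & f:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + n * (2 if flags & IS_UNICODE else 1)
    findings = []
    while pos + 8 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):  # TerminalBlock, or truncated/malformed block
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig in (DARWIN_PROPS, ICON_ENVIRONMENT_PROPS) and size >= TARGET_UNICODE_OFFSET + TARGET_UNICODE_LEN:
            start = pos + TARGET_UNICODE_OFFSET
            target = _utf16z(data[start:start + TARGET_UNICODE_LEN])
            findings.append((sig, target, target.startswith("\\\\")))  # UNC target: resolved over the network
        pos += size
    return findings

def build_sample(icon_target):
    """Constructed test input (not a real-world sample): minimal header plus one IconEnvironmentDataBlock."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_EXP_ICON | IS_UNICODE) + b"\x00" * 52
    block = struct.pack("<II", 0x314, ICON_ENVIRONMENT_PROPS) + b"\x00" * 260
    block += icon_target.encode("utf-16-le").ljust(TARGET_UNICODE_LEN, b"\x00")
    return header + block + struct.pack("<I", 0)  # TerminalBlock
```

To triage a real file, call `scan_lnk(open(path, "rb").read())`; any finding with `is_unc` set is a shortcut whose icon resolution reaches off-host and deserves a look in Procmon, as the post describes.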

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/lnkmemaybe-a-review-of-cve-2026-25185

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> (new) Windows Shortcut (.LNK) Attacks / No-click .LNK NTLM leak (CVE-2026-25185) OR Pentesting Web is not applicable; better placed near Windows credential theft / NTLM sections".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
