Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing


A critical vulnerability in Windows File Explorer, identified as CVE-2025-24071, enables attackers to steal NTLM hashed passwords without any user interaction beyond simply extracting a compressed file. 

Security researchers have released a proof-of-concept exploit demonstrating this high-severity flaw, which Microsoft patched in its March 2025 updates.

Microsoft Windows File Explorer Vulnerability

The vulnerability, dubbed “NTLM Hash Leak via RAR/ZIP Extraction,” exploits Windows Explorer’s automatic file processing mechanism. 

When a specially crafted .library-ms file containing a malicious SMB path is extracted from a compressed archive, Windows Explorer automatically parses its contents to generate previews and index metadata.

This automatic processing occurs even if the user never explicitly opens the extracted file. 

The .library-ms file format, which is XML-based and trusted by Windows Explorer to define library locations, includes a tag that points to an attacker-controlled SMB server, according to the security researcher using the alias “0x6rss”.

Upon extraction, Windows Explorer attempts to resolve the embedded SMB path (e.g., \\192.168.1.116\shared) automatically to gather metadata. 

This action triggers an NTLM authentication handshake from the victim’s system to the attacker’s server, leaking the victim’s NTLMv2 hash without any user interaction.

Using process monitoring tools, researchers observed that immediately after extraction, both Explorer.exe and SearchProtocolHost.exe (part of Windows’ indexing service) automatically perform several operations on the .library-ms file:

  • CreateFile: Opening the file automatically
  • ReadFile: Reading the file contents
  • QueryBasicInformationFile: Extracting metadata
  • CloseFile: Closing the file after processing

Wireshark captures confirm that these actions immediately trigger SMB communication attempts, including an NTLM authentication handshake.
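Because the trigger is a location tag inside the extracted XML, a defender can scan archive extraction folders for .library-ms files whose locations point at hosts outside an allowlist. The following is an added example, not code from the article or from the researcher's PoC; it assumes the Library Description layout in which each location is a <simpleLocation><url> element, and the allowlist and sample file are constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# UNC path: \\host\share[\...]; the host may be an IP, hostname or FQDN.
UNC_RE = re.compile(r"^\\\\([^\\?]+)\\")

# Constructed allowlist: file servers a library may legitimately point at.
TRUSTED_HOSTS = {"localhost", "fileserver.corp.example"}


def unc_hosts(library_xml: str) -> list[str]:
    """Return every UNC host referenced by a <url> element in the XML."""
    try:
        root = ET.fromstring(library_xml)
    except ET.ParseError:
        return []  # not well-formed XML; nothing to extract
    hosts = []
    for elem in root.iter():
        # Drop the namespace so the check does not depend on the prefix used.
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:
            continue
        match = UNC_RE.match(elem.text.strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def untrusted_hosts(library_xml: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """UNC hosts in the file that are not on the allowlist."""
    return [h for h in unc_hosts(library_xml) if h not in trusted]


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Map each .library-ms file under directory to its untrusted UNC hosts."""
    findings = {}
    for path in Path(directory).rglob("*.library-ms"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if hosts := untrusted_hosts(text):
            findings[str(path)] = hosts
    return findings


# Constructed sample (assumed layout); 192.0.2.10 is a documentation address.
SAMPLE_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\\\192.0.2.10\\shared</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
```

Run scan_directory against the folder an archive was extracted into; any file reported there references a host the organisation does not recognise and deserves a look before Explorer is allowed to index it.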

Risk Factors / Details

Affected Products: Microsoft Windows (specifically Windows File Explorer)
Impact:
  • Leaks the victim’s NTLMv2 hash
  • Credential theft for pass-the-hash attacks
  • Potential offline NTLM hash cracking
  • Creates a spoofing vulnerability
Exploit Prerequisites:
  • User must extract a specially crafted .library-ms file
  • Attacker needs to set up an SMB server to receive the authentication request
CVSS 3.1 Score: 7.5 (Important)

PoC Exploitation

The vulnerability allows for exposure of sensitive information to unauthorized actors, enabling network spoofing attacks.

A security researcher with the handle 0x6rss published a proof-of-concept exploit on GitHub on March 16, 2025. The PoC includes a Python script that generates the malicious .library-ms file and can be used with a simple command: python poc.py

Evidence suggests this vulnerability may have been sold and exploited in the wild before its public disclosure. 

A threat actor known as “Krypt0n,” reportedly the developer of malware called “EncryptHub Stealer,” allegedly offered the exploit for sale on underground forums.

Threat Actor’s post

According to translated forum posts, the attacker explained: “The server where the hashes are sent is created locally, for example, on a VPS. 

Then, using an exploit, you generate a config with your IP, share, etc. […] If the user simply opens Explorer or accesses the shared folder, an automatic redirect occurs, and the user’s hash is sent to your server.”

Mitigation

Microsoft addressed this vulnerability with the release of its March 2025 Patch Tuesday updates on March 11.

All Windows users are strongly advised to apply these security updates immediately. This vulnerability adds to a growing list of NTLM-related flaws in Microsoft products, with researchers previously identifying similar credential-leaking issues in Microsoft Access, Publisher, and other applications.

Security experts recommend keeping all Microsoft products updated and implementing additional protections against NTLM relay attacks, such as enabling SMB signing and disabling NTLM where possible.
