A significant vulnerability in Microsoft Windows File Explorer, identified as CVE-2025-24071, has been discovered and is being actively exploited in the wild.
This vulnerability allows attackers to capture NTLM hashes, potentially leading to network spoofing attacks and credential theft.
The exploit involves specially crafted .library-ms files embedded within compressed archives such as RAR or ZIP.
When these files are extracted, Windows Explorer automatically processes them, initiating an NTLM authentication handshake with an attacker-controlled SMB server without requiring user interaction.

Technical Explanation of NTLM Hash Leak
The .library-ms file format is XML-based and trusted by Windows Explorer to define search and library locations.
When a specially crafted .library-ms file containing an SMB path is extracted from a compressed archive, Windows Explorer attempts to resolve this path automatically to gather metadata and index file information.
This action triggers an implicit NTLM authentication handshake from the victim’s system to the attacker-controlled SMB server, leaking the victim’s NTLMv2 hash without explicit user interaction.
The vulnerability exploits Windows Explorer’s automatic file processing mechanism, which occurs even if the user never explicitly opens the extracted file.
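A defender-side check for the file format described above, added here as an illustration (it is not code from the original article or from the published PoC): it parses a .library-ms document, collects every declared location, and reports any that would make Explorer reach out to a non-loopback SMB host, so an extraction directory, mail gateway or archive scanner can flag such files before Explorer indexes them. The two sample documents and the 203.0.113.10 / 198.51.100.7 hosts are constructed for the example; the element names follow the public .library-ms schema.

```python
import re
import xml.etree.ElementTree as ET  # swap in defusedxml.ElementTree when parsing untrusted files

# Host component of a UNC path (\\host\share) or an smb:// URL.
UNC_HOST_RE = re.compile(r"(?:\\\\|smb://)([^\\/\s<>]+)", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed samples (hosts are documentation-range addresses, not real indicators).
BENIGN_SAMPLE = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SUSPICIOUS_SAMPLE = BENIGN_SAMPLE.replace(r"C:\Users\Public\Documents", r"\\203.0.113.10\share")


def library_locations(xml_text: str) -> list[str]:
    """Text of every <url> element in a .library-ms document, whatever its namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]


def remote_hosts(text: str) -> list[str]:
    """Hosts named by UNC/smb paths in text, excluding loopback names."""
    return [m.group(1) for m in UNC_HOST_RE.finditer(text)
            if m.group(1).lower() not in LOOPBACK]


def scan_library_ms(xml_text: str) -> list[str]:
    """Remote hosts the file would make Explorer authenticate to.
    A non-empty result means: quarantine the file and review it."""
    try:
        candidates = library_locations(xml_text)
    except ET.ParseError:
        # Malformed XML: sweep the raw text so a broken file
        # cannot hide a UNC path from the scanner.
        candidates = [xml_text]
    found: list[str] = []
    for text in candidates:
        for host in remote_hosts(text):
            if host not in found:
                found.append(host)
    return found


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, "->", scan_library_ms(doc) or "no remote locations")
```

Run it over every .library-ms file that lands in a download or extraction folder; a hit is a reason to hold the file, not proof of exploitation.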
Exploitation and Mitigation
The vulnerability is particularly dangerous because it does not require the user to open or execute the extracted file; simply extracting it from the archive is enough to trigger the NTLM hash leak.
This makes it a powerful tool for attackers seeking to compromise network security through pass-the-hash attacks or offline NTLM hash cracking.
A Proof of Concept (PoC) for CVE-2025-24071 has been released on GitHub, demonstrating how attackers can exploit this vulnerability using a Python script.
Microsoft addressed this vulnerability in its March 2025 Patch Tuesday update, and users are advised to ensure their Windows systems are updated with the latest security patches to prevent exploitation.
Additionally, security experts recommend implementing additional protections against NTLM relay attacks, such as enabling SMB signing and disabling NTLM where possible.