Wednesday, March 19, 2025

Windows File Explorer Vulnerability Enables Network Spoofing Attacks: PoC Released


A critical vulnerability in Windows File Explorer has been discovered, allowing attackers to capture NTLM hashes and potentially exploit them for network spoofing attacks.

The vulnerability, identified as CVE-2025-24071, involves the automatic processing of specially crafted .library-ms files within compressed archives like RAR or ZIP.

When such a file, containing a path to an attacker-controlled SMB server, is extracted, Windows Explorer initiates an implicit NTLM authentication handshake with that server, leaking the user's NTLM credentials without any user interaction beyond the extraction itself, according to a report by CTI monster.

CVE-2025-24071: Overview of the Vulnerability

CVE-2025-24071 is a significant issue in Windows File Explorer that stems from the automatic processing of .library-ms files.

These XML-based files define search and library locations and are trusted by Windows Explorer.

When a .library-ms file containing an SMB path is extracted from a compressed archive, Windows Explorer attempts to resolve this path automatically to gather metadata and index file information.

This process triggers an NTLM authentication handshake with the attacker-controlled SMB server, leaking the victim’s NTLMv2 hash without any explicit user interaction.

Translation from Russian for the threat actor's post

The vulnerability is particularly dangerous because it does not require the user to open or execute the extracted file; simply extracting it from the archive is enough to trigger the NTLM hash leak.

This makes it a powerful tool for attackers seeking to compromise network security through pass-the-hash attacks or offline NTLM hash cracking.

Technical Explanation

  1. Automatic File Processing: Upon extraction from a compressed archive, Windows Explorer and the SearchProtocolHost.exe service automatically process the .library-ms file. This involves opening the file, reading its contents to extract metadata, and querying file information. These operations occur without any explicit user interaction and can be observed using tools like Procmon.
  2. SMB Communication: The extraction process triggers SMB communication attempts. Using Wireshark with an SMB filter, researchers can capture the SMB2 Negotiate Protocol Request and the SMB2 Session Setup Request, which clearly show the initiation of an NTLM authentication handshake between the victim’s system and the attacker-controlled SMB server.
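As an added defensive example (not the PoC and not code from the original report), the following Python scans a ZIP before it is extracted and flags any .library-ms member whose <url> element points at a remote SMB location, which is the step that makes Explorer start the NTLM handshake. The archive built by build_sample_archive() and the 192.0.2.10 host are constructed test data; the XML namespace is the standard one Windows uses for library description files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of Windows library description files (.library-ms).
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# A UNC path (\\host\share, //host/share) or smb:// URL makes Explorer resolve a
# remote location, which is the step that starts the NTLM handshake.
REMOTE_RE = re.compile(r"^(\\\\|//|smb://)", re.IGNORECASE)

def remote_library_urls(xml_bytes):
    """Return every <url> in a .library-ms document that names a remote location."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["<unparseable .library-ms>"]  # treat as suspicious, not as clean
    return [u.text.strip() for u in root.iter(LIB_NS + "url")
            if u.text and REMOTE_RE.match(u.text.strip())]

def scan_archive(zip_bytes):
    """Scan an in-memory ZIP; return [(member, url)] for every .library-ms member
    that would make Explorer reach out to a remote SMB host on extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                for url in remote_library_urls(zf.read(info)):
                    findings.append((info.filename, url))
    return findings

def build_sample_archive():
    """Constructed test input: one benign library (known folder) and one whose
    <url> is a UNC path to a placeholder host in TEST-NET (192.0.2.10)."""
    def lib(url):
        return ('<?xml version="1.0" encoding="UTF-8"?>'
                '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
                '<searchConnectorDescriptionList><searchConnectorDescription>'
                '<simpleLocation><url>' + url + '</url></simpleLocation>'
                '</searchConnectorDescription></searchConnectorDescriptionList>'
                '</libraryDescription>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", lib("knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"))
        zf.writestr("invoice.library-ms", lib(r"\\192.0.2.10\share"))
        zf.writestr("readme.txt", "not a library file")
    return buf.getvalue()
```

A mail gateway or endpoint agent can run scan_archive() on incoming archives and quarantine any that return findings, which blocks the leak before extraction rather than after the SMB connection is attempted.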

Proof of Concept (PoC)

A Proof of Concept (PoC) for CVE-2025-24071 has been released on GitHub.

It demonstrates how attackers can exploit this vulnerability to capture NTLM hashes by creating a specially crafted .library-ms file and embedding it within a RAR or ZIP archive.

The PoC can be executed using Python, requiring minimal input such as the target file name and the attacker’s IP address.

python poc.py
# Enter file name: your_file_name
# Enter IP: attacker_IP

CVE-2025-24071 is reportedly being exploited in the wild. According to information from forums like xss.is, threat actors are utilizing this vulnerability for credential theft.

The threat actor known as “Krypt0n” is linked to its exploitation and has developed malware known as “EncryptHub Stealer.”

The vulnerability’s potential for exploitation is underscored by its offer for sale on dark web forums, further emphasizing the urgency of patching affected systems.

Mitigation and Patch

Microsoft addressed CVE-2025-24071 in its March Patch Tuesday update. Users are advised to ensure their Windows systems are updated with the latest security patches to prevent exploitation.

As the vulnerability is actively being exploited, immediate action is crucial to protect against potential network spoofing attacks.

The discovery and exploitation of CVE-2025-24071 highlight the ongoing challenges in securing Windows systems against sophisticated threats.

By understanding how vulnerabilities like this one are exploited and taking proactive steps to patch and protect systems, users can significantly reduce the risk of falling victim to such attacks.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
