
A vulnerability in Microsoft Windows File Explorer allows for network identity spoofing attacks: PoC published.


A critical vulnerability in Windows File Explorer has been discovered, enabling attackers to capture NTLM hashes and potentially exploit them for network spoofing attacks.
Security researchers have published a proof of concept demonstrating this high-severity flaw, which Microsoft patched in its March 2025 updates.

Overview of Vulnerability CVE-2025-24071

CVE-2025-24071 is a significant issue in Windows File Explorer that stems from the automatic processing of .library-ms files.
These XML files define search and library locations and are trusted by Windows Explorer.
When a .library-ms file containing an SMB path is extracted from a compressed archive, Windows Explorer automatically attempts to resolve this path to collect metadata and index file information.
This process triggers an NTLM authentication negotiation with an attacker-controlled SMB server, leaking the victim’s NTLMv2 hash without explicit user interaction.
The vulnerability is particularly dangerous because simply extracting the file is enough to trigger the NTLM hash leak.
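As an added illustration of the mechanism described above (this is not code from the article or from the published PoC): a defender-side scanner that opens a ZIP archive, parses any .library-ms members using the element names of Microsoft's Library Description schema, and reports those whose <url> points at a network location (UNC path or smb:// URL) on a host outside an allowlist. The archive contents and the host name fileserver.example.invalid are constructed sample values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespace of the Windows Library Description schema used by .library-ms files.
LIB_NS = "http://schemas.microsoft.com/windows/2009/library"

# Matches a UNC path (\\host\share...), a forward-slash UNC (//host/...) or an smb:// URL
# and captures the host portion for reporting.
UNC_RE = re.compile(r"^(?:\\\\|//|smb://)([^\\/]+)", re.IGNORECASE)

def remote_locations(xml_bytes):
    """Return the host of every <url> in a .library-ms document that names a network
    location. Malformed XML yields an empty list (Explorer would not index it either)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    hosts = []
    for url in root.iter(f"{{{LIB_NS}}}url"):
        m = UNC_RE.match((url.text or "").strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def scan_archive(archive_bytes, trusted_hosts=()):
    """Report .library-ms members of a ZIP archive that reference a network path on a
    host not in trusted_hosts. Returns a list of (member name, host) tuples."""
    findings = []
    trusted = {h.lower() for h in trusted_hosts}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            for host in remote_locations(zf.read(info)):
                if host not in trusted:
                    findings.append((info.filename, host))
    return findings

def build_sample_archive():
    """Constructed sample archive: one library pointing at a local folder (benign) and
    one pointing at a UNC share on a placeholder host (the pattern the article describes)."""
    def library(url):
        return (f'<?xml version="1.0" encoding="UTF-8"?><libraryDescription xmlns="{LIB_NS}">'
                f'<searchConnectorDescriptionList><searchConnectorDescription>'
                f'<simpleLocation><url>{url}</url></simpleLocation>'
                f'</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", library("C:\\Users\\Public\\Documents"))
        zf.writestr("Shared.library-ms", library("\\\\fileserver.example.invalid\\share"))
        zf.writestr("readme.txt", "not a library file")
    return buf.getvalue()
```

Run against real mail or download quarantine by feeding the archive bytes to scan_archive and treating any finding as a reason to strip or block the .library-ms member before a user extracts it.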

Proof of Concept (PoC)
A proof of concept (PoC) for CVE-2025-24071 has been published on GitHub.
It demonstrates how attackers can exploit this vulnerability to capture NTLM hashes by creating a specially crafted .library-ms file and embedding it in a RAR or ZIP archive.

The PoC can be executed using Python, requiring minimal input such as the target file name and the attacker’s IP address.

```shell
python poc.py
# Enter file name: your_file_name
# Enter IP: attacker_IP
```

Mitigation and Patch
Microsoft has addressed this vulnerability with the release of its Patch Tuesday updates on March 11, 2025. Users are strongly advised to ensure their Windows systems are updated with the latest security patches to prevent exploitation. Since the vulnerability is actively being exploited, immediate action is crucial to protect against potential network identity spoofing attacks.
Security experts recommend keeping all Microsoft products up to date and implementing additional protections against NTLM relay attacks, such as enabling SMB signing and disabling NTLM where possible.
