Microsoft Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing
Document Control
Document No:
Revision Status:
Effective Date:
Last Review Date:
Approved by:
Preparer Name:
Signature:
Date:
Document Revision History
Publication Date: 19-03-2025
Author: Guru Baran
Revision No: -
Change Description: Initial Document Creation
Table of Contents
1. Introduction
2. Incident Overview
3. Attack Methodology
4. Indicators of Compromise (IoCs)
5. Recommendations
6. Conclusion
7. References
Introduction
A critical vulnerability in Windows File Explorer, identified as CVE-2025-24071, enables
attackers to steal NTLM hashed passwords without any user interaction beyond extracting a
compressed file. Security researchers have released a proof-of-concept (PoC) exploit
demonstrating this high-severity flaw, which Microsoft patched in its March 2025 updates.
Incident Overview
The vulnerability, dubbed “NTLM Hash Leak via RAR/ZIP Extraction,” exploits Windows
Explorer’s automatic file processing mechanism. When a specially crafted .library-ms file
containing a malicious SMB path is extracted from a compressed archive, Windows Explorer
automatically parses its contents to generate previews and index metadata.
This automatic processing occurs even if the user never explicitly opens the extracted file.
The .library-ms file format is XML-based and trusted by Windows Explorer to define library
locations, making it a prime target for exploitation.
Upon extraction, Windows Explorer attempts to resolve the embedded SMB path (e.g.,
\\192.168.1.116\shared) automatically to gather metadata. This action triggers an NTLM
authentication handshake, leaking the victim’s NTLMv2 hash to an attacker-controlled SMB
server without any user interaction.
Attack Methodology
Using process monitoring tools, researchers observed that immediately after extraction, both
Explorer.exe and SearchProtocolHost.exe (part of Windows’ indexing service) automatically
perform several operations on the .library-ms file:
• CreateFile: Opening the file automatically
• ReadFile: Reading the file contents
• QueryBasicInformationFile: Extracting metadata
• CloseFile: Closing the file after processing
Wireshark captures confirm that these actions immediately trigger SMB communication attempts,
including an NTLM authentication handshake, leading to potential credential theft.
Risk Factors and Details
• Affected Products: Microsoft Windows (specifically Windows File Explorer)
• Impact:
o Leaks the victim’s NTLMv2 hash
o Credential theft for pass-the-hash attacks
o Potential offline NTLM hash cracking
o Creates a spoofing vulnerability
• Exploit Prerequisites:
o User must extract a specially crafted .library-ms file
o Attacker needs to set up an SMB server to receive the authentication request
• CVSS 3.1 Score: 7.5 (Important)
Indicators of Compromise (IoCs)
• Suspicious SMB Connections:
o Unusual outbound SMB traffic to unknown external IPs.
o Connections to internal SMB shares that contain .library-ms files.
• Process Execution Logs:
o Unexpected activity from Explorer.exe and SearchProtocolHost.exe accessing .library-ms files.
• Network Traffic Analysis:
o NTLM authentication attempts directed at attacker-controlled SMB shares.
o Large amounts of failed SMB authentication logs.
• Presence of Suspicious Files:
o Compressed archives (.zip, .rar) containing .library-ms files.
o Unexpected .library-ms files appearing in user directories.
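Detection logic for the process-execution and SMB indicators above, as an added example that is not part of the original advisory: it correlates a watched process touching a .library-ms file with an outbound tcp/445 connection from the same host to an address outside the listed internal ranges. The event records are constructed in a simplified Sysmon-like shape, and the 30-second window and internal address ranges are assumptions to adjust to the site.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records in a simplified, Sysmon-like shape (not real log output).
# kind "file": a process opened a file; kind "net": a process made an outbound TCP connection.
SAMPLE_EVENTS = [
    {"t": "2025-03-19T10:00:00", "host": "WS01", "kind": "file", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\Downloads\\extracted\\report.library-ms"},
    {"t": "2025-03-19T10:00:01", "host": "WS01", "kind": "net", "image": "C:\\Windows\\explorer.exe",
     "dst_ip": "203.0.113.10", "dst_port": 445},
    {"t": "2025-03-19T10:00:02", "host": "WS01", "kind": "file",
     "image": "C:\\Windows\\System32\\SearchProtocolHost.exe",
     "target": "C:\\Users\\alice\\Downloads\\extracted\\report.library-ms"},
    # Benign: Explorer touching a user's own library while talking to an internal file server.
    {"t": "2025-03-19T10:05:00", "host": "WS02", "kind": "file", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Music.library-ms"},
    {"t": "2025-03-19T10:05:01", "host": "WS02", "kind": "net", "image": "C:\\Windows\\explorer.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]

# Processes the advisory observed parsing .library-ms files right after extraction.
WATCHED = {"explorer.exe", "searchprotocolhost.exe"}
# Address ranges treated as internal; adjust to the site's address plan (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
WINDOW = timedelta(seconds=30)  # correlation window (assumption)

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_library_ms_leaks(events, window=WINDOW):
    """Alert when a watched process reads a .library-ms file and the same host opens
    SMB (tcp/445) to an external address within the window, before or after the read."""
    smb_out = [(datetime.fromisoformat(e["t"]), e) for e in events
               if e["kind"] == "net" and e["dst_port"] == 445 and is_external(e["dst_ip"])]
    alerts = []
    for e in events:
        if e["kind"] != "file" or not e["target"].lower().endswith(".library-ms"):
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()  # strip the directory, compare base name
        if image not in WATCHED:
            continue
        t0 = datetime.fromisoformat(e["t"])
        for t1, n in smb_out:
            if n["host"] == e["host"] and abs(t1 - t0) <= window:
                alerts.append({"host": e["host"], "process": image,
                               "file": e["target"], "dst_ip": n["dst_ip"]})
                break
    return alerts
```

Explorer legitimately reads the .library-ms files under a user's Libraries folder, so the file access alone is noise; the outbound SMB connection to an external address inside the window is what turns it into an alert.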
Recommendations
• Microsoft addressed this vulnerability in its March 11, 2025, Patch Tuesday updates. Ensure all Windows devices are updated immediately.
• Restrict outbound SMB traffic to prevent NTLM authentication leaks.
• Implement firewall rules to block communication to external SMB servers.
• Configure Group Policy to restrict NTLM authentication.
• Transition to Kerberos or other secure authentication methods.
• Use SIEM solutions to detect anomalous SMB traffic.
• Enable logging for NTLM authentication events.
Conclusion
CVE-2025-24071 is a severe vulnerability that allows attackers to steal NTLM credentials through
Windows File Explorer’s automatic file processing mechanism.
By exploiting .library-ms files with embedded SMB paths, threat actors can trick Windows
into automatically sending NTLMv2 hashes to attacker-controlled servers. Microsoft has patched
this issue, but organizations must act quickly to apply security updates and implement preventative
measures such as blocking untrusted SMB connections and monitoring for suspicious network
activity.
Notably, a threat actor known as “Krypt0n” allegedly exploited this vulnerability in the wild before
its public disclosure. “Krypt0n,” reportedly the developer of the malware “EncryptHub Stealer,”
allegedly offered the exploit for sale on underground forums.
References
1. Vulnerability Archives - Cyber Security News
2. Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing - PoC Released