A critical vulnerability in Windows File Explorer has been discovered that allows attackers to steal NTLM authentication hashes without any user interaction beyond extracting a ZIP archive.
Security researcher Mohammed Idrees Banyamer has published a proof-of-concept exploit for CVE-2025-24071, demonstrating how malicious .library-ms files can automatically trigger SMB authentication requests when extracted from ZIP archives.
The vulnerability affects all Windows 10 and 11 systems that support .library-ms files and SMB protocols, with testing confirmed on Windows 11 version 23H2.
The vulnerability exploits Windows Explorer’s automatic handling of .library-ms library descriptor files when they are extracted from ZIP archives.
When a victim extracts a ZIP file containing a specially crafted .library-ms file, Windows Explorer automatically initiates an SMB authentication request to a remote server specified within the file.
This behavior occurs without any additional user interaction, making it particularly dangerous for social engineering attacks.
The malicious .library-ms file contains XML markup that defines a library location pointing to an attacker-controlled SMB server.
The file structure includes a searchConnectorDescription element with a simpleLocation that specifies the UNC path to the attacker’s server.
When Windows processes this file during extraction, it automatically attempts to authenticate with the specified SMB share using the current user’s NTLM credentials.
This design flaw in Windows Explorer's library file processing creates an avenue for credential harvesting that bypasses traditional security awareness training, since users expect extracting a ZIP file to be safe.
The attack vector is particularly concerning because it leverages legitimate Windows functionality. Library files (.library-ms) are a standard Windows feature designed to create virtual folders that aggregate content from multiple locations.
However, the automatic processing of these files during ZIP extraction creates an unintended security risk that attackers can exploit to capture authentication credentials remotely.
File Explorer Vulnerability
Banyamer’s published proof-of-concept demonstrates the vulnerability’s practical exploitation through a Python-based tool that automates the creation of malicious ZIP archives.
The exploit tool generates a properly formatted .library-ms file containing XML that references an attacker’s SMB server, then packages it into a ZIP archive for distribution.
The tool requires minimal technical expertise to operate, accepting command-line parameters for the attacker’s IP address, payload filename, and output directory.
The exploit’s simplicity increases its potential for widespread abuse. Attackers only need to specify their SMB server’s IP address, and the tool generates a weaponized ZIP file ready for distribution via email, file sharing platforms, or other delivery mechanisms.
The tool includes validation for IP addresses and provides options for customizing filenames and preserving intermediate files for analysis.
Once victims extract the ZIP file, their systems automatically leak NTLM hashes to the attacker’s server, where they can be captured for offline cracking or relay attacks.
Security Implications
According to the report, this vulnerability represents a significant threat to enterprise environments where NTLM authentication remains prevalent.
Captured NTLM hashes can be subjected to offline brute-force attacks or used in pass-the-hash attacks to gain unauthorized access to additional systems.
Organizations should implement network-level protections to block outbound SMB traffic and deploy endpoint security solutions capable of detecting suspicious .library-ms file processing.
Additionally, security teams should educate users about the risks of extracting ZIP files from untrusted sources, even though this particular attack requires no user interaction beyond normal file extraction procedures.
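One way to act on the detection advice above at a mail or download gateway is to inspect ZIP archives before they reach users and flag any .library-ms entry that names a UNC path. The sketch below is an added example, not code from the researcher's tool or from Microsoft; the function names, the 1 MiB read limit and the sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# \\host or \\host\share\...; the host part also covers IPs and host@port WebDAV forms.
UNC = re.compile(r"\\\\[^\\/\s<>\"']+(?:\\[^\s<>\"']*)?")
MAX_ENTRY = 1 << 20  # inflate at most 1 MiB per entry (zip-bomb guard)


def decode(raw):
    """Descriptors may be UTF-16 with a BOM; otherwise treat as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_zip(data):
    """Return [(entry_name, [unc_paths])] for .library-ms entries naming a UNC path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as fh:
                text = decode(fh.read(MAX_ENTRY))
            # Plain text search, not an XML parse, so malformed XML is still flagged.
            paths = UNC.findall(text)
            if paths:
                findings.append((info.filename, paths))
    return findings


def constructed_sample(encoding="utf-8"):
    """Constructed archive. The fragment uses only element names from the article
    and is not a valid library file; 192.0.2.10 is a documentation address."""
    fragment = ("<searchConnectorDescription><simpleLocation>"
                r"\\192.0.2.10\share"
                "</simpleLocation></searchConnectorDescription>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Report.LIBRARY-MS", fragment.encode(encoding))
        zf.writestr("docs/readme.txt", r"see \\fileserver\public")
    return buf.getvalue()


if __name__ == "__main__":
    for name, paths in scan_zip(constructed_sample()):
        print(f"ALERT {name}: references {', '.join(paths)}")
```

A hit is a reason to quarantine the archive for review; legitimate library files that point at internal file servers will also match, so allow-list known internal hosts before alerting.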