A concerning security vulnerability has been identified in Windows File Explorer, potentially allowing malicious actors to hijack network authentication credentials. Security researcher 0x6rss, a known expert in malware and cyber threat intelligence (CTI), publicly disclosed a Proof-of-Concept (PoC) exploit on March 18, 2025, for this flaw, tracked as CVE-2025-24071. The vulnerability lies in how File Explorer handles specific archive files, and its exploitation could lead to the leakage of a user’s NTLM (New Technology LAN Manager) hash.

Understanding the NTLM Hash Disclosure Risk

The NTLM protocol is a fundamental network authentication protocol utilized by Windows systems to verify user identities. The exposure of an NTLM hash is a serious security risk, as it can be leveraged by attackers to gain unauthorized access to network resources through a technique known as a “pass-the-hash” attack. The release of a working PoC exploit significantly elevates the immediate threat level, as it provides attackers with a readily available method to potentially exploit this weakness.

How the Vulnerability Works: The Malicious Archive Threat

The vulnerability, CVE-2025-24071, carries a significant risk of confidential information leakage. The attack vector involves a specially crafted “.library-ms” file embedded within a seemingly innocuous archive, such as a RAR or ZIP file. When a user attempts to extract the contents of this malicious archive using Windows File Explorer, the “.library-ms” file is automatically processed by the system. This processing inadvertently triggers the sending of NTLM authentication information to an external, attacker-controlled server.
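As an added illustration of where a defender can intercept this file type before a user ever extracts it (this is example code written for this page, not code from the article or from the disclosed PoC): a Python check that opens a ZIP archive, reports every `.library-ms` member, and lists any UNC host the member references that falls outside private address ranges, so a mail gateway or download scanner can quarantine the archive. The archive contents, the 198.51.100.20 address, the `INTERNAL_NETS` list and the function names are all constructed for the example; `UNC_RE` is a loose matcher for `\\host\share`, not a parser of the library description schema.

```python
import io
import re
import zipfile
from ipaddress import ip_address, ip_network

# Ranges treated as internal for this example (assumption; adjust to your network).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Loose matcher for a UNC prefix (\\host\share). It is not a parser of the
# .library-ms schema; it only pulls out the host part of any UNC path in the text.
UNC_RE = re.compile(r"\\\\([^\\\s<>]+)\\")


def is_external_host(host: str) -> bool:
    """IP literals outside INTERNAL_NETS are external; dotted names are treated as
    external and bare single-label names (NetBIOS style) as internal."""
    try:
        ip = ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def scan_archive(data: bytes) -> list:
    """Report every .library-ms member of a ZIP and the UNC hosts it references."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hosts = UNC_RE.findall(text)
            findings.append({
                "member": info.filename,
                "unc_hosts": hosts,
                "external_hosts": [h for h in hosts if is_external_host(h)],
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file plus a .library-ms member whose only
    notable content is a UNC reference to a TEST-NET-2 address (198.51.100.20).
    The XML fragment is illustrative, not a complete library description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "quarterly report\n")
        zf.writestr("report.library-ms",
                    "<libraryDescription><simpleLocation>"
                    "<url>\\\\198.51.100.20\\share</url>"
                    "</simpleLocation></libraryDescription>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        verdict = "BLOCK" if finding["external_hosts"] else "REVIEW"
        print(verdict, finding)
```

The verdict logic is deliberately conservative: a `.library-ms` member is reported even when it references only internal hosts, because legitimate archives rarely carry one at all, and a reference to an external host is grounds to block the archive outright.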

CVSS Score Indicates High Severity

Microsoft has assigned this vulnerability a Common Vulnerability Scoring System (CVSS) v3.1 score of 7.5, classifying its severity as “Important” or “High.” This rating underscores the potential impact of a successful exploit, emphasizing the urgency for users and administrators to take immediate action.

The Pass-the-Hash Attack Scenario

To successfully obtain NTLM hashes via the Server Message Block (SMB) protocol, attackers would typically embed the crafted “.library-ms” file within an archive. Once a victim unknowingly extracts this archive, Windows automatically initiates an authentication request to a remote server specified within the malicious file. The attacker, controlling this remote server, can then capture the NTLMv2 hash. This captured hash can then be used to perform a pass-the-hash attack, allowing the attacker to impersonate the compromised user and gain access to other network resources without needing the actual password.
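The scenario above leaves a network-level trace: the automatic authentication is an outbound SMB connection (destination port 445) to an address that is not on the local network, which a host firewall log records whether or not the connection was allowed. As an added example (not from the article), the Python below parses constructed lines in the space-separated layout of the Windows Defender Firewall log (`pfirewall.log`, whose `#Fields` header names the columns and whose last column is `SEND` or `RECEIVE`) and reports outbound TCP 445 connections to non-private destinations. The timestamps, addresses, `INTERNAL_NETS` list and function names are all made up for the example.

```python
from ipaddress import ip_address, ip_network

# Ranges treated as internal for this example (assumption; adjust to your network).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SMB_PORT = 445

# Constructed log lines in the pfirewall.log layout. Line 2 is the pattern of a
# successful leak (outbound 445 to an external host); line 5 is the same attempt
# blocked by an outbound rule; the rest is ordinary traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-19 10:15:02 ALLOW TCP 192.168.1.20 192.168.1.5 49831 445 0 - 0 0 0 - - - SEND
2025-03-19 10:15:03 ALLOW TCP 192.168.1.20 198.51.100.20 49832 445 0 - 0 0 0 - - - SEND
2025-03-19 10:15:04 ALLOW TCP 192.168.1.20 203.0.113.7 49833 443 0 - 0 0 0 - - - SEND
2025-03-19 10:15:05 ALLOW TCP 198.51.100.20 192.168.1.20 445 49832 0 - 0 0 0 - - - RECEIVE
2025-03-19 10:16:10 DROP TCP 192.168.1.21 198.51.100.20 49900 445 0 - 0 0 0 - - - SEND
"""


def is_internal(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # unparsable address: do not assume it is local
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict for a data line, or None for blank, comment or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8 or not parts[7].isdigit():
        return None
    return {
        "time": f"{parts[0]} {parts[1]}",
        "action": parts[2],
        "proto": parts[3],
        "src": parts[4],
        "dst": parts[5],
        "dport": int(parts[7]),
        "path": parts[-1],
    }


def find_external_smb(lines) -> list:
    """Outbound TCP connections to port 445 whose destination is not internal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "TCP" or rec["dport"] != SMB_PORT or rec["path"] != "SEND":
            continue
        if is_internal(rec["dst"]):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["action"]:5} {hit["src"]} -> {hit["dst"]}:{SMB_PORT}')
```

An `ALLOW` hit is the one to treat as a probable credential leak from that source host; a `DROP` hit shows that an outbound block on TCP 445 to non-local addresses, a common companion control for NTLM-leak bugs of this kind, stopped the attempt. Either way the patch the article describes remains the actual fix.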

Publicly Available PoC Amplifies the Danger

The publication of the PoC exploit by 0x6rss on the popular developer platform GitHub is a significant development. This makes the exploit readily accessible to anyone, including malicious actors, thereby increasing the likelihood of real-world exploitation. Reproducing the vulnerability is now a relatively straightforward process, requiring minimal technical expertise beyond understanding the provided code.

Real-World Exploitation Already Suspected

Disturbingly, there are indications that this vulnerability might already be under active exploitation in the wild. Reports suggest that a similar attack vector was being offered for sale by a threat actor known as “Krypt0n” on the cybercrime forum xss. This suggests that attackers were aware of and potentially leveraging this type of vulnerability even before the public disclosure of CVE-2025-24071. The ability to harvest victims’ credentials through this method provides a valuable initial foothold for launching further unauthorized access attempts or more sophisticated secondary attacks within a compromised network.

Immediate Mitigation: Apply the March 2025 Security Update

The good news is that a fix for CVE-2025-24071 has already been included in Microsoft’s cumulative update for March 2025. Therefore, users and system administrators who operate affected Windows systems are strongly advised to apply the latest security updates as soon as possible. This update contains the necessary patches to address the vulnerability and prevent its exploitation.

Steps to Take for Protection:

  • Immediately install the latest Windows security updates. This is the most critical step in mitigating the risk posed by CVE-2025-24071. Ensure all affected systems are updated promptly.
  • Exercise caution when opening archive files from untrusted sources. Even with the patch applied, it’s a good security practice to be wary of unexpected or suspicious archive files.
  • Educate users about the potential threat. Ensure that users understand the risks associated with extracting files from unknown sources and the importance of keeping their systems updated.
  • Consider alternative file extraction tools. While the vulnerability resides in Windows File Explorer, using reputable third-party archiving tools might offer an additional layer of security, although applying the official patch remains the primary and most effective solution.

Conclusion: Prioritize Patching to Prevent Network Hijacking

The discovery and public disclosure of the CVE-2025-24071 vulnerability in Windows File Explorer present a significant security risk. The potential for NTLM hash disclosure and subsequent network authentication hijacking is a serious threat that demands immediate attention. With a PoC exploit now readily available and potential in-the-wild exploitation already suspected, applying the March 2025 cumulative update from Microsoft is paramount. Users and administrators must prioritize patching their systems to safeguard against this critical flaw and protect their network credentials from malicious actors. Staying informed about emerging security threats and proactively applying security updates are essential components of maintaining a secure computing environment.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.