CVE-2025-24071

Name of the Vulnerable Software and Affected Versions Microsoft Windows File Explorer (affected versions not specified)

Description A security flaw in Windows File Explorer allows attackers to capture NTLM hashed credentials when a user opens a folder containing a specially crafted .library-ms file embedded within a RAR or ZIP archive. The vulnerability is triggered automatically upon extraction of the archive; no user interaction beyond extraction is required. This allows attackers to perform network spoofing and potentially gain unauthorized access to systems. The vulnerability has been actively exploited in the wild, and a proof-of-concept (PoC) is publicly available. The issue stems from Windows Explorer automatically initiating an SMB authentication request when processing the .library-ms file, leading to the disclosure of NTLM hashes. Attackers have been observed using this vulnerability in phishing campaigns, and it has been reported that the vulnerability was offered for sale on underground forums. The vulnerability is related to the processing of UNC paths within the .library-ms file. Some reports indicate the vulnerability has been exploited through malicious documents containing links to SMB resources.

Recommendations Apply the latest security updates released by Microsoft for Windows File Explorer.