Microsoft · Windows NTLM · CVE-2025-24054
**Name of the Vulnerable Software and Affected Versions**
Microsoft Windows versions prior to March 11, 2025
**Description**
External control of file names or paths in the Windows NTLM (NT LAN Manager) protocol allows an unauthorized attacker to perform spoofing over a network. This issue, specifically affecting the File Explorer component, can lead to the disclosure of NTLM hashes. Attackers can exploit this by convincing a user to unpack a malicious archive or open malicious `.library-ms` files, which triggers Windows Explorer to automatically initiate an SMB authentication request to an attacker-controlled SMB server. Real-world incidents have been recorded, including global phishing campaigns and targeted attacks against government entities in Poland and Romania, potentially linked to APT28.
**Recommendations**
Update to the security patch released on March 11, 2025.
Restrict the use of NTLM.
Avoid opening or unpacking unknown files from untrusted sources.
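
To support the last recommendation, the following added example (not part of the original advisory or any vendor tooling) scans a ZIP archive before it is unpacked and reports `.library-ms` members that point at a remote SMB location, the pattern described above. It assumes the location is carried in a `<url>` element, as in the Windows library description schema; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# A <url> element whose value is a UNC path (\\host\share) or file://host/...
REMOTE_URL = re.compile(
    r"<url>\s*(\\\\[^\\\s<]+\\[^<]*?|file://[^/\s<][^<]*?)\s*</url>", re.IGNORECASE)
MAX_MEMBER_BYTES = 1_000_000  # library files are small; oversized members are skipped


def remote_targets(raw: bytes) -> list[str]:
    """Return remote locations referenced by one .library-ms document."""
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")  # honour a UTF-16 byte-order mark
    text = raw.decode("utf-16" if utf16 else "utf-8", errors="replace")
    return REMOTE_URL.findall(text)


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each .library-ms member of a ZIP to the remote paths it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            hits = remote_targets(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample() -> bytes:
    """Constructed test archive; 198.51.100.7 is a documentation-range address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.library-ms",
                    "<libraryDescription><url>\\\\198.51.100.7\\share</url></libraryDescription>")
        zf.writestr("local.library-ms",
                    "<libraryDescription><url>C:\\Users\\Public</url></libraryDescription>")
        zf.writestr("readme.txt", "see \\\\fileserver\\docs")  # not a library file
    return buf.getvalue()


if __name__ == "__main__":
    for name, targets in scan_archive(build_sample()).items():
        print(f"{name}: remote location(s) {targets}")
```

Only library files are inspected, so local paths and UNC strings in other file types produce no finding; a hit is a reason to quarantine the archive, not proof of malicious intent.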