PT-2025-10816 · Microsoft · Windows File Explorer +1

Skorikari +1 · Published 2025-03-11 · Updated 2025-11-30 · CVE-2025-24071

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions prior to the March 2025 Patch Tuesday

Description

A security flaw in Windows File Explorer allows an attacker to capture NTLM hashed credentials when a user opens a folder containing a specially crafted .library-ms file embedded within a RAR or ZIP archive. The vulnerability occurs because Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a compressed archive, leading to NTLM hash disclosure. The user does not need to open or execute the file; simply extracting it is sufficient to trigger the vulnerability.

This issue has been actively exploited in the wild, with reports indicating it may have been offered for sale on underground forums. Attackers can leverage this flaw to perform network spoofing and potentially gain unauthorized access to systems. The vulnerability is triggered by the automatic processing of .library-ms files by Windows Explorer, which attempts to resolve SMB paths contained within these files. This process inadvertently transmits NTLM hashes to a controlled SMB server, enabling credential theft. The vulnerability has been observed in phishing campaigns targeting both government and private organizations.

Recommendations

Apply the March 2025 Patch Tuesday security updates to mitigate this vulnerability.
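
As a supplementary screening step for inbound archives (an added example, not part of the original advisory or any vendor tooling), the following Python sketch flags ZIP members named `.library-ms` and reports any remote SMB-style references they contain. It covers ZIP only, since the standard library has no RAR reader; the function names, the verdict labels and the sample host `files.example.invalid` are assumptions made for the example.

```python
import io
import re
import zipfile

# UNC path (\\host\share) or a file:// URL that names a remote host.
REMOTE_REF = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s<>"]+|file://[A-Za-z0-9._-]+/', re.I)

def decode(raw: bytes) -> str:
    """Library files are XML text; accept UTF-16 with a BOM as well as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_zip(data: bytes, max_member=1_000_000):
    """Return [(member_name, [remote references])] for every .library-ms member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > max_member:  # fail closed instead of inflating it
                findings.append((info.filename, ["<oversized, not inspected>"]))
                continue
            text = decode(zf.read(info))
            findings.append((info.filename, sorted(set(REMOTE_REF.findall(text)))))
    return findings

def verdict(findings):
    """'block' if a member references a remote host (or was too large to inspect),
    'review' if a .library-ms member is merely present, 'pass' otherwise."""
    if any(refs for _, refs in findings):
        return "block"
    return "review" if findings else "pass"

def build_sample(members: dict) -> bytes:
    """Constructed test input: an in-memory ZIP holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed fragment, not a valid library description; host is a placeholder.
    sample = build_sample({
        "docs/readme.txt": b"hello",
        "docs/Reports.library-ms": rb"<url>\\files.example.invalid\share</url>",
    })
    print(verdict(scan_zip(sample)), scan_zip(sample))
```

Because `.library-ms` files rarely arrive legitimately inside archives, the `review` verdict is worth surfacing even when no remote reference is found.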

Exploit

Fix

LPE

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-02757
CVE-2025-24071

Affected Products

Windows
Windows File Explorer