PT-2025-10816 · Microsoft · Windows File Explorer +1

Skorikari +1 · Published 2025-03-11 · Updated 2025-10-16 · CVE-2025-24071

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Windows File Explorer (affected versions not specified)

Description

A security issue exists in Windows File Explorer that allows an attacker to steal NTLM hashed credentials when a user extracts a specially crafted archive (RAR or ZIP) containing a malicious .library-ms file. The vulnerability is triggered automatically upon extraction, without requiring the user to open or execute the file. This can lead to network spoofing and potential compromise of user accounts. The vulnerability has been actively exploited in the wild and a proof-of-concept (PoC) is publicly available. Attackers can leverage this flaw to initiate SMB authentication requests, leading to the disclosure of NTLM hashes. The issue stems from the automatic processing of .library-ms files by Windows Explorer, which attempts to resolve SMB paths embedded within them. This behavior can be exploited even if the file is not explicitly opened. Some reports indicate the vulnerability was offered for sale in underground forums prior to the release of a patch. The vulnerability has been observed in attacks targeting organizations in Russia and Belarus, often disguised as PDF documents.

Recommendations

Apply the latest security updates released by Microsoft in the March 2025 Patch Tuesday to address this vulnerability.
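
A defender-side check for the behaviour described above, as an added example that is not part of the original advisory: it inspects a ZIP before it reaches a user, lists every .library-ms member and reports any UNC (SMB) host that member references. RAR is not covered because Python's standard library cannot read it; the function names, verdict labels and sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# UNC path of the form \\host\share (host may be a name or an IPv4 address).
UNC_PATH = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\([^\s<>\"'\\]+)")
MAX_MEMBER_BYTES = 1_000_000  # library files are small; cap reads against zip bombs


def to_utf8(raw: bytes) -> bytes:
    """Normalise UTF-16 content (detected by BOM) so one regex covers both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace").encode("utf-8")
    return raw


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per .library-ms member, with the remote hosts it names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as fh:
                body = to_utf8(fh.read(MAX_MEMBER_BYTES))
            hosts = sorted({m.group(1).decode().lower() for m in UNC_PATH.finditer(body)})
            # A library file pointing at a remote share is the risky case;
            # any other .library-ms in inbound mail still deserves a look.
            findings.append({"member": info.filename, "remote_hosts": hosts,
                             "verdict": "block" if hosts else "review"})
    return findings


def build_sample() -> bytes:
    """Constructed test archive: harmless fragments, not valid library files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf.library-ms",
                    "<constructed>\\\\fileserver.example\\share</constructed>")
        zf.writestr("notes.txt", "see \\\\fileserver.example\\share")
        zf.writestr("local.library-ms", "<constructed>C:\\Users\\Public</constructed>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

A "block" verdict fits quarantine at a mail or web gateway; hosts collected in remote_hosts can also be matched against outbound SMB connection logs to find machines where extraction already took place.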

Exploit

Fix

LPE

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-02757
CVE-2025-24071

Affected Products

Windows
Windows File Explorer