Windows Explorer - NTLM Hash Disclosure via .library-ms in ZIP Archive

2025.06.04
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

#!/usr/bin/env python3
# Exploit Title: Windows Explorer - NTLM Hash Disclosure via .library-ms in ZIP Archive
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub: @mbanyamer
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
# Windows Explorer automatically initiates an SMB authentication request when a
# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
# (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
# No user interaction is required beyond extraction.
# Country : Jordan

Description:
CVE-2025-24071 is a vulnerability that allows attackers to capture a victim's NTLMv2 hash automatically upon extracting a specially crafted RAR or ZIP archive containing a .library-ms file. This file references an attacker-controlled SMB path within its <simpleLocation> tag. Once the archive is extracted, Windows Explorer and the Windows Search Indexing service (SearchProtocolHost.exe) automatically parse the .library-ms file to generate metadata, icons, or previews. This parsing process initiates an unsolicited SMB connection to the attacker's server, resulting in the NTLMv2 hash of the victim being sent without any user interaction.

Impact:
NTLMv2 hash disclosure
Enables pass-the-hash attacks
Facilitates lateral movement within internal networks

Exploitation Steps:
1. Create a .library-ms file pointing to a remote SMB share.
2. Compress it into a RAR or ZIP archive.
3. Deliver the archive to the target.
4. Upon extraction, the victim's system initiates an SMB request to the attacker, leaking the NTLM hash.

Requirements:
Windows system with Explorer and Indexing Services enabled
Outbound SMB traffic not restricted

Mitigation:
Block outbound SMB (ports 445 and 139)
Disable Windows Search Indexing if unnecessary
Avoid extracting archives from untrusted sources
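The advisory's mitigation list stops at network blocking and user caution; a mail gateway or download scanner can additionally catch the archive before extraction by looking for exactly the artifact the advisory describes: a .library-ms entry whose <simpleLocation> <url> points at a remote host (a UNC path, its forward-slash form, or a file:// URL) instead of a local folder. The scanner below is an added example written for this page; it is not part of the original advisory or of the author's exploit. The library-ms XML template, the entry names, and the host `smb.example.invalid` are constructed placeholders; the only facts it relies on are the file extension and the <simpleLocation> element named in the advisory.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Location shapes that make Explorer / SearchProtocolHost reach out over SMB:
# a UNC path (\\host\share), its forward-slash form, or a file:// URL.
REMOTE_URL_RE = re.compile(r'^(\\\\[^\\/]+|//[^/]+|file://)', re.IGNORECASE)
# Fallback sweep for UNC paths when the XML does not parse at all.
UNC_SWEEP_RE = re.compile(r'\\\\[^\\\s<"]+\\[^\s<"]*')


def local_name(tag):
    """Drop the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit('}', 1)[-1]


def find_remote_locations(xml_bytes):
    """Return every <simpleLocation><url> value that points at a remote host."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        # Malformed XML should still be reported, not silently skipped.
        return UNC_SWEEP_RE.findall(xml_bytes.decode('utf-8', 'replace'))
    hits = []
    for loc in root.iter():
        if local_name(loc.tag) != 'simpleLocation':
            continue
        for child in loc.iter():
            text = (child.text or '').strip()
            if local_name(child.tag) == 'url' and REMOTE_URL_RE.match(text):
                hits.append(text)
    return hits


def scan_archive(zip_bytes):
    """Scan a ZIP held in memory; return [(entry name, [remote urls])] for .library-ms entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith('.library-ms'):
                remote = find_remote_locations(zf.read(info.filename))
                if remote:
                    findings.append((info.filename, remote))
    return findings


# --- constructed sample input (not taken from the advisory) -----------------

def make_library_ms(url):
    """Minimal library description with one simpleLocation (constructed for this example)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\n'
        '  <searchConnectorDescriptionList><searchConnectorDescription>\n'
        f'    <simpleLocation><url>{escape(url)}</url></simpleLocation>\n'
        '  </searchConnectorDescription></searchConnectorDescriptionList>\n'
        '</libraryDescription>\n'
    ).encode('utf-8')


def build_sample_archive():
    """ZIP with a benign and a remote-pointing library file; the host is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('readme.txt', 'nothing to see here\n')
        zf.writestr('local.library-ms', make_library_ms(r'C:\Users\Public\Documents'))
        zf.writestr('remote.library-ms', make_library_ms(r'\\smb.example.invalid\share'))
    return buf.getvalue()


if __name__ == '__main__':
    for name, urls in scan_archive(build_sample_archive()):
        print(f'{name}: remote location(s) {urls}')
```

Matching on the namespace-stripped local name keeps the check working whether or not a sample carries the schema namespace, and the regex fallback means a deliberately broken XML body is still flagged rather than skipped. A local drive path such as C:\Users\Public\Documents is the legitimate content of a library file and produces no finding.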


Copyright 2025, cxsecurity.com