Skip to main content

Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure

Medium
Published: Thu May 29 2025 (05/29/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure

AI-Powered Analysis

AILast updated: 06/11/2025, 21:16:16 UTC

Technical Analysis

This security threat, identified as CVE-2025-24071, involves an information disclosure vulnerability in Windows File Explorer on Windows 11 version 23H2 and Windows 10 systems supporting .library-ms files and SMB protocol. The vulnerability arises because Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a ZIP archive. This automatic behavior causes the system to send NTLM authentication hashes to the remote SMB server specified in the .library-ms file without requiring additional user interaction beyond extracting the ZIP archive. The attacker can craft a malicious .library-ms file that points to an SMB share under their control. When the victim extracts the ZIP archive containing this file, Windows Explorer attempts to connect to the attacker's SMB server, leaking the victim's NTLM hashed credentials. These hashes can then be captured and potentially cracked offline to gain unauthorized access to the victim's network resources. The exploit code, written in Python 3, automates the creation of the malicious .library-ms file and packages it into a ZIP archive for delivery. The exploit requires no user interaction beyond extracting the ZIP file, making it a stealthy and effective vector for credential theft. The vulnerability affects all Windows 10 and 11 versions that support .library-ms and SMB, with confirmed testing on Windows 11 23H2. No patch or mitigation from Microsoft is currently linked, and no known exploits are reported in the wild yet. The attack is remote in nature and leverages Windows Explorer's default behavior, which is difficult to disable without impacting usability.

Potential Impact

For European organizations, this vulnerability poses a significant risk to credential confidentiality and network security. NTLM hashes leaked to an attacker-controlled SMB server can be used to perform pass-the-hash attacks, lateral movement, and privilege escalation within corporate networks. Given the widespread use of Windows 10 and 11 in European enterprises, especially in sectors like finance, government, and critical infrastructure, the potential for unauthorized access and data breaches is high. The stealthy nature of the attack—requiring only ZIP extraction—means that phishing campaigns or malicious file deliveries could easily exploit this vulnerability. The impact extends beyond individual endpoints to the broader network, as compromised credentials can facilitate further exploitation and data exfiltration. Additionally, the lack of user interaction requirement increases the risk of automated or mass exploitation campaigns. This could lead to significant operational disruption, loss of sensitive data, and reputational damage for affected organizations.

Mitigation Recommendations

Specific mitigation steps include: 1) Educate users and administrators to be cautious when extracting ZIP files from untrusted or unknown sources, especially those containing .library-ms files. 2) Implement network-level SMB traffic monitoring and filtering to detect and block unauthorized outbound SMB connections, particularly to external IP addresses. 3) Use endpoint detection and response (EDR) tools to monitor for unusual SMB authentication attempts originating from Windows Explorer processes. 4) Disable or restrict the use of .library-ms files via Group Policy or software restriction policies where feasible, to prevent automatic SMB requests triggered by these files. 5) Enforce the use of SMB signing and NTLMv2 authentication to reduce the risk of hash capture and replay attacks. 6) Apply network segmentation to limit SMB traffic exposure and isolate critical systems. 7) Regularly audit and enforce strong password policies and consider deploying multi-factor authentication (MFA) to reduce the impact of compromised NTLM hashes. 8) Monitor security advisories from Microsoft for patches addressing this vulnerability and apply them promptly once available. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and Windows Explorer behavior.

Need more detailed analysis?Get Pro

Technical Details

Edb Id
52310
Has Exploit Code
true
Code Language
python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure

#!/usr/bin/env python3
# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub:https://github.com/mbanyamer 
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
#   Windows Explorer automat
... (3025 more characters)
Code Length: 3,525 characters

Threat ID: 68489d7e7e6d765d51d525a5

Added to database: 6/10/2025, 9:02:54 PM

Last enriched: 6/11/2025, 9:16:16 PM

Last updated: 8/18/2025, 9:49:55 AM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats