PoC Exploit Released for Windows Explorer Vulnerability Exposing NTLM Hashes

Summary: A security vulnerability identified as CVE-2025-24071 enables NTLM hash leakage from Windows systems when maliciously crafted .library-ms files are extracted from RAR/ZIP archives. This flaw, which has a CVSS score of 7.5, arises from Windows Explorer’s automatic handling of these files, which leads to unintended NTLM authentication handshakes with attacker-controlled SMB servers. The vulnerability has been observed in active exploitation, a proof-of-concept is available online, and Microsoft recently patched it.

Affected: Windows Explorer, Microsoft

Key points:

  • Vulnerability CVE-2025-24071 allows NTLM hash leakage upon extracting specific .library-ms files.
  • Windows Explorer’s automated processing of files initiates NTLM authentication without user consent.
  • This flaw has been actively exploited, with a proof-of-concept and a Metasploit module available online.
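For triage before extraction, the following added example (not from the source article or from Microsoft) scans a ZIP archive for .library-ms members that name a remote host. It assumes the remote location appears in the file text as a UNC path (`\\host\share`), covers ZIP only because the Python standard library has no RAR reader, and uses constructed placeholder members rather than valid library files.

```python
import io
import re
import zipfile

# Assumption: a remote location shows up in the file text as a UNC path (\\host\share).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\\\s<>\"]+")
MAX_MEMBER_BYTES = 1_000_000  # skip oversized members instead of reading them fully


def decode_text(raw: bytes) -> str:
    """Decode a member as UTF-16 when a BOM is present, otherwise UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per .library-ms member that names a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Extension match is case-insensitive and applies at any directory depth.
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "hosts": [], "note": "too large to inspect"})
                continue
            text = decode_text(zf.read(info))
            hosts = sorted({m.group(1).lower() for m in UNC_RE.finditer(text)})
            if hosts:
                findings.append({"member": info.filename, "hosts": hosts, "note": "remote UNC reference"})
    return findings


def build_sample() -> bytes:
    """Constructed test archive; member bodies are placeholders, not valid library files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Report.LIBRARY-MS", "<x>\\\\files.example.test\\share</x>".encode("utf-16"))
        zf.writestr("local.library-ms", "<x>C:\\Users\\Public\\Documents</x>")
        zf.writestr("readme.txt", "\\\\ignored.example.test\\share")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

A finding is a reason to quarantine the archive for review, not proof of malice; an empty result does not clear an archive, since only ZIP members with a literal UNC path are checked.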

Source: https://securityonline.info/poc-released-windows-explorer-cve-2025-24071-vulnerability-exposes-ntlm-hashes/