CVE-2025-24071 | Windows File Explorer | spoofing
| Vulnerability | CVE-2025-24071 |
|---|---|
| Type | Spoofing Vulnerability in Windows File Explorer |
| Description | CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that allows attackers to capture NTLM hashes via malicious .library-ms files. This vulnerability leverages Windows Explorer’s automatic processing of .library-ms files that reference external SMB shares. When a crafted .library-ms file is opened (or even extracted from an archive), Windows initiates an SMB authentication attempt to the attacker-controlled server, exposing the user’s NTLM hash. This attack requires no further user interaction beyond extracting/opening the file. |
| The Impact of the Bug | The primary impact of CVE-2025-24071 is the potential exposure of NTLM hashes, which can lead to credential theft and subsequent lateral movement or privilege escalation within a network. The vulnerability exists because Windows Explorer automatically parses .library-ms files, triggering an outbound SMB request to the attacker’s server. Successful exploitation allows an attacker to harvest NTLM hashes, which can be cracked offline or relayed in NTLM relay attacks. This issue affects various Windows versions, including Windows 10, Windows 11, and Windows Server (2012 R2 to 2025). |
| How to detect whether you are exposed to this attack vector | 1. Identify the Windows version:<br>- Verify the Windows version you are running (affected versions include Windows 10/11 and Windows Server 2012 R2–2025).<br>2. Check for patch installation:<br>- Use the Microsoft Security Update Guide entry for CVE-2025-24071 to confirm that the relevant security updates are installed.<br>3. Monitor network traffic:<br>- Watch for outbound SMB traffic on unusual ports or to untrusted IP addresses using network monitoring tools.<br>- Look for NTLM authentication attempts to external SMB servers.<br>4. Test for the vulnerability:<br>- Use the available Proof-of-Concept (PoC) tools from the following repositories:<br>- https://github.com/ThemeHackers/CVE-2025-24071<br>- https://github.com/FOLKS-iwd/CVE-2025-24071-msfvenom<br>- These tools generate malicious .library-ms files to check whether a system automatically initiates SMB authentication. |
| References | - https://github.com/ThemeHackers/CVE-2025-24071<br>- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24071<br>- https://nvd.nist.gov/vuln/detail/CVE-2025-24071<br>- https://nsfocusglobal.com/windows-file-explorer-spoofing-vulnerability-cve-2025-24071/ |
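The detection steps above are easier to operationalise with a small script. The following Python is an added example written for this entry; it is not code from the page or from the PoC repositories it links. It implements two defender-side checks: step 3 (outbound SMB on TCP 445 to addresses outside the organisation's own ranges) over constructed connection-log lines, and a file-level check that parses a .library-ms document and lists any `<url>` entry that is a UNC path to a host not on a trusted list. The log format, the internal address ranges in `INTERNAL_NETS`, the trusted host names and the sample library files are all constructed assumptions; the XML namespace is the Windows Library Description schema, but the function matches the `url` tag by local name so it works whether or not the namespace is declared.

```python
"""Defender-side checks for the CVE-2025-24071 exposure described in the entry above.

Added example, not code from the page or from the PoC repositories it links.
Two checks that map to the detection steps in the table:
  * flag_external_smb()    - step 3: outbound SMB (TCP 445) to addresses outside
                             the organisation's own ranges in connection logs.
  * external_unc_targets() - file-level check: a .library-ms file whose <url>
                             points at a UNC path (\\\\host\\share) on a host that
                             is not in the trusted list.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# ASSUMPTION: these RFC 1918 ranges are the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ASSUMPTION: a simple constructed connection-log format, not any vendor's:
# "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def flag_external_smb(lines):
    """Return (src, dst) pairs for TCP 445 connections leaving the internal ranges."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("dport") != "445":
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if not any(dst in net for net in INTERNAL_NETS):
            hits.append((m.group("src"), str(dst)))
    return hits


def external_unc_targets(xml_text, trusted_hosts=()):
    """List <url> values in a .library-ms document that are UNC paths to untrusted hosts.

    The library description is XML in the Windows Library Description namespace;
    the tag is matched by local name so files with or without the namespace
    declaration are both handled.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "url":
            continue
        target = (el.text or "").strip()
        if target.startswith("\\\\"):
            host = target[2:].split("\\", 1)[0].lower()
            if host not in trusted:
                findings.append(target)
    return findings


# ---- constructed sample inputs ---------------------------------------------
SAMPLE_FLOWS = [
    "2025-03-12T10:01:02Z src=192.168.1.20:51000 dst=192.168.1.5:445 proto=tcp",   # internal file server
    "2025-03-12T10:01:07Z src=192.168.1.20:51001 dst=203.0.113.9:445 proto=tcp",   # SMB to an external host
    "2025-03-12T10:01:09Z src=192.168.1.20:51002 dst=203.0.113.9:443 proto=tcp",   # HTTPS, not SMB
]

# Benign library (constructed): points at the Documents known folder only.
SAMPLE_LIBRARY_BENIGN = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Suspicious library (constructed): one approved server, one unknown host.
SAMPLE_LIBRARY_SUSPECT = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\fileserver01\\shared</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\untrusted-host.example\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    print("external SMB:", flag_external_smb(SAMPLE_FLOWS))
    print("benign library:", external_unc_targets(SAMPLE_LIBRARY_BENIGN, ("fileserver01",)))
    print("suspect library:", external_unc_targets(SAMPLE_LIBRARY_SUSPECT, ("fileserver01",)))
```

Run it as a script to see both checks against the embedded samples, or feed `flag_external_smb()` real flow logs reformatted to the assumed pattern and `external_unc_targets()` the contents of .library-ms files found in mail attachments or download folders. The file check only reports an outbound reference; whether the host is reachable from the client is what the network check answers, so the two are meant to be read together.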