About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has likely been available for purchase since November 2024.

The point is this. When Windows File Explorer detects a .library-ms file in a folder, it automatically starts parsing it. If the file contains a link to a remote SMB share, an NTLM authentication handshake begins. An attacker controlling the SMB share can intercept the NTLMv2 hash, crack it, or use it in pass-the-hash attacks.

But how does an attacker deliver such a file to the victim? It turns out that just extracting a ZIP/RAR archive with the file is enough to trigger the exploit. No need to open the file.

This is super effective for phishing. 😱

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.