CVE-2025-24071: 
vulnerability analysis and mitigation

CVE-2025-24071 is a security vulnerability discovered in Windows File Explorer that allows exposure of sensitive information to unauthorized actors. The vulnerability was disclosed on March 11, 2025, affecting various versions of Microsoft Windows operating systems including Windows 10, Windows 11, and Windows Server editions (NVD).

The vulnerability resides in how Windows Explorer handles '.library-ms' files within archives. When a specially crafted .library-ms file containing an SMB path is compressed within a RAR/ZIP archive and subsequently extracted, Windows Explorer automatically parses the contents due to its built-in indexing and preview mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD, Security Online).

The vulnerability allows attackers to capture NTLM hashes when victims extract specially crafted files. Upon extraction, Windows Explorer attempts to resolve SMB paths automatically to gather metadata and index file information, triggering an implicit NTLM authentication handshake from the victim's system to an attacker-controlled SMB server. This results in the exposure of the victim's NTLMv2 hash without requiring any explicit user interaction (Security Online).

Microsoft has addressed this vulnerability in their March 2025 Patch Tuesday release. Security updates are available for multiple Windows versions including Windows 10 (KB5053618, KB5053594, KB5053596, KB5053606), Windows 11 (KB5053602, KB5053598), and various Windows Server editions (Rapid7).