In March 2025, a critical vulnerability identified as CVE-2025-24071 was discovered in Windows File Explorer, exposing systems to potential NTLM hash leakage without user interaction. This flaw underscores the delicate balance between user convenience and system security.

Background and Discovery

CVE-2025-24071 exploits Windows File Explorer's automatic processing of INLINECODE0 files—XML-based configurations that define library locations. Attackers can embed malicious SMB paths within these files inside compressed archives like RAR or ZIP. Upon extraction, Windows Explorer automatically parses these files, initiating an NTLM authentication handshake with an attacker-controlled SMB server, thereby leaking the user's NTLM hash. (securityonline.info)

Technical Details

  • Exploit Mechanism: An attacker crafts a INLINECODE1 file containing an SMB path pointing to a malicious server. When extracted, Windows Explorer's automatic processing triggers an NTLM authentication request to the attacker's server, transmitting the user's NTLM hash. (securityonline.info)
  • Impact: The leaked NTLM hash can be exploited in pass-the-hash attacks, allowing unauthorized access to network resources. The CVSS score of 7.5 categorizes this vulnerability as high-risk, necessitating prompt attention from users and IT administrators. (securityonline.info)

Affected Systems

The vulnerability affects multiple Windows versions, including:

  • Windows 10: Versions 1607, 1809, 21H2, 22H2, 23H2, and 24H2.
  • Windows 11: Versions 22H2, 23H2, and 24H2.
  • Windows Server: 2012 R2, 2016, 2019, 2022, and 2025. (securityonline.info)

Exploitation and Mitigation

A proof-of-concept exploit demonstrating this vulnerability was released on GitHub, highlighting the ease of exploitation. Microsoft addressed the issue in its March 2025 Patch Tuesday updates. Users are strongly advised to apply these updates immediately to mitigate potential risks. (securityonline.info)

Broader Implications

This incident highlights the need for vigilance in system configurations and the importance of timely updates. It also emphasizes the necessity of transitioning away from outdated authentication protocols like NTLM, which have been criticized for inherent vulnerabilities. (securityonline.info)

Conclusion

CVE-2025-24071 serves as a stark reminder of the complexities in balancing user convenience with system security. By understanding the technical details and promptly applying the necessary patches, users and organizations can safeguard their systems against such vulnerabilities.

Summary

CVE-2025-24071 is a critical vulnerability in Windows File Explorer that allows attackers to leak NTLM hashes without user interaction. Prompt application of security patches is essential to mitigate potential risks.

Meta Description

Explore CVE-2025-24071, a critical Windows File Explorer vulnerability exposing NTLM hashes, and learn about its impact and mitigation strategies.

Tags

cve-2025-24071, cybersecurity, ntlm hash, security, security patch, security vulnerability, vulnerability, windows file explorer

Reference Links