Listen to this Post
In the ever-evolving landscape of cybersecurity, understanding the intricacies of vulnerabilities is crucial. One such vulnerability, CVE-2025-24071, has recently come to light, involving the leakage of NTLM hashes during the extraction of RAR or ZIP files, particularly when dealing with `.library-ms` files. This vulnerability can be exploited by threat actors to gain unauthorized access to systems, making it a significant concern for IT professionals and cybersecurity experts.
You Should Know:
To better understand and mitigate this vulnerability, let’s delve into the technical details and practical steps you can take to protect your systems.
Understanding the Vulnerability:
CVE-2025-24071 exploits the way Windows handles `.library-ms` files during the extraction of compressed archives like RAR or ZIP. When a user extracts such an archive, the system may inadvertently send NTLM hashes to a remote server, which can then be captured by an attacker. This can lead to credential theft and further exploitation of the compromised system.
Practical Steps to Mitigate the Risk:
1. Disable WebClient Service:
The WebClient service is often used to handle WebDAV requests, which can be exploited in this vulnerability. Disabling this service can help mitigate the risk.
sc config WebClient start= disabled sc stop WebClient
2. Block Outbound SMB Traffic:
Since the vulnerability involves the leakage of NTLM hashes over SMB, blocking outbound SMB traffic can prevent the hashes from being sent to remote servers.
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=TCP localport=445
3. Use Group Policy to Restrict .library-ms Files:
You can use Group Policy to restrict the creation and execution of `.library-ms` files, which are central to this vulnerability.
gpedit.msc
Navigate to `Computer Configuration -> Administrative Templates -> System -> Filesystem` and enable the policy to restrict `.library-ms` files.
4. Apply the Latest Security Patches:
Always ensure that your systems are up-to-date with the latest security patches. Microsoft may release a patch for this vulnerability, so keep an eye on their security updates.
wuauclt /detectnow /updatenow
5. Monitor Network Traffic:
Regularly monitor your network traffic for any unusual outbound SMB traffic, which could indicate an attempt to exploit this vulnerability.
tcpdump -i eth0 -n port 445
Conclusion:
CVE-2025-24071 is a critical vulnerability that underscores the importance of proactive cybersecurity measures. By understanding the technical details and implementing the practical steps outlined above, you can significantly reduce the risk of exploitation.
What Undercode Say:
In the realm of cybersecurity, staying ahead of threats requires constant vigilance and a deep understanding of potential vulnerabilities. CVE-2025-24071 is a stark reminder of how seemingly innocuous processes, like file extraction, can be exploited by threat actors. By disabling unnecessary services, blocking risky traffic, and applying the latest patches, you can fortify your defenses against such attacks.
Expected Output:
- Disable WebClient Service: `sc config WebClient start= disabled`
– Block Outbound SMB Traffic: `netsh advfirewall firewall add rule name=”Block Outbound SMB” dir=out action=block protocol=TCP localport=445`
– Apply Security Patches: `wuauclt /detectnow /updatenow`
– Monitor Network Traffic: `tcpdump -i eth0 -n port 445`For more detailed information and the Proof of Concept (PoC), you can visit the GitHub repository: CVE-2025-24071_PoC.
References:
Reported By: Abhirup Konwar – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
