A single unassuming ZIP archive can now become a weapon to steal Windows credentials, thanks to a newly patched flaw in Windows File Explorer. Microsoft's March 11, 2025 Patch Tuesday update fixed a spoofing vulnerability that forced Explorer to silently connect to remote SMB servers, leaking NTLM challenge/response data — the cryptographic material attackers need to crack passwords or move laterally across networks. Tracked publicly as CVE-2025-50154, the bug turns a routine file extraction into a covert authentication handshake with an attacker-controlled server, and proof-of-concept code circulating within days of disclosure has made exploitation trivial.
The vulnerability is yet another reminder that decades-old protocols like NTLM still haunt enterprise environments, and that the automatic, background behaviors we take for granted in the Windows user interface can be twisted into attack vectors. This article dissects how the exploit works, which systems are affected, how to detect it, and what steps IT teams must take immediately to avoid credential compromise.
A Flaw in the File Browser’s Deepest Routine
At its core, the weakness lives in File Explorer’s eagerness to parse file metadata. When a user extracts an archive — say, a ZIP or RAR file — Windows automatically inspects the contents to generate thumbnails, extract metadata, or index them for search. The operating system does this through multiple processes: not just Explorer.exe, but also the indexing engine (SearchProtocolHost.exe) and other shell components. If one of those files contains a specially crafted reference to a remote SMB path, Explorer reaches out to that path without any user prompt or warning.
The attack works like this: an attacker creates a malicious archive containing a file — commonly a .library-ms file — with a metadata field that points to an SMB share on a remote server, such as \\attacker.example\share. When the victim extracts the archive, Windows’ automatic parsing kicks in, and Explorer or SearchProtocolHost attempts to resolve the UNC path. This triggers a standard SMB authentication handshake. Even if the user never explicitly provides credentials, Windows may initiate an NTLM challenge/response exchange. The attacker’s server captures this exchange, gaining the NTLMv2 hash and challenge data, which can be cracked offline or relayed to other services in a pass-the-hash attack.
Because the entire sequence happens silently in the background — no dialog box, no security prompt — victims have no indication that their machine just handed over sensitive material. The attack requires user interaction (opening or extracting the archive), but that’s a bar easily cleared by phishing campaigns, malicious downloads, or simply placing the archive on a shared drive where multiple users might open it.
Scope, Severity, and Timeline
The vulnerability affects a broad swath of Windows client and server editions where File Explorer handles metadata parsing. Microsoft released fixes for Windows 10, Windows 11, and supported Windows Server versions in the March 11, 2025 cumulative updates. While the company classified the bug as an important spoofing issue leading to information disclosure, practical risk assessments peg it higher because of the ease with which NTLM material can be weaponized.
- Affected components: File Explorer (Explorer.exe), Windows Search indexing (SearchProtocolHost.exe), and related shell infrastructure.
- CVSS metrics: Published scores place the flaw in the medium-to-high range. The attack vector is network, the complexity is low, and the confidentiality impact is high. User interaction is required, which lowers the score somewhat, but the attack needs no privileges on the target, so the severity remains substantial.
- Disclosure timeline: Coordinated disclosure led to a March 11, 2025 patch. Within days, multiple researchers released functional proof-of-concept code. By late March, unverified reports suggested exploit kits were being offered on underground forums, though confident attribution remains elusive.
The proof-of-concept landscape is particularly dangerous. A simple script can generate a malicious archive, and a basic SMB listener can capture credentials — no custom malware or deep kernel exploits required. That low barrier means any organization still allowing outbound SMB from endpoints or relying on NTLM authentication is a soft target.
Technical Breakdown: From Archive to Leaked Hash
The Malicious File
Attackers embed a .library-ms file, or another metadata-rich format that Explorer parses automatically, inside a common archive. The file’s metadata includes an iconResource or similar field pointing to a UNC path. Variants may use other file types, but the goal is always to force a network lookup during automatic processing.
The Trigger
When the user extracts the archive, Windows Shell or the indexing service opens each file to build thumbnails and collect metadata. As soon as it encounters the crafted file, it tries to enumerate the remote SMB path. This attempt generates SMB traffic and, typically, an NTLM authentication attempt.
The Handshake
The attacker’s server responds to the SMB negotiate request and issues an NTLM challenge. If the victim’s machine is configured to send NTLM credentials (the default for many environments), the SMB client sends back an authenticated response. This response contains the user’s NTLMv2 hash, timestamp, and challenge, which an attacker can capture for offline cracking or relay attacks.
The Payload
With a captured NTLMv2 hash, an attacker can attempt to crack the user’s password if it is weak, or use the hash in a pass-the-hash attack against other systems that still honor NTLM. In networks where Kerberos is not enforced, this could lead to lateral movement and full domain compromise.
Proof-of-Concept and Real-World Exploitation
Public PoCs surfaced within 72 hours of the Patch Tuesday release. One researcher demonstrated a Python script that generates a weaponized ZIP and a corresponding SMB listener that prints captured hashes to the console. Another provided a Metasploit module. These tools require no special privileges on the target machine — just a user who can open an archive.
Reports of in-the-wild exploitation remain patchy, but incident response teams have observed several common patterns:
- Phishing emails containing password-protected ZIPs that victims are instructed to extract.
- Malicious archives planted on public-facing file shares or SharePoint sites.
- Exploit chaining where the SMB callback is used to fingerprint internal network segments before delivering a more sophisticated payload.
Because the exploit can be performed over the internet if the victim’s endpoint allows outbound SMB, initial compromise often comes from commodity attacks that cast a wide net. Security telemetry from multiple vendors shows a spike in outbound SMB connections to newly registered domains and bulletproof hosting IPs in the weeks following disclosure.
Detection and Hunting Guidance
Detecting exploitation requires correlation of process behavior, network activity, and authentication logs. No single log source tells the whole story.
Endpoint Monitoring
- Flag Explorer.exe or SearchProtocolHost.exe initiating outbound TCP connections on port 445 (SMB) to any IP address outside the known file-server list.
- Monitor parent-child process chains where an archive extraction tool (7z.exe, WinRAR.exe, or Explorer itself extracting via zipfldr.dll) is immediately followed by a network connection from those processes.
- Use Sysmon Event ID 3 (NetworkConnect) and Event ID 22 (DNSEvent) to capture unusual domain resolutions. Many PoCs use dynamic DNS domains for the SMB listener.
Network Telemetry
- Configure perimeter firewalls to block outbound SMB (TCP 445) from client subnets to the internet. This is a long-standing best practice that should be enforced regardless.
- Deploy internal network sensors that log any SMB connection attempts to IP addresses not associated with authorized file servers. Look for sudden spikes in traffic to a single external host.
- DNS queries for suspicious domains that mimic corporate names or contain “smb”, “capture”, or “hash” are red flags.
Authentication Logs
- On domain controllers, monitor Event ID 4776 (NTLM authentication attempted). Cross-reference the source workstation and the target server. An NTLM attempt to a non-standard server, especially one that triggers multiple failed logons, is suspicious.
- Correlate with Event ID 4624/4625 on the target system. A successful network logon from an Explorer process with a type 3 (network) logon to an untrusted server merits investigation.
- Enable NTLM auditing in pilot mode using the Group Policy setting Network Security: Restrict NTLM: Audit NTLM authentication in this domain, and analyze the resulting logs before enforcing blocks.
Deception Technologies
- Plant internal honeypot SMB shares that have no legitimate business purpose. Any access attempt, particularly from Explorer processes, is likely evidence of an attacker replaying captured credentials or testing lateral movement.
A practical hunting query: Identify all outbound SMB connections from client systems in the last 24 hours. For each, examine the process tree for an extraction event in the preceding five minutes. Any match should generate a high-priority alert.
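The hunting query described above, written out as runnable correlation logic. This is an added example, not code from the original article: it runs over constructed, simplified event dictionaries modelled on Sysmon Event ID 1 (ProcessCreate), Event ID 7 (ImageLoad, used to catch Explorer's in-process extraction via zipfldr.dll), Event ID 3 (NetworkConnect) and Security Event ID 4776 on a domain controller. The field names, the file-server allowlist, the internal address ranges and the two-minute NTLM follow-up window are assumptions; the five-minute extraction look-back is the article's.

```python
"""Hunt: archive extraction -> shell process outbound SMB -> NTLM event on a DC.

Added example, not from the article. Events are constructed dictionaries
modelled on Sysmon Event ID 1 (ProcessCreate), 7 (ImageLoad), 3
(NetworkConnect) and Security Event ID 4776 (NTLM credential validation);
the field names are simplified assumptions, not an exact schema.
"""
import ntpath
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EXTRACTOR_IMAGES = {"7z.exe", "winrar.exe"}        # standalone extractors named in the article
SHELL_PARSERS = {"explorer.exe", "searchprotocolhost.exe"}
KNOWN_FILE_SERVERS = {"10.0.5.10", "10.0.5.11"}   # assumed authorized file servers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # assumed corporate ranges
EXTRACTION_WINDOW = timedelta(minutes=5)           # the article's five-minute look-back
NTLM_WINDOW = timedelta(minutes=2)                 # assumption: how soon a 4776 should follow


def _base(path):
    """Lower-cased file name of a Windows path, so matching ignores directories."""
    return ntpath.basename(path).lower()


def _ts(s):
    return datetime.fromisoformat(s)


def is_extraction(e):
    """True for a 7z/WinRAR process start, or for Explorer loading zipfldr.dll
    (Explorer extracts in-process, so it never produces a ProcessCreate event)."""
    if e["EventID"] == 1:
        return _base(e["Image"]) in EXTRACTOR_IMAGES
    if e["EventID"] == 7:
        return _base(e["Image"]) == "explorer.exe" and _base(e["ImageLoaded"]) == "zipfldr.dll"
    return False


def hunt(sysmon_events, dc_events):
    """Return one alert per shell-process SMB connection to a non-authorized host
    that follows an extraction on the same machine within the look-back window.
    Severity is raised when the destination is external, or when a DC logged an
    NTLM validation naming that workstation shortly afterwards (possible relay)."""
    extractions = [e for e in sysmon_events if is_extraction(e)]
    alerts = []
    for c in sysmon_events:
        if c["EventID"] != 3 or c["DestinationPort"] != 445:
            continue
        if _base(c["Image"]) not in SHELL_PARSERS:
            continue
        dst = c["DestinationIp"]
        if dst in KNOWN_FILE_SERVERS:
            continue
        t_conn = _ts(c["UtcTime"])
        prior = [x for x in extractions
                 if x["Computer"] == c["Computer"]
                 and t_conn - EXTRACTION_WINDOW <= _ts(x["UtcTime"]) <= t_conn]
        if not prior:
            continue
        # 4776 records the workstation name the client placed in its NTLM message,
        # not an IP address, so correlate on the short hostname.
        short = c["Computer"].split(".")[0].lower()
        ntlm = [d for d in dc_events
                if d["EventID"] == 4776
                and d["Workstation"].lower() == short
                and t_conn <= _ts(d["UtcTime"]) <= t_conn + NTLM_WINDOW]
        external = not any(ip_address(dst) in n for n in INTERNAL_NETS)
        alerts.append({
            "host": c["Computer"],
            "process": _base(c["Image"]),
            "destination": dst,
            "extractor": _base(prior[-1]["Image"]),
            "external": external,
            "ntlm_seen_on_dc": bool(ntlm),
            "severity": "critical" if (external or ntlm) else "high",
        })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_SYSMON = [
    {"EventID": 1, "Computer": "ws01.corp.example", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "UtcTime": "2025-03-14 09:00:00"},
    {"EventID": 3, "Computer": "ws01.corp.example", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445, "UtcTime": "2025-03-14 09:00:04"},
    # Benign: Explorer talking to an authorized file server.
    {"EventID": 3, "Computer": "ws02.corp.example", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "10.0.5.10", "DestinationPort": 445, "UtcTime": "2025-03-14 09:10:00"},
    # Unknown internal destination, but no extraction beforehand: not alerted.
    {"EventID": 3, "Computer": "ws03.corp.example", "Image": "C:\\Windows\\System32\\SearchProtocolHost.exe",
     "DestinationIp": "10.0.9.9", "DestinationPort": 445, "UtcTime": "2025-03-14 09:20:00"},
    # Explorer extracting in-process, then the indexer reaching an unknown internal host.
    {"EventID": 7, "Computer": "ws04.corp.example", "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\zipfldr.dll", "UtcTime": "2025-03-14 09:30:00"},
    {"EventID": 3, "Computer": "ws04.corp.example", "Image": "C:\\Windows\\System32\\SearchProtocolHost.exe",
     "DestinationIp": "10.0.9.9", "DestinationPort": 445, "UtcTime": "2025-03-14 09:31:00"},
]
SAMPLE_DC = [
    {"EventID": 4776, "Workstation": "WS01", "TargetUser": "alice", "UtcTime": "2025-03-14 09:00:40"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_SYSMON, SAMPLE_DC):
        print(alert)
```

On the sample data this produces two alerts: a critical one for ws01 (external destination, and a DC-side NTLM validation naming the workstation 36 seconds later) and a high one for ws04 (unknown internal destination, no DC event). In production the allowlist should come from the CMDB rather than a literal set, and the windows should be tuned to the environment's event latency.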
Immediate Mitigations and Patch Deployment
The single most effective countermeasure is deploying the March 11, 2025 cumulative update. Microsoft made the fix available through Windows Update, WSUS, the Update Catalog, and management tools. For organizations that cannot patch immediately, the following compensating controls significantly reduce risk:
- Block outbound SMB (TCP 445) at the network edge for all client subnets. Use host-based firewalls to enforce this on sensitive endpoints, especially those used by executives or IT administrators.
- Enforce SMB signing via Group Policy (Microsoft network client: Digitally sign communications (always)). This prevents SMB relay and tampering but does not stop hash capture.
- Restrict NTLM usage using Group Policy settings (Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers). Audit first, then deny NTLM to all but explicitly whitelisted internal servers.
- Disable automatic archive extraction features where possible. Group Policy can control some indexing behaviors, and third-party endpoint security products can sandbox extraction operations.
- User awareness: Remind employees not to open or extract archives from untrusted sources. For high-risk users, consider temporarily blocking archive file types at the email gateway.
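Blocking every archive at the email gateway is a blunt instrument. A narrower check, shown here as an added example that is not part of the article and not a Microsoft tool, inspects each archive entry and flags the file type the article names (.library-ms) as well as any small entry whose text contains a reference to a remote UNC path (\\host\share or file://host/share), decoded as both UTF-8 and the UTF-16 that Windows shell metadata files commonly use. The scanner handles ZIP only; the sample archive is constructed in memory, and its .library-ms entry is a placeholder string rather than a real library description file.

```python
"""Gateway check: flag archive entries that could trigger a UNC lookup on extraction.

Added example, not from the article or from Microsoft. It builds a constructed
ZIP in memory and scans it. Only ZIP is handled (RAR and nested archives are
out of scope); the suffix list and size cap are assumptions.
"""
import io
import re
import zipfile

# File type the article names as the usual carrier of the crafted metadata.
WATCHED_SUFFIXES = (".library-ms",)
MAX_SCAN_BYTES = 1 << 20  # only read small, metadata-sized entries for content scanning

# \\host\share or file://host/share; the host must start with a letter or digit,
# so device paths such as \\.\pipe\x and plain local paths do not match.
UNC_RE = re.compile(r"""(?:\\\\|file://)([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/]([^\s\\/<>"']+)""")


def find_unc_refs(data):
    """Return UNC references found in raw bytes, normalised to \\host\share form.
    Both UTF-8 and UTF-16-LE decodings are scanned because Windows shell
    metadata files are frequently UTF-16 and would be missed otherwise."""
    refs = set()
    for enc in ("utf-8", "utf-16-le"):
        text = data.decode(enc, errors="ignore")
        for m in UNC_RE.finditer(text):
            refs.add(f"\\\\{m.group(1)}\\{m.group(2)}")
    return sorted(refs)


def scan_archive(zip_bytes):
    """Return one finding per suspicious entry in a ZIP supplied as bytes.
    A finding lists why the entry was flagged and any UNC references seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(WATCHED_SUFFIXES):
                reasons.append("shell metadata file type that Explorer parses automatically")
            refs = []
            if info.file_size <= MAX_SCAN_BYTES:
                refs = find_unc_refs(zf.read(info))
                if refs:
                    reasons.append("references remote UNC path(s)")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons, "unc_refs": refs})
    return findings


def build_sample_archive():
    """Constructed test archive: one benign document plus a placeholder
    .library-ms entry carrying a UNC reference, stored as UTF-16-LE. The
    placeholder is not a valid Windows library description; it contains just
    enough text to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "Quarterly numbers attached.\n")
        zf.writestr("Documents.library-ms",
                    "<placeholder>\\\\attacker.example\\share</placeholder>".encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The check reports rather than blocks, because ordinary documents can legitimately mention \\server\share paths; the sensible gateway policy is to quarantine archives that hit the file-type rule and to route the UNC-only hits to an analyst. The detection example pairs with the mitigation list above: the gateway scan catches the carrier before extraction, the endpoint and DC telemetry catch the callback if one slips through.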
Patching in large environments involves its own risks. Several organizations reported Blue Screen of Death (BSOD) issues on specific hardware configurations with the March 2025 cumulative updates. IT teams should test the patch on representative hardware, stage rollouts, and have a rapid uninstall plan. The trade-off is real: a patch that causes downtime is problematic, but leaving the NTLM exposure open is far worse.
The Long View: Dismantling Legacy Trust
CVE-2025-50154 is not an exotic zero-day springing from a complex logic error; it’s the logical consequence of two deeply entrenched design choices: automatic file parsing by the UI layer, and the continued reliance on a 1990s authentication protocol. Both need to go.
Migrate away from NTLM. Microsoft has been telling enterprises to adopt Kerberos for decades, and yet NTLM remains enabled by default. Every organization should have a clear roadmap to eliminate NTLM where possible. Modern Windows versions support Kerberos armor and claim-based authentication, but legacy applications frequently force a fallback. Identify those dependencies, refactor them, and actively monitor for NTLM traffic.
Sandbox automatic parsing. File Explorer and its indexing cousins should not have unrestricted network access. Windows already includes AppContainer sandboxing for many components; extending it to metadata extraction would cap the damage. For now, third-party endpoint controls can restrict which processes may initiate SMB or NTLM traffic.
Embrace Zero Trust. Assume that any file, any share, and any network connection is hostile until verified. Implement network segmentation that isolates user endpoints from server-to-server SMB traffic, and require explicit authentication decisions for any outbound SMB connection.
Integrate telemetry. The data to detect this attack exists — process creation, network connections, authentication events — but most organizations do not correlate them in real time. Invest in a SIEM or XDR platform that can stitch these signals together and generate high-fidelity alerts when an Explorer process reaches out to a novel SMB destination.
What to Tell Stakeholders
- To the CIO/CISO: This is a patch-now situation. The ease of exploitation and the prevalence of NTLM make this a priority equal to critical CVEs. Allocate resources for an accelerated patch cycle, and begin auditing NTLM usage immediately.
- To the SOC: Update detection rules to monitor the new attack indicators. Deploy NTLM audit policies and prepare to escalate any anomalies. Brief analysts on the kill chain: archive extraction → Explorer outbound SMB → NTLM event on a DC.
- To end users: Do not open unexpected archive attachments, even from known contacts, until your IT team confirms the patch is applied. If you must extract an archive from an external source, disconnect from the network first.
The bottom line is stark: a design that was meant to make file browsing seamless has become a credential pipeline for attackers. The March 2025 update slams that door shut, but the incident is a clarion call to rethink how Windows handles untrusted content and how enterprises manage legacy authentication. Patching and mitigation can limit immediate damage; architectural changes will prevent the next variation.