A zero-day vulnerability, CVE-2025-24054, has been discovered in Windows Explorer and is currently being exploited in the wild.
The vulnerability allows an attacker to force the Windows Explorer application to authenticate to a malicious SMB server, disclosing the NTLMv2-SSP hash in the process.
The captured hash can be brute-forced offline or used in NTLM relay attacks; of the two, relaying it to impersonate the authenticated user against other services is the more efficient option.
To mitigate this, users should verify that their systems are running the most recent security updates and enforce best practices for Zero Trust architectures to limit the potential impact of these types of attacks.
This is especially pertinent for enterprises that still utilize NTLMv2, which has vulnerabilities dating back almost 30 years.
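To make the mitigation advice above concrete, here is an added PowerShell audit (not part of the advisory) that reports two host settings that limit the impact of this kind of forced-authentication hash leak: the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and whether any outbound firewall rule blocks SMB (TCP/445) egress. The registry path and cmdlets are standard Windows ones; the function name and the "exposed" verdict logic are this example's own.

```powershell
# Added example, not from the advisory: audit NTLM/SMB egress hardening on a host.
# Assumes an elevated PowerShell session on Windows 8/Server 2012 or later
# (the NetSecurity cmdlets are not available on older releases).

function Get-NtlmLeakExposure {
    [CmdletBinding()]
    param()

    # 1. Outgoing NTLM policy. 0 = allow all, 1 = audit all, 2 = deny all.
    #    A missing value behaves as "allow all".
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $ntlm) { $ntlm = 0 }

    # 2. Any enabled outbound rule that blocks TCP/445 (or all TCP). A client that
    #    cannot open SMB connections to arbitrary hosts cannot hand its NTLMv2
    #    response to an attacker-controlled SMB server.
    $blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
                    -ErrorAction SilentlyContinue |
                  Get-NetFirewallPortFilter |
                  Where-Object {
                      $_.Protocol -eq 'TCP' -and
                      ($_.RemotePort -eq 'Any' -or $_.RemotePort -contains '445')
                  }
    $smbBlocked = @($blockRules).Count -gt 0

    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $ntlm
        OutboundNtlmDenied         = ($ntlm -eq 2)
        OutboundSmbBlocked         = $smbBlocked
        # Exposed when neither control is in place.
        Exposed                    = -not (($ntlm -eq 2) -or $smbBlocked)
    }
}

Get-NtlmLeakExposure | Format-List
```

The host firewall check only covers rules on this machine; an egress block for TCP/445 at the network perimeter is the more reliable control, and neither setting replaces installing the vendor's security update.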