Microsoft this week announced that the preview feature is now disabled in Windows' File Explorer for files downloaded from the internet, as an additional protection against NTLM hash leaks.
The change, rolled out as part of the October 2025 Patch Tuesday security updates, applies to all files that are marked with Mark of the Web (MotW).
Windows adds the MotW to files fetched via browser downloads or email attachments and warns users of the potential risk these files pose. For Office files, the system blocks macros, which could contain malicious code.
By disabling the preview of files downloaded from the internet, Microsoft seeks to prevent a security defect leading to NTLM hash leaks when a potentially unsafe file is previewed. Attackers can brute-force the leaked hash to retrieve a user's password, or could mount relay attacks.
"This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as , , etc.) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials," Microsoft explains.
The company doesn't say which flaw it tackles, but it appears that it could be CVE-2025-59214, which is described as a File Explorer spoofing issue and could allow attackers to leak sensitive information over the network.
The bug is a bypass for CVE-2025-50154, which in turn is a bypass for CVE-2025-24054, a zero-click NTLM credential leakage vulnerability that Microsoft attempted to resolve in March. CVE-2025-24054 has been exploited in the wild, including against government and private institutions in Poland and Romania.
The original bug could be triggered via malicious .library-ms files placed inside a ZIP archive. When the user extracted the archive, Windows initiated an SMB authentication request to a remote server, leaking the NTLM hash.
Microsoft warned in March that simply selecting the malicious file or right-clicking it could trigger the vulnerability.
While analyzing the issue, Cymulate discovered the patch could be bypassed, and Microsoft in August rolled out a fresh round of fixes, assigning CVE-2025-50154 to the issue and saying that it existed because of a gap left by the original patch.
Shortly after, Cymulate found that these patches could be bypassed as well, and reported the weakness to Microsoft, which assigned CVE-2025-59214 to it.
Now, Microsoft says that disabling File Explorer's preview feature for files downloaded from the internet should prevent the leak of NTLM hashes.
Following the October security patches, the File Explorer preview pane will warn users that the file they are attempting to preview could be harmful and that they should only open it if they trust its origin. The same applies to files viewed on an Internet Zone file share.
To remove the block, users need to right-click on the downloaded file, select Properties, and then Unblock. According to Microsoft, the change may not take effect until the next login.
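As an added example (not code from Microsoft or from this article), the PowerShell script below audits the Mark of the Web on a folder of downloads, so an administrator can see which files the new preview block affects and unblock only those from origins they trust. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the $TrustedHosts list and the -UnblockTrusted switch are constructed placeholders.

```powershell
# Added example: audit Mark of the Web (Zone.Identifier) on downloaded files.
# Assumes Windows PowerShell 5.1+ / PowerShell 7 on NTFS; $TrustedHosts is a
# constructed placeholder list of origins the admin has decided to trust.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    [switch]$UnblockTrusted    # only unblock files whose HostUrl matches $TrustedHosts
)

$TrustedHosts = @('https://files.example.internal/')   # placeholder origins
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwInfo {
    param([string]$FilePath)
    # MotW is stored in the Zone.Identifier alternate data stream as an INI-style
    # [ZoneTransfer] section: a ZoneId line plus optional ReferrerUrl/HostUrl lines.
    $raw = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $info = [ordered]@{ Path = $FilePath; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    foreach ($line in @($raw)) {
        if ($line -match '^(ZoneId|HostUrl|ReferrerUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($null -ne $info.ZoneId) { $info.ZoneId = [int]$info.ZoneId }
    return [pscustomobject]$info
}

$report = foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
    $motw = Get-MotwInfo -FilePath $file.FullName
    if (-not $motw) { continue }                     # no MotW: preview behaviour unchanged
    $zone = $ZoneNames[$motw.ZoneId]
    # ZoneId 3 (Internet) is what browsers and mail clients write; per the October
    # 2025 update these files lose the preview pane until they are unblocked.
    $previewBlocked = ($motw.ZoneId -eq 3)
    $trusted = $false
    foreach ($h in $TrustedHosts) { if ($motw.HostUrl -and $motw.HostUrl.StartsWith($h)) { $trusted = $true } }
    if ($UnblockTrusted -and $trusted) {
        # Same effect as Properties > Unblock: removes the Zone.Identifier stream.
        Unblock-File -LiteralPath $file.FullName
    }
    [pscustomobject]@{
        File           = $file.Name
        Zone           = $zone
        HostUrl        = $motw.HostUrl
        PreviewBlocked = $previewBlocked
        Unblocked      = ($UnblockTrusted -and $trusted)
    }
}
$report | Sort-Object PreviewBlocked -Descending | Format-Table -AutoSize
```

Unblocking a file restores the preview behaviour the update removed, so the script only does so for origins on the allow-list and otherwise just reports.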