Microsoft this week introduced that the preview function is now disabled in Home windows’s File Explorer for information downloaded from the web, as an extra safety in opposition to NTLM hash leaks.
The change, rolled out as a part of the October 2025 Patch Tuesday safety updates, applies to all information which might be marked with Mark of the Net (MotW).
Home windows provides the MotW to information fetched through browser downloads or electronic mail attachments and warns customers of the potential threat these information pose. For Workplace information, the system blocks macros, which may include malicious code.
By disabling the preview of information downloaded from the web, Microsoft seeks to forestall a safety defect resulting in NTLM hash leaks when a probably unsafe file is previewed. Attackers can brute-force the leaked hash to retrieve a person’s password, or may mount relay assaults.
“This variation mitigates a vulnerability the place NTLM hash leakage may happen if customers preview information containing HTML tags (reminiscent of ,
The corporate doesn’t say which flaw it tackles, however it seems that it might be CVE-2025-59214, which is described as a File Explorer spoofing difficulty and will enable attackers to leak delicate info over the community.
The bug is a bypass for CVE-2025-50154, which in flip is a bypass for CVE-2025-24054, a zero-click NTLM credential leakage vulnerability that Microsoft tried to resolve in March. CVE-2025-24054 has been exploited within the wild, together with in opposition to authorities and personal establishments in Poland and Romania.
The unique bug might be triggered through malicious .library-ms information positioned inside a ZIP archive. When the person extracted the archive, Home windows initiated an SMB authentication request to a distant server, leaking the NTLM hash.
Microsoft warned in March that merely choosing the malicious file or right-clicking it may set off the vulnerability.
Whereas analyzing the problem, Cymulate found the patch might be bypassed, and Microsoft in August rolled out a contemporary spherical of fixes, assigning CVE-2025-50154 to the problem and saying that it existed due to a niche left by the unique patch.
Shortly after, Cymulate discovered that these patches might be bypassed as effectively, and reported the weak spot to Microsoft, which assigned CVE-2025-59214 to it.
Now, Microsoft says that disabling File Explorer’s preview function for information downloaded from the web ought to forestall the leak of NTLM hashes.
Following the October safety patches, the File Explorer preview pane will warn customers that the file they’re making an attempt to preview might be dangerous and that they need to solely open it in the event that they belief its origin. The identical applies to information considered on an Web Zone file share.
To take away the block, customers have to right-click on the downloaded file, choose Properties, after which Unblock. Based on Microsoft, the change could not take impact till the following login.
Associated: ‘Highest Ever’ Severity Rating Assigned by Microsoft to ASP.NET Core Vulnerability
Associated: Patch Bypassed for Supermicro Vulnerability Permitting BMC Hack
Associated: Essential Vulnerabilities Patched in TP-Hyperlink’s Omada Gateways
Associated: ICS Patch Tuesday: Fixes Introduced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact
