Security researchers Len Sadowski and Oğuz Bektaş have publicly pulled back the curtain on a vulnerability within Windows’ implementation of libarchive. The flaw, tracked as CVE-2025-59284, demonstrates how a seemingly benign file extraction or opening can be weaponized to leak sensitive NetNTLMv2 hashes, potentially handing attackers the keys to corporate networks.
The researchers have publicly disclosed the full technical analysis and proof-of-concept (PoC) exploit code.
The vulnerability lies in the way Windows handles “reparse points”—metadata attached to files or directories that causes name resolutions to “replay” with new inputs. While Windows supports several link types, the researchers focused their efforts on hardlinks.
By crafting a malicious .tar archive containing specific hardlink structures, an attacker can force the system to reach out to a remote Universal Naming Convention (UNC) path the moment a victim attempts to open or extract the file.
“The CreateHardLinkW() API call indeed does reach out to the target filepath before confirming it’s a remote UNC path. This results in a CreateFile call to the supplied UNC path and therefore a hashleak.”
The attack is particularly stealthy because it exploits the core functionality of the Windows file system. The researchers’ public PoC demonstrates a “hashleak upon any file opening or archive extraction”.
Once the victim interacts with the poisoned archive, the system’s attempt to resolve the hardlink triggers an authentication request to an attacker-controlled server. This request carries the user’s NetNTLMv2 hash, which can then be captured and cracked offline or used in “relay” attacks to impersonate the victim.
Following a responsible disclosure through the Zero Day Initiative (ZDI), Microsoft released a fix designed to mitigate the threat. However, Sadowski and Bektaş have raised concerns about the effectiveness of this solution.
The current patch introduces a warning window that appears when a user attempts to extract a hardlink pointing to a UNC path.
“The problem with that patch is that it doesn’t fix the underlying issue of the API call reaching out to a UNC path, which (probably?) should never happen in the first place.”
The researchers warn that this “exploit still works if the user accepts the warning,” noting that many users might instinctively click “Yes” when trying to extract what looks like a harmless .txt file.
With the full details of CVE-2025-59284 now in the public domain, organizations are encouraged to move beyond simple reliance on the UI warning.
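One practical control short of relying on the UI warning is to inspect archives before they reach a Windows extractor and flag any hard or symbolic link entry whose target is a UNC path, which is the trigger the article describes. The following is an added example written for this page, not code from the researchers or from Microsoft; the sample archive it builds is a constructed fixture with a placeholder host (`unc-host.invalid`), not the published PoC.

```python
import io
import re
import tarfile

# Matches UNC paths in either Windows (\\host\share\...) or POSIX (//host/share/...) form.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def find_unc_links(fileobj):
    """Return (member name, link target) for every hardlink or symlink in a tar
    archive whose target is a UNC path. Resolving such a link on Windows is what
    makes the system reach out to the remote host and send an NTLM authentication."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf.getmembers():
            if (member.islnk() or member.issym()) and UNC_RE.match(member.linkname):
                findings.append((member.name, member.linkname))
    return findings


def build_sample_archive():
    """Constructed test fixture: a regular file, a harmless in-archive hardlink,
    and one hardlink whose target is a UNC path on a placeholder host."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"hello\n"
        regular = tarfile.TarInfo("notes.txt")
        regular.size = len(data)
        tf.addfile(regular, io.BytesIO(data))

        benign_link = tarfile.TarInfo("copy.txt")
        benign_link.type = tarfile.LNKTYPE
        benign_link.linkname = "notes.txt"
        tf.addfile(benign_link)

        unc_link = tarfile.TarInfo("readme.txt")
        unc_link.type = tarfile.LNKTYPE
        unc_link.linkname = r"\\unc-host.invalid\share\readme.txt"  # placeholder, constructed
        tf.addfile(unc_link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, target in find_unc_links(build_sample_archive()):
        print(f"suspicious link entry: {name} -> {target}")
```

The same check can be run over real archives by passing an open file object instead of the constructed fixture; a non-empty result is a reason to quarantine the archive rather than let a user decide at the warning prompt.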