Microsoft Disables Downloaded File Previews to Block NTLM Hash Leaks

In files downloaded from the internet, HTML tags referencing external paths could be used to leak NTLM hashes during file previews. The post Microsoft Disables Downloaded File Previews to Block NTLM Hash Leaks appeared first on SecurityWeek.

Microsoft this week announced that the preview feature in Windows File Explorer is now disabled for files downloaded from the internet, as an additional protection against NTLM hash leaks.

The change, rolled out as part of the October 2025 Patch Tuesday security updates, applies to all files that are marked with Mark of the Web (MotW).

Windows adds the MotW to files fetched via browser downloads or email attachments and warns users of the potential risk these files pose. For Office files, the system blocks macros, which could contain malicious code.

By disabling the preview of files downloaded from the internet, Microsoft seeks to prevent a security defect leading to NTLM hash leaks when a potentially unsafe file is previewed. Attackers can brute-force the leaked hash to retrieve a user’s password, or could mount relay attacks.

“This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as <link>, <src>, and so forth) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials,” Microsoft explains.

The company does not say which flaw it tackles, but it appears that it could be CVE-2025-59214, which is described as a File Explorer spoofing issue and could allow attackers to leak sensitive information over the network.

The bug is a bypass for CVE-2025-50154, which in turn is a bypass for CVE-2025-24054, a zero-click NTLM credential leakage vulnerability that Microsoft attempted to resolve in March. CVE-2025-24054 has been exploited in the wild, including against government and private institutions in Poland and Romania.

The original bug could be triggered via malicious .library-ms files placed within a ZIP archive. When the user extracted the archive, Windows initiated an SMB authentication request to a remote server, leaking the NTLM hash.

Microsoft warned in March that simply selecting the malicious file or right-clicking it could trigger the vulnerability.

While analyzing the issue, Cymulate discovered the patch could be bypassed, and Microsoft in August rolled out a fresh round of fixes, assigning CVE-2025-50154 to the issue and saying that it existed because of a gap left by the original patch.

Shortly after, Cymulate found that these patches could be bypassed as well, and reported the weakness to Microsoft, which assigned CVE-2025-59214 to it.

Now, Microsoft says that disabling File Explorer’s preview feature for files downloaded from the internet should prevent the leak of NTLM hashes.

Following the October security patches, the File Explorer preview pane will warn users that the file they are attempting to preview could be harmful and that they should only open it if they trust its origin. The same applies to files viewed on an Internet Zone file share.

To remove the block, users need to right-click on the downloaded file, select Properties, and then Unblock. According to Microsoft, the change may not take effect until the next login.
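
To review which files under a folder carry the Mark of the Web before deciding what to unblock, the following is an added example, not code from Microsoft or SecurityWeek. It assumes an NTFS volume; the function name `Get-MotwReport`, the demo file names and the `example.invalid` URL are constructed for illustration.

```powershell
# Added example: list files that carry Mark of the Web (the Zone.Identifier
# alternate data stream) so they can be reviewed before anything is unblocked.
function Get-MotwReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Standard Windows URL security zone numbers.
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # No Zone.Identifier stream means the file has no mark; skip it.
        $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $raw) { return }

        # The stream is INI-style: a [ZoneTransfer] header, then Key=Value lines.
        $kv = @{}
        foreach ($line in $raw) {
            if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }
        $zone = -1
        if (-not [int]::TryParse([string]$kv['ZoneId'], [ref]$zone)) { $zone = -1 }
        $zoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }

        [pscustomobject]@{
            File        = $file.FullName
            ZoneId      = $zone
            Zone        = $zoneName
            HostUrl     = $kv['HostUrl']      # download source, when the browser recorded it
            ReferrerUrl = $kv['ReferrerUrl']
        }
    }
}

# Demo on constructed files: one marked as downloaded, one local.
$demo = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'local.txt') -Value 'created locally'
$marked = Join-Path $demo 'downloaded.html'
Set-Content -LiteralPath $marked -Value '<html></html>'
Set-Content -LiteralPath $marked -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/downloaded.html')

Get-MotwReport -Path $demo | Format-List      # lists only downloaded.html, Zone = Internet

# After reviewing the origin, Unblock-File removes the mark, which is the
# command-line equivalent of Properties > Unblock.
Unblock-File -LiteralPath $marked
Get-MotwReport -Path $demo                    # no output: nothing is marked any more
Remove-Item -LiteralPath $demo -Recurse -Force
```

Reviewing `HostUrl` and `ReferrerUrl` per file gives a basis for trusting a file's origin before unblocking it, rather than clearing the mark in bulk.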
