Windows Vulnerability CVE-2025-59284: Incomplete Patch Enables NetNTLM Hash Phishing During Archive Extraction

Source: DEV Community

Introduction: The Unexpected Connection

The discovery of CVE-2025-59284 originated from an unlikely source: a GNU manpage, a relic of Unix documentation. While investigating archive formats and their cross-platform behavior, a footnote in the tar manpage revealed that certain archives could trigger remote resource requests during extraction. When this behavior was replicated on Windows, it exposed a critical vulnerability: the leakage of NetNTLM hashes during archive extraction.

This flaw is not merely a technical oversight but a symptom of deeper systemic issues in vulnerability management, particularly in Microsoft's patching process. The core issue lies in the incomplete nature of Microsoft's patch for CVE-2025-59284. Although intended to prevent NetNTLM hash leakage during archive extraction, the patch failed to address edge cases such as archives containing embedded network paths. This oversight allows attackers to exploit the vulnerability, leveraging the NTLM authentication protocol to i
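As an added, defender-side example that is not from the article: a pre-extraction scan that flags tar members whose name, link target or PAX path header points at a UNC share or URL, so such archives can be quarantined before a Windows extractor ever resolves the path. The page does not state which entry types trigger CVE-2025-59284, so the pattern below is an assumed heuristic, and the sample archive is constructed here for illustration.

```python
import io
import re
import tarfile

# Assumption (not stated in the article): the risky entries are those whose
# name, hard/symlink target or PAX 'path'/'linkpath' header names a network
# location. UNC form (\\host\share, //host/share) or a URL scheme.
NETWORK_PATH = re.compile(
    r"^(\\\\|//)[^\\/]+[\\/]|^(https?|smb|file)://", re.IGNORECASE
)


def suspicious_members(data: bytes) -> list[tuple[str, str, str]]:
    """Return (member name, field, value) for every entry that references a
    network location. Only the metadata is read; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            candidates = {"name": m.name, "linkname": m.linkname}
            candidates.update(m.pax_headers)  # PAX headers can override both
            for field, value in candidates.items():
                if value and NETWORK_PATH.search(str(value)):
                    findings.append((m.name, field, str(value)))
    return findings


def build_sample(entries) -> bytes:
    """Constructed test archive: (name, linkname) pairs; linkname None means
    an empty regular file, otherwise a symlink to that target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = 0
                tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample([
        ("readme.txt", None),
        ("settings", "\\\\files.example.test\\share\\x"),  # constructed UNC target
    ])
    for name, field, value in suspicious_members(sample):
        print(f"quarantine: {name} ({field} -> {value})")
```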