Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are currently taking advantage of a significant vulnerability in Windows systems, designated as CVE-2025-24054. The flaw allows NTLM hashes to be disclosed through a spoofing technique, posing a serious threat to network security.

The vulnerability affects NTLM (New Technology LAN Manager) authentication and allows attackers to obtain NTLM hashes. This can lead to privilege escalation and lateral movement within compromised networks, making it a critical concern for organizations relying on these systems.

NTLM is a suite of authentication protocols developed by Microsoft to verify user identities and secure network communications. Although NTLMv2 offers enhanced security compared to its predecessors, vulnerabilities persist, particularly when attackers manipulate the transmission or disclosure of hashes.

CVE-2025-24054 specifically involves the external control of file names or paths in Windows. This enables malicious actors to trigger SMB (Server Message Block) authentication requests that inadvertently leak NTLMv2-SSP hashes during routine file operations. The flaw is activated when a user extracts a ZIP archive containing a malicious .library-ms file, prompting Windows Explorer to initiate an SMB authentication request to a remote server.

This process can inadvertently expose the user’s NTLM hash, which attackers can capture for further malicious activities. Alarmingly, the exploit can be triggered with minimal user interaction, such as right-clicking, dragging, dropping, or merely navigating to a folder containing the malicious file.

Active Exploitation of Vulnerability in the Wild

Despite the release of a security patch on March 11, 2025, threat actors began exploiting CVE-2025-24054 within days. Check Point Research first noted malicious campaigns leveraging this vulnerability around March 20–21, 2025.

These campaigns primarily targeted government and private institutions in Poland and Romania, utilizing spear-phishing emails that contained ZIP archives and embedded malicious files. Once victims interacted with these files—by unzipping or clicking them—the exploit was triggered, leading to the leakage of NTLM hashes.

The malicious archives included various file types, such as .library-ms, .url, .website, and .lnk files, all designed to initiate SMB connections to servers controlled by attackers. These connections exposed NTLMv2-SSP hashes, which could then be exploited for pass-the-hash attacks, relay attacks, or privilege escalation within the network.

The campaigns appeared highly targeted, focusing on harvesting NTLM hashes for subsequent lateral movement or privilege escalation. The stolen hashes were sent to malicious SMB servers located in several countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey. This sophisticated approach suggests that the threat actors are likely linked to state-sponsored groups with advanced capabilities.

One notable campaign involved distributing malicious files via email links from Dropbox. When users interacted with these links, the vulnerability was exploited, leading to the leakage of hashes. The focus on government agencies in Poland and Romania underscores the geopolitical significance and potential for espionage or sabotage.

The exploit takes advantage of how Windows Explorer handles ZIP archives containing malicious files. When a user extracts such an archive, Windows initiates SMB authentication requests to remote servers specified within the malicious files. These requests leak NTLMv2-SSP hashes without requiring extensive user interaction, making the attack particularly insidious. Attackers can then use these hashes to authenticate as legitimate users, often with elevated privileges, facilitating lateral movement and network compromise.
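As an added example (not code from the original article), the following is a defender-side scanner that a mail gateway or triage script could run over an inbound ZIP: it flags archive members of the file types named above (.library-ms, .url, .website, .lnk) and reports any UNC reference inside them that points to a host outside the organisation, which is the pattern the article describes. The archive contents, host names, internal DNS suffix and address ranges are constructed assumptions; the .library-ms stand-in carries only a bare UNC reference, not a real library description.

```python
"""Scan a ZIP attachment for files that can trigger an outbound SMB authentication.

Added example; not code from the original article. All names, the constructed
archive and the internal-network definitions below are assumptions. The scanner
does not reproduce the CVE-2025-24054 trigger; it only flags members whose type
and contents match the lure pattern described in the article.
"""
import io
import ipaddress
import posixpath
import re
import zipfile

# File types the article names as carriers of remote SMB references.
RISKY_EXTENSIONS = {".library-ms", ".url", ".website", ".lnk"}

# UNC-style reference: two backslashes, a host, a backslash, then a share name.
# Also matches the "file://\\host\share" form because only "\\host\share" is anchored.
UNC_RE = re.compile(rb"\\\\([A-Za-z0-9_.\-]+)\\([^\\\s\"'<>]+)")

# Assumed definition of "inside the organisation" for this example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_SUFFIX = ".corp.example"  # assumed internal DNS suffix


def is_external_host(host: str) -> bool:
    """True when a UNC host is neither a private IPv4 address nor an internal name."""
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        # Not an IP literal. Single-label names (LAN/NetBIOS style) and names under
        # the internal suffix are treated as internal; any other FQDN is external.
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIX)


def scan_zip(data: bytes) -> list:
    """Return one finding per risky member: name, reason, external_hosts.

    reason is 'external_unc' when the member references an external host,
    otherwise 'risky_type' (worth quarantining or inspecting anyway).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext not in RISKY_EXTENSIONS:
                continue
            content = zf.read(info)
            hosts = sorted({m.group(1).decode("ascii", "replace")
                            for m in UNC_RE.finditer(content)})
            external = [h for h in hosts if is_external_host(h)]
            findings.append({
                "name": info.filename,
                "reason": "external_unc" if external else "risky_type",
                "external_hosts": external,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real lure).

    One benign-looking document, one .library-ms stand-in that references an
    external host, and one .url shortcut that points at an internal server.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
        # Stand-in content: only the UNC reference matters to the scanner.
        zf.writestr("report.library-ms", b"<url>\\\\198.51.100.7\\share</url>")
        zf.writestr("intranet.url",
                    b"[InternetShortcut]\r\nURL=file://\\\\fileserver.corp.example\\docs\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

In practice the scanner would run over every archive attached to inbound mail; a `risky_type` finding alone is a reasonable quarantine trigger, because these file types rarely have a business reason to travel inside a ZIP, and `external_unc` should page the SOC, since it is the exact shape of the lure described above.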

Mitigations

Microsoft’s prompt patching of CVE-2025-24054 was a crucial step; however, the rapid exploitation indicates that organizations must act swiftly to mitigate risks. Key recommendations include:

  • Applying patches immediately: Ensure all affected systems are updated to the latest security patches.
  • Enhancing network defenses: Implement SMB signing, relay protections, and monitor SMB traffic for unusual activity.
  • User awareness: Educate users about the risks of opening untrusted archives or clicking on suspicious files.
  • Network segmentation: Limit SMB traffic between segments to reduce the attack surface.
  • Regular security audits: Conduct vulnerability assessments and monitor for signs of compromise.
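As an added example (not code from the original article) of the "monitor SMB traffic for unusual activity" recommendation, the following detection logic runs over Sysmon-style network-connection events and alerts on client-initiated SMB connections (TCP 445 or 139) to destinations outside the private address ranges. The pipe-separated log format is a constructed simplification of Sysmon Event ID 3 fields, and the sample lines, process names and addresses are assumptions of this example.

```python
"""Flag outbound SMB connections to external hosts in network-connection events.

Added example; not code from the original article. The log format is a
constructed simplification of Sysmon Event ID 3 (Image, SourceIp,
DestinationIp, DestinationPort, Initiated); the sample lines are made up.
"""
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {445, 139}

# Processes that routinely open SMB sessions to internal servers but have no
# reason to do so toward the internet (assumed list for this example).
WATCHED_IMAGES = {"explorer.exe", "searchprotocolhost.exe", "svchost.exe"}

# RFC 1918 ranges used as the definition of "internal" for this example.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log lines: Image|SourceIp|DestinationIp|DestinationPort|Initiated
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|10.0.5.21|10.0.1.10|445|true
C:\\Windows\\explorer.exe|10.0.5.21|203.0.113.44|445|true
C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.0.5.21|198.51.100.3|443|true
C:\\Windows\\System32\\svchost.exe|10.0.5.21|198.51.100.80|139|true
C:\\Windows\\System32\\svchost.exe|10.0.5.21|10.0.1.10|445|false
C:\\Tools\\backup.exe|10.0.5.21|198.51.100.9|445|true
"""


@dataclass
class Alert:
    image: str       # executable name only, lower-cased
    dest_ip: str
    dest_port: int
    severity: str    # "high" for watched shell/system processes, else "medium"


def parse_event(line: str):
    """Split one constructed event line into typed fields."""
    image, src, dst, port, initiated = line.strip().split("|")
    return image, src, dst, int(port), initiated.lower() == "true"


def is_external(ip: str) -> bool:
    """True when the address is outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def detect_outbound_smb(log_text: str) -> list:
    """Return an Alert for every client-initiated SMB connection to an external host.

    Inbound connections (Initiated=false) and internal destinations are ignored,
    so normal file-server traffic does not fire the rule.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        image, _src, dst, port, initiated = parse_event(line)
        if not initiated or port not in SMB_PORTS or not is_external(dst):
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        severity = "high" if exe in WATCHED_IMAGES else "medium"
        alerts.append(Alert(exe, dst, port, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_smb(SAMPLE_EVENTS):
        print(alert)
```

The same rule expressed in a SIEM would be the complementary check to an egress firewall policy that blocks TCP 445/139 to the internet: the firewall stops the hash from leaving, and this detection tells the SOC which workstation and which process tried, which is the starting point for finding the lure file.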

The exploitation of CVE-2025-24054 exemplifies how attackers leverage seemingly benign file operations to leak sensitive authentication hashes, facilitating deeper infiltration into target networks. The swift transition from patch release to active exploitation underscores the importance of rapid response and proactive security measures.

As threat actors continue to refine their tactics, organizations must prioritize timely patching, robust network security, and user education to defend against such sophisticated spoofing and hash disclosure attacks.
