Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)

CVE-2025-24054, a vulnerability that leaks Windows NTLM hashes, has come under the spotlight as threat actors exploit it in campaigns against government and private-sector organizations in Poland and Romania. According to Check Point researchers, active exploitation has been observed since March 19, 2025. The concern is that attackers can capture NTLM authentication material from victims and use it to recover passwords or authenticate as those users, compromising systems.

About CVE-2025-24054

The vulnerability causes a victim's machine to authenticate to an attacker-controlled SMB server, letting the attacker capture the NTLMv2 challenge response (the so-called NTLMv2-SSP hash). Once captured, the response can be brute-forced offline to recover the user's password, or the exchange can be relayed to another service while the victim's authentication is still in progress. The distinction matters in practice: an NTLMv2 response is bound to the server challenge that produced it, so a captured response cannot simply be replayed later; relaying has to happen live, whereas offline cracking can be done at leisure on the captured material.

Check Point researchers describe NTLM relay attacks as man-in-the-middle (MitM) attacks against the NTLM authentication protocol. Instead of cracking a password, the attacker forwards the victim's challenge-response exchange to another service that accepts NTLM and is authenticated there as the user. This becomes particularly dangerous when the relayed credentials belong to a privileged user, as it facilitates privilege escalation and lateral movement within the network. Services that enforce SMB signing, LDAP channel binding or Extended Protection for Authentication reject relayed sessions, which is why those settings matter as much as the patch itself.
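To make the capture, crack and relay-versus-replay distinction concrete, here is an added example (not code from the page or from Check Point) that computes the Net-NTLMv2 response in pure Python. Every session value is constructed: user jdoe, domain CORP, password Summer2025!, fixed server and client challenges and a minimal AV-pair target list. It prints the captured line in the layout hashcat calls mode 5600, brute-forces it offline against a tiny constructed wordlist, and shows that the same proof verifies only under the challenge that produced it.

```python
"""Net-NTLMv2 challenge/response worked offline: capture, crack, relay vs. replay.
Added example, not code from the page or Check Point; all session values are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, message-word order, shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & MASK & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]  # working state [a, b, c, d]
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                v[0] = _rotl((v[0] + fn(v[1], v[2], v[3]) + x[w] + k) & MASK, shifts[i % 4])
                v = [v[3], v[0], v[1], v[2]]  # next step updates d, then c, then b
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password (the value stored in the SAM/NTDS)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 over upper-cased user + domain, keyed with the NT hash."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the server challenge and the client blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_blob(timestamp: bytes, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): type bytes, reserved, time, nonce, AV pairs."""
    return b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4


def capture_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """What a rogue SMB server logs as the 'NTLMv2-SSP hash' (hashcat mode 5600 layout)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed session, fixed so the output is reproducible.
USER, DOMAIN, PASSWORD = "jdoe", "CORP", "Summer2025!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # chosen by the attacker's SMB server
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")
TIMESTAMP = struct.pack("<Q", 0)  # FILETIME; zero keeps the example static
TARGET_INFO = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + struct.pack("<HH", 0, 0)
BLOB = build_blob(TIMESTAMP, CLIENT_CHALLENGE, TARGET_INFO)
PROOF = nt_proof(ntlmv2_key(PASSWORD, USER, DOMAIN), SERVER_CHALLENGE, BLOB)
CAPTURED = capture_line(USER, DOMAIN, SERVER_CHALLENGE, PROOF, BLOB)


def crack_offline(captured: str, wordlist):
    """Recompute NTProofStr per candidate; the victim is never contacted again."""
    user, _, domain, chal, proof, blob = captured.split(":")
    for cand in wordlist:
        guess = nt_proof(ntlmv2_key(cand, user, domain), bytes.fromhex(chal), bytes.fromhex(blob))
        if hmac.compare_digest(guess.hex(), proof):
            return cand
    return None


def server_accepts(key: bytes, challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The legitimate server's check (done via the DC): the proof must match *its* challenge."""
    return hmac.compare_digest(nt_proof(key, challenge, blob), proof)


if __name__ == "__main__":
    key = ntlmv2_key(PASSWORD, USER, DOMAIN)
    print("captured:", CAPTURED)
    print("cracked :", crack_offline(CAPTURED, ["Welcome1", "Password123", "Summer2025!"]))
    # Replay: a later session gets a fresh challenge, so the old proof no longer verifies.
    print("replay  :", server_accepts(key, bytes.fromhex("fedcba9876543210"), BLOB, PROOF))
    # Relay: the attacker hands the victim the target's challenge and forwards the proof at once.
    print("relay   :", server_accepts(key, SERVER_CHALLENGE, BLOB, PROOF))
```

The captured line is everything an offline cracker needs, which is why a single leaked response from a user with a weak password is as good as the password. The replay check fails because a real server issues its own fresh challenge; the relay check succeeds only because, in a live relay, the attacker's SMB server presents the target's challenge to the victim and forwards the resulting proof within that same session.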

CVE-2025-24054 was reported to Microsoft by three researchers and was assessed as “less likely” to be exploited. Microsoft had originally tracked it as CVE-2025-24071 and later issued the new identifier for clarity; both were patched on March 11, 2025. Both allow unauthorized spoofing over a network, but CVE-2025-24054 requires only minimal interaction with a malicious file (such as right-clicking it, dragging it, or simply browsing the folder that contains it) rather than opening it, which makes it the more accessible attack vector. It resembles CVE-2024-43451, which was exploited as a zero-day against Ukrainian entities in 2024.

The Spotted Attack Campaigns

After the vulnerability was disclosed, one of the researchers published a proof-of-concept (PoC) exploit on March 16 and a technical write-up on March 18. Check Point reported that the first attacks leveraging the vulnerability were detected on March 19, with campaigns against government and private institutions in Poland and Romania following shortly afterwards.

The campaign relied on phishing emails linking to an archive file, xd.zip, hosted on Dropbox. The archive contained files built to leak NTLMv2-SSP hashes by making the victim's machine authenticate to a malicious SMB server at 159.196.128[.]120. One file triggered CVE-2025-24054, another exploited CVE-2024-43451. Earlier reports have tied this IP address to APT28, also known as Fancy Bear or Forest Blizzard.

By March 25, Check Point had observed roughly ten additional campaigns aimed at extracting NTLMv2-SSP hashes from targeted victims. One of them, spotted that day, targeted companies worldwide with carefully crafted phishing emails whose attachments carried the exploit files as plain attachments rather than inside an archive.

As soon as a victim downloaded the file, their NTLMv2-SSP hash leaked, which underlines the urgency of addressing such vulnerabilities.
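The network-side check that would have surfaced this traffic, as an added example (not code from the page or from Check Point): a small Python parser over Windows Firewall log lines in the pfirewall.log (W3C) layout. The sample lines, the internal addresses and the second public host are constructed; only 159.196.128.120 comes from the article. Workstations have no business opening SMB sessions to Internet hosts, so every outbound TCP 445/139 connection to a non-private destination is flagged, with a known-IOC marker where the destination matches.

```python
"""Flag workstation-initiated SMB sessions to Internet hosts in a Windows Firewall log.
Added example, not from the page; sample lines are constructed in the pfirewall.log layout."""
import ipaddress

SMB_PORTS = {445, 139}
IOC_IPS = {ipaddress.ip_address("159.196.128.120")}  # the SMB server named in the article

# Constructed sample: an internal file-server session, a leak to the attacker's SMB server,
# SMB to another public host, an inbound connection and ordinary HTTPS (the last two must not fire).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-19 09:58:41 ALLOW TCP 10.20.1.37 10.20.0.10 51822 445 0 - 0 0 0 - - - SEND
2025-03-19 10:02:17 ALLOW TCP 10.20.1.37 159.196.128.120 51830 445 0 - 0 0 0 - - - SEND
2025-03-19 10:02:19 ALLOW TCP 10.20.1.37 93.184.216.34 51831 445 0 - 0 0 0 - - - SEND
2025-03-19 10:03:02 ALLOW TCP 198.51.100.9 10.20.1.37 40211 445 0 - 0 0 0 - - - RECEIVE
2025-03-19 10:05:55 ALLOW TCP 10.20.1.37 142.250.74.78 51840 443 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_smb_egress(text: str):
    """Return outbound SMB connections whose destination is a globally routable address."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        if int(rec["dst-port"]) not in SMB_PORTS:
            continue
        dst = ipaddress.ip_address(rec["dst-ip"])
        if not dst.is_global:
            continue  # internal file servers and domain controllers are expected SMB peers
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "src": rec["src-ip"],
            "dst": rec["dst-ip"],
            "port": int(rec["dst-port"]),
            "known_ioc": dst in IOC_IPS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        tag = "KNOWN IOC" if hit["known_ioc"] else "unexpected SMB egress"
        print(f"{hit['time']} {hit['src']} -> {hit['dst']}:{hit['port']}  {tag}")
```

Two caveats when turning this into a production rule: host firewall logging is off by default, so the log has to be enabled before it can be searched, and when TCP 445 is blocked Windows falls back to WebDAV over TCP 80 through the WebClient service for UNC paths, which leaks the same NTLM material, so outbound WebDAV to Internet hosts deserves the same treatment.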

Fixes for CVE-2025-24054

Vulnerabilities of this kind are not usually rated as high-risk compared with those that lead to remote code execution, but it is clear that some attackers move quickly to exploit NTLM flaws. Patching them should therefore be prioritized, especially because NTLMv2 is still widely used for authentication even though Microsoft officially deprecated all NTLM versions last year and urged a move to Kerberos. Patching alone does not remove the underlying technique, coerced outbound NTLM authentication: blocking outbound SMB (TCP 445) at the network edge, restricting outgoing NTLM traffic to remote servers via Group Policy, and enforcing SMB signing on internal servers limit what a future variant can leak or relay.

Microsoft has released patches for CVE-2025-24054 for all supported Windows and Windows Server versions. For systems still running older, unsupported versions, such as Windows 7, Windows 10 v21H2, Windows Server 2008 R2 and Windows Server 2012 R2, micropatching is a viable alternative.
