A critical vulnerability in Microsoft Windows, identified as CVE-2025-24054, has been actively exploited in the wild since March 19, 2025, targeting organizations worldwide.
The flaw, which enables NTLM hash disclosure through spoofing, allows attackers to harvest sensitive user credentials with minimal interaction, potentially leading to privilege escalation and full network compromise.
Despite Microsoft releasing a patch on March 11, 2025, threat actors quickly capitalized on the window of opportunity, launching targeted campaigns against government and private institutions, particularly in Poland and Romania.
The Windows NTLM vulnerability: CVE-2025-24054
CVE-2025-24054 affects Windows Explorer and is triggered by a maliciously crafted .library-ms file, which can initiate an unauthorized Server Message Block (SMB) authentication request to a remote server.
This process leaks a user’s NTLMv2-SSP hash, a cryptographic response used in the NTLM (New Technology LAN Manager) authentication protocol, without requiring the user to open or execute the file.
Actions as simple as right-clicking, dragging and dropping, or navigating to a folder containing the malicious file can activate the exploit.
The leaked NTLMv2-SSP hash can be brute-forced to reveal a user’s password or used in NTLM relay attacks, a type of man-in-the-middle exploit that allows attackers to impersonate the victim and authenticate to other network services.
If the compromised account holds elevated privileges, attackers could achieve lateral movement across a network or even full domain compromise, especially in environments lacking robust protections like SMB signing.
This vulnerability bears striking similarities to a previously patched flaw, CVE-2024-43451, exploited in 2024 to target Ukrainian entities.
Both vulnerabilities highlight persistent weaknesses in NTLM authentication, despite Microsoft’s efforts to bolster security with NTLMv2, which mitigates older risks like pass-the-hash and rainbow table attacks.
Exploitation in the Wild
Just eight days after Microsoft’s patch, Check Point Research identified the first campaign exploiting CVE-2025-24054.
By March 25, 2025, approximately ten campaigns had emerged, targeting victims’ NTLMv2-SSP hashes via malicious SMB servers hosted in countries including Russia, Bulgaria, the Netherlands, Australia, and Turkey.
A notable campaign, dubbed the “NTLM Exploits Bomb,” unfolded between March 20 and 21, 2025, targeting Polish and Romanian government and private institutions.
Attackers distributed phishing emails containing Dropbox links to an archive named xd.zip. Once unzipped, the archive triggered multiple exploits, including CVE-2025-24054, through files like xd.library-ms, which connected to a malicious SMB server at IP address 159.196.128.120.

Additional files, such as xd.url, xd.website, and xd.lnk, exploited related vulnerabilities, including CVE-2024-43451, to harvest credentials via SMB connections.
Initial reports suggested that unzipping the archive was necessary to trigger the exploit.
However, Microsoft’s documentation and subsequent findings revealed that even minimal interactions, such as navigating to the folder containing the malicious file, could activate it.
On March 25, 2025, Check Point Research uncovered a separate campaign distributing unzipped .library-ms files, further amplifying the threat by eliminating the need for extraction.
Microsoft’s Response and Mitigation
Microsoft addressed CVE-2025-24054 in its March 11, 2025, security update, initially assigning it the identifier CVE-2025-24071 before updating it to CVE-2025-24054.
The patch prevents Windows Explorer from leaking NTLMv2-SSP hashes when processing malicious .library-ms files.
However, the eight-day gap between the patch release and active exploitation highlights the critical need for rapid patch deployment.
Check Point’s Threat Emulation and Harmony Endpoint solutions offer protection against these attacks, detecting and blocking the exploit under the signature Exploit.Wins.CVE_2025_24054.A.
Organizations are urged to apply the patch immediately, enforce SMB signing, and implement NTLM relay protections to mitigate risks. Disabling NTLM in favor of more secure protocols like Kerberos, where feasible, can further reduce exposure.
The ease with which NTLM hashes can be harvested and weaponized underscores the need to phase out legacy authentication protocols and adopt modern, secure alternatives.
As cybercriminals continue to refine their tactics, vigilance and rapid response remain critical to safeguarding sensitive systems and data.
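Because every variant described above ends with the victim host opening an SMB session to an attacker-controlled server, outbound SMB (TCP 445/139) from a workstation to a public IP address is the most reliable network-level signal for this exploit class. The following detection logic is an added example (not Check Point's or Microsoft's tooling); it runs over constructed sample connection records in a simplified "timestamp host process dst_ip dst_port" format that a Sysmon Event ID 3 or firewall export could be mapped to, and it matches against the two server addresses named in the article.

```python
import ipaddress
from typing import Dict, List, Optional

# Attacker SMB endpoints named in the article (de-fanged brackets removed).
KNOWN_BAD_SMB_ENDPOINTS = {"159.196.128.120", "194.127.179.157"}
SMB_PORTS = {445, 139}

# Constructed sample records, not real telemetry. 8.8.8.8 is an arbitrary
# public address standing in for "some external SMB server"; it is not an IoC.
SAMPLE_LOG = """\
2025-03-20T09:12:01Z WS-017 explorer.exe 10.0.4.20 445
2025-03-20T09:12:05Z WS-017 explorer.exe 159.196.128.120 445
2025-03-20T09:13:10Z WS-022 chrome.exe 142.250.74.68 443
2025-03-25T14:02:33Z WS-031 explorer.exe 194.127.179.157 445
2025-03-25T14:05:00Z WS-031 explorer.exe 8.8.8.8 139
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one record into named fields; dst_port becomes an int."""
    ts, host, proc, dst, port = line.split()
    return {"ts": ts, "host": host, "process": proc, "dst": dst, "port": int(port)}


def is_external(ip: str) -> bool:
    """True for globally routable addresses (RFC1918, loopback, link-local etc. are False)."""
    return ipaddress.ip_address(ip).is_global


def classify(rec: Dict[str, object]) -> Optional[str]:
    """Return a verdict for SMB connections only; internal SMB is normal and ignored."""
    if rec["port"] not in SMB_PORTS:
        return None
    if rec["dst"] in KNOWN_BAD_SMB_ENDPOINTS:
        return "ioc-match"          # exact hit on a server named in the article
    if is_external(str(rec["dst"])):
        return "external-smb"       # workstation authenticating to an internet SMB host
    return None


def find_suspicious_smb(log_text: str) -> List[Dict[str, object]]:
    """Scan all records and return those that look like an NTLM hash leak."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            hits.append({**rec, "verdict": verdict})
    return hits
```

Blocking outbound TCP 445/139 to non-intranet addresses at the host firewall or perimeter turns the same condition from an alert into a prevention.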
Indicators of Compromise
| Description | Value |
|---|---|
| Archive NTLM Exploits Bomb | 9ca72d969d7c5494a30e996324c6c0fcb72ae1ae |
| xd.website | 84132ae00239e15b50c1a20126000eed29388100 |
| xd.url | 76e93c97ffdb5adb509c966bca22e12c4508dcaa |
| xd.library-ms | 7dd0131dd4660be562bc869675772e58a1e3ac8e |
| xd.lnk | 5e42c6d12f6b51364b6bfb170f4306c5ce608b4f |
| NTLM Exploits Bomb Endpoint | 159.196.128[.]120 |
| Unzipped Exploits | 054784f1a398a35e0c5242cbfa164df0c277da73, 7a43c177a582c777e258246f0ba818f9e73a69ab |
| Unzipped Campaign Endpoint | 194.127.179[.]157 |