Sunday, May 4, 2025

Windows NTLM Vulnerability (CVE-2025-24054) Actively Exploit in the Wild to Hack Systems


A critical vulnerability in Microsoft Windows, identified as CVE-2025-24054, has been actively exploited in the wild since March 19, 2025, targeting organizations worldwide.

The flaw, which enables NTLM hash disclosure through spoofing, allows attackers to harvest sensitive user credentials with minimal interaction, potentially leading to privilege escalation and full network compromise.

Despite Microsoft releasing a patch on March 11, 2025, threat actors quickly capitalized on the window of opportunity, launching targeted campaigns against government and private institutions, particularly in Poland and Romania.


The Windows NTLM vulnerability: CVE-2025-24054

CVE-2025-24054 affects Windows Explorer and is triggered by a maliciously crafted .library-ms file, which can initiate an unauthorized Server Message Block (SMB) authentication request to a remote server.

This process leaks a user’s NTLMv2-SSP hash, the cryptographic challenge response used in the NTLM (New Technology LAN Manager) authentication protocol, without requiring the user to open or execute the file.

Actions as simple as right-clicking, dragging and dropping, or navigating to a folder containing the malicious file can activate the exploit.

The leaked NTLMv2-SSP hash can be brute-forced offline to recover the user’s password, or used in NTLM relay attacks, a type of man-in-the-middle attack in which the attacker forwards the victim’s authentication to another network service and impersonates the victim there.

If the compromised account holds elevated privileges, attackers could achieve lateral movement across a network or even full domain compromise, especially in environments lacking robust protections like SMB signing.
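The observable side effect of the trigger described above is Windows Explorer itself opening an SMB connection to a host outside the network, which is something a file browser has no business doing. The following detection logic is an added example (not from the article or from Check Point); it runs over constructed Sysmon-style network-connection events, flags explorer.exe connecting to SMB ports on Internet hosts, and skips malformed records. The two public addresses used in the sample events are the endpoints listed in the article's IoC table.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed Sysmon "Network connection" (Event ID 3) style records for
# illustration; not real telemetry from the campaigns the article describes.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Windows\explorer.exe User=CORP\alice DestinationIp=10.0.0.5 DestinationPort=445",
    r"EventID=3 Image=C:\Windows\explorer.exe User=CORP\alice DestinationIp=159.196.128.120 DestinationPort=445",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM DestinationIp=194.127.179.157 DestinationPort=443",
    r"EventID=3 Image=C:\Windows\explorer.exe User=CORP\bob DestinationIp=194.127.179.157 DestinationPort=139",
    r"EventID=3 Image=C:\Windows\explorer.exe User=CORP\bob DestinationIp=not-an-ip DestinationPort=445",
]

SMB_PORTS = {139, 445}


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (values may contain spaces)."""
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)


def is_external(ip: str) -> bool:
    """True for globally routable addresses; False for RFC1918, loopback, link-local or garbage."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def find_suspicious_smb(events: List[str]) -> List[Dict[str, str]]:
    """Return events where explorer.exe opened an SMB connection to an external host.

    Explorer authenticating to an Internet SMB server is exactly how the
    .library-ms trick leaks the NTLMv2-SSP response, so such connections
    deserve an alert even when the file was never opened.
    """
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        if not ev.get("Image", "").lower().endswith("\\explorer.exe"):
            continue
        port = ev.get("DestinationPort", "")
        if port.isdigit() and int(port) in SMB_PORTS and is_external(ev.get("DestinationIp", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_smb(SAMPLE_EVENTS):
        print(f"ALERT explorer.exe -> {hit['DestinationIp']}:{hit['DestinationPort']} user={hit['User']}")
```

In production the same rule should also be paired with an outbound firewall block on TCP 445 toward non-corporate ranges, so the leak is prevented rather than merely observed.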

This vulnerability bears striking similarities to a previously patched flaw, CVE-2024-43451, exploited in 2024 to target Ukrainian entities.

Both vulnerabilities highlight persistent weaknesses in NTLM authentication, despite Microsoft’s efforts to bolster security with NTLMv2, which mitigates older risks like pass-the-hash and rainbow table attacks.

Exploitation in the Wild

Just eight days after Microsoft’s patch, Check Point Research identified the first campaign exploiting CVE-2025-24054.

By March 25, 2025, approximately ten campaigns had emerged, targeting victims’ NTLMv2-SSP hashes via malicious SMB servers hosted in countries including Russia, Bulgaria, the Netherlands, Australia, and Turkey.

A notable campaign, dubbed the “NTLM Exploits Bomb,” unfolded between March 20 and 21, 2025, targeting Polish and Romanian government and private institutions.

Attackers distributed phishing emails containing Dropbox links to an archive named xd.zip. Once unzipped, the archive triggered multiple exploits, including CVE-2025-24054, through files like xd.library-ms, which connected to a malicious SMB server at IP address 159.196.128.120.

Additional files, such as xd.url, xd.website, and xd.lnk, exploited related vulnerabilities, including CVE-2024-43451, to harvest credentials via SMB connections.

Initial reports suggested that unzipping the archive was necessary to trigger the exploit.

However, Microsoft’s documentation and subsequent findings revealed that even minimal interactions, such as navigating to the folder containing the malicious file, could activate it.

On March 25, 2025, Check Point Research uncovered a separate campaign distributing unzipped .library-ms files, further amplifying the threat by eliminating the need for extraction.

Microsoft’s Response and Mitigation

Microsoft addressed CVE-2025-24054 in its March 11, 2025, security update, initially assigning it the identifier CVE-2025-24071 before updating it to CVE-2025-24054.

The patch prevents Windows Explorer from leaking NTLMv2-SSP hashes when processing malicious .library-ms files.

However, the eight-day gap between the patch release and the first observed exploitation highlights the critical need for rapid patch deployment.

Check Point’s Threat Emulation and Harmony Endpoint solutions offer protection against these attacks, detecting and blocking the exploit under the signature Exploit.Wins.CVE_2025_24054.A.

Organizations are urged to apply the patch immediately, enforce SMB signing, and implement NTLM relay protections to mitigate risks. Disabling NTLM in favor of more secure protocols like Kerberos, where feasible, can further reduce exposure.

The ease with which NTLM hashes can be harvested and weaponized underscores the need to phase out legacy authentication protocols and adopt modern, secure alternatives.

As cybercriminals continue to refine their tactics, vigilance and rapid response remain critical to safeguarding sensitive systems and data.

Indicators of Compromise

Description                    Value
Archive NTLM Exploits Bomb     9ca72d969d7c5494a30e996324c6c0fcb72ae1ae
xd.website                     84132ae00239e15b50c1a20126000eed29388100
xd.url                         76e93c97ffdb5adb509c966bca22e12c4508dcaa
xd.library-ms                  7dd0131dd4660be562bc869675772e58a1e3ac8e
xd.lnk                         5e42c6d12f6b51364b6bfb170f4306c5ce608b4f
NTLM Exploits Bomb Endpoint    159.196.128[.]120
Unzipped Exploits              054784f1a398a35e0c5242cbfa164df0c277da73
                               7a43c177a582c777e258246f0ba818f9e73a69ab
Unzipped Campaign Endpoint     194.127.179[.]157

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
