Categories: Cyber Security News

CISA Warns of Actively Exploited Windows NTLM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding an actively exploited vulnerability in Microsoft Windows, tracked as CVE-2025-24054, that enables attackers to steal sensitive authentication hashes with minimal user interaction.

The flaw, which affects the legacy NTLM (New Technology LAN Manager) authentication protocol, has been leveraged in a series of coordinated phishing campaigns targeting government and private organizations, particularly in Poland and Romania, since March 19, 2025.

What Is CVE-2025-24054?

CVE-2025-24054 is a medium-severity vulnerability (CVSS score: 6.5) in Windows Explorer that allows for NTLM hash disclosure via spoofing.

The exploit is triggered when a user interacts with a specially crafted .library-ms file—actions as simple as selecting, right-clicking, or merely navigating to the folder containing the malicious file can activate the exploit.

Once triggered, Windows initiates an SMB (Server Message Block) authentication request to a remote server controlled by the attacker, leaking the user’s NTLMv2-SSP hash.

How Are Attackers Exploiting the Flaw?

Threat actors have rapidly weaponized this vulnerability, launching phishing campaigns that distribute malicious .library-ms files through Dropbox links in emails.

In the initial wave, attackers bundled these files within ZIP archives.

However, subsequent campaigns have shown that even uncompressed .library-ms files can trigger the exploit, requiring only minimal user interaction.

Captured NTLM hashes can be brute-forced offline to reveal user passwords or used in relay attacks, where attackers impersonate victims to access other network resources.

The risk is especially high if the compromised account holds elevated privileges, potentially enabling lateral movement and even full domain compromise in poorly protected environments.
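Because the leak works by making the victim's machine open an SMB connection to a server outside the network, a straightforward defensive check is to look for workstations connecting outbound on the SMB ports to non-internal addresses. The following is an added example (not from the article or from Check Point) that runs that check over a few constructed egress-firewall log lines; the key=value log format, the host names, the addresses and the RFC 1918 "internal" ranges are all assumptions for the example.

```python
"""Flag outbound SMB/NetBIOS connections that leave the internal network.

Added example for the hash-leak scenario described above: the .library-ms
lure makes Windows authenticate to a remote SMB server, so the observable
on the wire is a workstation opening TCP/445 (or 139) to a public address.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample egress-firewall log (key=value syslog style); not real traffic.
SAMPLE_LOG = """\
2025-03-20T09:14:02Z fw01 action=allow proto=tcp src=10.20.4.17 sport=51034 dst=10.20.1.5 dport=445
2025-03-20T09:14:07Z fw01 action=allow proto=tcp src=10.20.4.17 sport=51040 dst=203.0.113.44 dport=445
2025-03-20T09:14:09Z fw01 action=allow proto=tcp src=10.20.4.17 sport=51041 dst=203.0.113.44 dport=443
2025-03-20T09:15:33Z fw01 action=deny proto=tcp src=10.20.7.2 sport=49811 dst=198.51.100.9 dport=445
2025-03-20T09:16:01Z fw01 action=allow proto=tcp src=10.20.7.2 sport=49820 dst=192.0.2.77 dport=139
"""

# Ports on which a Windows client performs SMB authentication.
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918); replace with the organisation's own ranges.
DEFAULT_INTERNAL_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Split '<timestamp> <host> k=v k=v ...' into a dict; None if malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3:
        return None
    fields = dict(KV_RE.findall(parts[2]))
    fields["timestamp"] = parts[0]
    return fields


def is_internal(ip_str, internal_nets):
    """True if ip_str parses as an address inside one of internal_nets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # hostnames or garbage: not provably internal, so keep for review
    return any(ip in net for net in internal_nets)


def detect_outbound_smb(log_text, internal_nets=DEFAULT_INTERNAL_NETS):
    """Return findings for SMB-port connections from internal hosts to non-internal hosts.

    Denied connections are kept as well: a blocked attempt still identifies a
    workstation that opened the lure and should be triaged.
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("proto", "").lower() != "tcp":
            continue
        try:
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue
        if dport not in SMB_PORTS:
            continue
        if not is_internal(f.get("src", ""), internal_nets):
            continue
        if is_internal(f.get("dst", ""), internal_nets):
            continue
        findings.append(Finding(f["timestamp"], f["src"], f["dst"], dport, f.get("action", "?")))
    return findings


if __name__ == "__main__":
    for hit in detect_outbound_smb(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.dport} ({hit.action})")
```

On the sample the internal 445 connection and the 443 connection are ignored, while the two allowed and one denied SMB connections to outside addresses are reported. A workstation has almost no legitimate reason to speak SMB to the internet, so the same rule is usually enforced as an egress block on 445/139 at the perimeter, with the log search kept for finding hosts that already tried.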

Scope and Attribution

Check Point Research identified at least ten separate campaigns exploiting CVE-2025-24054 between March 19 and March 25, 2025.

The malicious SMB servers that collected the stolen credentials were hosted in Russia, Bulgaria, the Netherlands, Australia, and Turkey.

While one server was previously associated with the Russian state-sponsored group APT28 (Fancy Bear), no direct attribution has been confirmed for these campaigns.

The vulnerability is closely related to CVE-2024-43451, another NTLM hash disclosure flaw exploited in 2024, underscoring persistent weaknesses in NTLM-based authentication.

Microsoft’s Response and Mitigation

Microsoft released a patch for CVE-2025-24054 on March 11, 2025.

However, attackers began exploiting the flaw just eight days later, highlighting the critical importance of timely patch deployment.

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and mandated that federal agencies apply the patch by May 8, 2025.

Organizations are strongly advised to:

  • Apply Microsoft’s March 2025 security updates immediately.
  • Disable NTLM authentication where possible, in favor of more secure protocols like Kerberos.
  • Implement network protections such as SMB signing and NTLM relay mitigations.
  • Educate users about phishing risks and the dangers of interacting with suspicious files.
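The second and third items above correspond to specific Windows security policy settings that can be verified from the registry. The following added example (not from the article or from Microsoft) parses the text that `reg query` prints for the relevant keys and reports which NTLM and SMB-signing settings fall short. The key and value names are Microsoft's policy-backed registry locations; the sample output, with its deliberately weak values, is constructed for the example.

```python
"""Audit NTLM and SMB-signing hardening from `reg query` output (added example)."""
import re

# Constructed sample: what `reg query <key>` prints for each key of interest on an
# un-hardened workstation. Values were chosen for the example, not taken from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    RestrictSendingNTLMTraffic    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x0
    EnableSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x1
"""

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MSV1_0 = LSA + r"\MSV1_0"
WKS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# (key, value name, predicate the DWORD must satisfy, message when it fails or is absent)
CHECKS = [
    (MSV1_0, "RestrictSendingNTLMTraffic", lambda v: v == 2,
     "outgoing NTLM to remote servers is not denied (2 = Deny all; 1 = Audit all)"),
    (LSA, "LmCompatibilityLevel", lambda v: v >= 5,
     "LmCompatibilityLevel below 5: LM/NTLMv1 responses still permitted"),
    (WKS, "RequireSecuritySignature", lambda v: v == 1,
     "SMB client does not require signing"),
    (SRV, "RequireSecuritySignature", lambda v: v == 1,
     "SMB server does not require signing"),
]

# Matches the indented '<name>    <REG_TYPE>    <data>' lines under a key.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Map (key, value_name) -> int for the REG_DWORD entries in reg query output."""
    values = {}
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if key and m and m.group(2) == "REG_DWORD":
            values[(key, m.group(1))] = int(m.group(3).strip(), 16)
    return values


def audit_ntlm_hardening(values):
    """Return one finding string per check that fails or whose value is not set."""
    findings = []
    for key, name, ok, msg in CHECKS:
        v = values.get((key, name))
        if v is None:
            findings.append(f"{name} not set under {key}: Windows default applies; {msg}")
        elif not ok(v):
            findings.append(f"{name}={v} under {key}: {msg}")
    return findings


if __name__ == "__main__":
    for finding in audit_ntlm_hardening(parse_reg_query(SAMPLE_REG_QUERY)):
        print("FAIL:", finding)
```

On the sample this reports three failures (outgoing NTLM allowed, LmCompatibilityLevel 3, SMB client signing not required) and passes the server-signing check. To use it on a real host, run `reg query` for each of the four keys and feed the concatenated output to `parse_reg_query`. Setting RestrictSendingNTLMTraffic to 2 will break anything that still depends on NTLM, so the usual path is audit mode (value 1) first, review of the resulting NTLM audit events, and then denial with the remaining legitimate servers listed in the ClientAllowedNTLMServers exception value under the same MSV1_0 key.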

The rapid exploitation of CVE-2025-24054 demonstrates how quickly threat actors can capitalize on newly discovered vulnerabilities, especially those requiring minimal user interaction.

Organizations must act swiftly to patch affected systems and strengthen authentication protocols to mitigate the risk of credential theft and network compromise.


The post CISA Warns of Actively Exploited Windows NTLM Vulnerability appeared first on Cyber Security News.
