How Dangerous Is the Windows NTLM CVE-2025-24054 Flaw? Unpacking the Latest Exploit Threat

Are You Protected? Critical Windows NTLM Vulnerability CVE-2025-24054 Actively Exploited—What You Must Know

On March 11, 2025, Microsoft released a security update addressing CVE-2025-24054, a significant vulnerability affecting the Windows NTLM authentication protocol. Despite Microsoft’s initial assessment that exploitation was “less likely,” recent reports confirm that cybercriminals are now actively targeting this flaw in real-world attacks. This development underscores the urgent need for organizations and individuals to take protective action.

What Is CVE-2025-24054?

Type: NTLM Hash Disclosure Spoofing Vulnerability

Severity: CVSS v3 score of 6.5 (medium severity)

Affected Systems: All supported Windows versions, from Windows Server 2008 R2 through Windows Server 2025, Windows 10, and Windows 11

NTLM Overview: NTLM (New Technology LAN Manager) is a legacy Microsoft authentication protocol used to verify user identities and secure network communications. It is increasingly targeted due to its known weaknesses.

How Does the Vulnerability Work?

Attack Vector

The flaw stems from improper handling of file names or paths in NTLM, allowing an attacker to initiate spoofing attacks over a network.

User Interaction

Only minimal user interaction is required to trigger the exploit. Actions such as clicking, right-clicking, dragging, or simply viewing a folder containing a malicious file (not necessarily opening or executing it) can activate the vulnerability.

Exploitation Method

Attackers use specially crafted .library-ms files. When a user interacts with such a file, Windows may send NTLM authentication data (hashes) to a remote attacker-controlled server, exposing sensitive credentials.

Potential Impact

Once attackers obtain NTLM hashes, they can attempt to:

  • Brute-force the hash offline to recover passwords
  • Use relay attacks to impersonate users, escalate privileges, and move laterally within a network

Recent Exploitation and Attack Campaigns

Timeline

  • Patch Released: March 11, 2025
  • First Active Exploitation: Detected March 19, 2025, by Check Point Research
  • Attack Campaigns: At least 10 separate campaigns observed within two weeks of the patch, targeting government and private organizations in Poland, Romania, and beyond

Attack Technique

Malicious emails (malspam) delivered Dropbox links containing ZIP files with booby-trapped .library-ms files. Simply extracting or viewing these files could trigger the vulnerability, leaking NTLM hashes to attacker-controlled SMB servers.

Attack Infrastructure

Malicious SMB servers collecting hashes were hosted in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey.

Why Is This Vulnerability So Dangerous?

Minimal User Action Needed

The exploit can be triggered by simple user actions—no need to open or run the malicious file.

Potential for Severe Breaches

If privileged accounts are compromised, attackers can escalate their access, move laterally, and potentially compromise entire domains.

Legacy Protocol Risk

NTLM, though deprecated, is still widely used, making many organizations vulnerable.

What Should You Do?

Immediate Actions

  1. Apply Microsoft’s Security Updates: Ensure all Windows systems are patched with the latest updates released on March 11, 2025.
  2. Educate Users: Train staff to avoid interacting with suspicious files, especially those received via email or downloaded from untrusted sources.
  3. Enhance Network Protections:
    • Enable SMB signing and NTLM relay protections
    • Monitor for unusual SMB authentication attempts or outbound connections to unfamiliar servers
  4. Consider Disabling NTLM: Where possible, migrate to more secure authentication protocols like Kerberos.
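One way to implement the monitoring in step 3 (outbound SMB connections to unfamiliar servers) over connection logs, as an added example that is not part of the original article: the log-line format, the RFC 1918 internal ranges and the sample lines are constructed assumptions, and the allowlist is a hypothetical parameter for known external file servers.

```python
# Added example (not from the original article): flag outbound SMB connections
# to unfamiliar servers. Log format, internal ranges and samples are constructed.
import ipaddress
import re

SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service

# Constructed format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Assumed internal address space (RFC 1918 plus loopback); adapt to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def flag_outbound_smb(lines, allowlist=frozenset(), nets=INTERNAL_NETS):
    """Return (timestamp, src, dst, dport) for each TCP SMB connection whose
    destination is neither internal nor allowlisted; unparseable lines and
    invalid addresses are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() != "TCP" or int(m["dport"]) not in SMB_PORTS:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if str(dst) not in allowlist and not is_internal(dst, nets):
            hits.append((m["ts"], m["src"], str(dst), int(m["dport"])))
    return hits


# Constructed sample: a benign internal file-server connection, two SMB
# connections to Internet hosts (the pattern a leaked NTLM handshake produces),
# an HTTPS connection and a malformed line.
SAMPLE_LOG = [
    "2025-03-20T09:14:02Z 10.0.5.23:51234 -> 10.0.1.10:445 TCP",
    "2025-03-20T09:14:07Z 10.0.5.23:51240 -> 203.0.113.45:445 TCP",
    "2025-03-20T09:14:09Z 10.0.5.23:51241 -> 198.51.100.8:139 TCP",
    "2025-03-20T09:15:00Z 10.0.5.23:51250 -> 93.184.216.34:443 TCP",
    "garbage line that does not parse",
]
```

Running `flag_outbound_smb(SAMPLE_LOG)` returns only the two Internet-bound SMB connections; feeding it a firewall or proxy export in the same shape gives a first-pass alert list to review against the known external file servers in the allowlist.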

By understanding the risk and acting quickly, you can significantly reduce your exposure to this dangerous vulnerability.