CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing bug that was patched by Microsoft last month as part of its Patch Tuesday updates.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

NTLM is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. In recent years, threat actors have found various methods to exploit the technology, such as pass-the-hash and relay attacks, to extract NTLM hashes for follow-on attacks.

“Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” CISA said.

In a bulletin published in March, Microsoft said the vulnerability could be triggered by minimal interaction with a specially crafted .library-ms file, such as “selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.”

The tech giant also credited Rintaro Koike with NTT Security Holdings, 0x6rss, and j00sean for discovering and reporting the flaw.

While Microsoft has given CVE-2025-24054 an exploitability assessment of “Exploitation Less Likely,” the security flaw has since come under active exploitation since March 19, per Check Point, thereby allowing bad actors to leak NTLM hashes or user passwords and infiltrate systems.

“Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania,” the cybersecurity company said. “Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.”

The flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

According to Check Point, the file is distributed by means of ZIP archives, causing Windows Explorer to initiate an SMB authentication request to a remote server and leak the user’s NTLM hash without any user interaction simply upon downloading and extracting the archive’s contents.

That said, another phishing campaign observed as recently as March 25, 2025, has been found delivering a file named “Info.doc.library-ms” without any compression. Since the first wave of attacks, no less than 10 campaigns have been observed with the end goal of retrieving NTLM hashes from the targeted victims.

“These attacks leveraged malicious .library-ms files to collect NTLMv2 hashes and escalate the risk of lateral movement and privilege escalation within compromised networks,” Check Point said.

“This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.”

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for the shortcoming by May 8, 2025, to secure their networks in light of active exploitation.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.