Windows NTLM Hash Leak CVE-2025-24054 Under Active Exploitation: Patch Now to Prevent Credential Theft
A newly discovered Windows vulnerability, CVE-2025-24054, is being actively exploited by threat actors to steal NTLM hashes and compromise user credentials. The flaw, affecting all supported Windows versions, enables attackers to trigger NTLM hash leaks with minimal user interaction—often just by extracting or previewing a malicious .library-ms file from a ZIP archive. Exploitation has been observed in targeted phishing campaigns against government and private organizations since March 2025.
What is CVE-2025-24054?
CVE-2025-24054 is a medium-severity vulnerability (CVSS 6.5) in Windows Explorer’s handling of .library-ms files. When a user extracts a ZIP archive containing a malicious .library-ms file, Windows Explorer may automatically initiate an SMB authentication request to a remote attacker-controlled server, leaking the user’s NTLMv2-SSP hash. Attackers can then brute-force these hashes or relay them for lateral movement and privilege escalation—especially if the compromised account has elevated privileges.
Microsoft released a patch for this vulnerability on March 11, 2025. However, active exploitation was observed as early as March 19, with multiple phishing campaigns leveraging the flaw by March 25. Malicious SMB servers used in these attacks have been traced to infrastructure in Russia, Bulgaria, the Netherlands, Australia, and Turkey.
How Does the Attack Work?
- The attacker sends a phishing email containing a ZIP archive with a crafted .library-ms file.
- The victim extracts or even just previews the file in Windows Explorer.
- Windows Explorer initiates an SMB authentication request to the attacker’s remote server, leaking the NTLM hash.
- The attacker can attempt to crack the hash offline or relay it for unauthorized network access.
This vulnerability is closely related to CVE-2024-43451, which was exploited in similar attacks in late 2024.
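The attack chain above starts with a ZIP attachment that carries a .library-ms file, which gives defenders a simple place to intercept it before any user extracts or previews it. The following PowerShell script is an added example (it is not part of the original advisory or of any vendor tooling): it walks a directory of received attachments, lists every ZIP that contains a .library-ms member, extracts any UNC host (\\host) referenced inside that member for blocklisting, and optionally moves the archive to a quarantine folder. The paths in the usage line are hypothetical.

```powershell
# Added example, not from the original advisory. Assumes Windows PowerShell 5.1
# or PowerShell 7; $AttachmentDir and $Quarantine are hypothetical paths.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-LibraryMsZips {
    param(
        [Parameter(Mandatory)] [string] $AttachmentDir,
        [string] $Quarantine
    )
    Get-ChildItem -Path $AttachmentDir -Filter '*.zip' -File -Recurse | ForEach-Object {
        $zipPath = $_.FullName
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
        } catch {
            Write-Warning "Could not open $zipPath as a ZIP archive: $_"
            return
        }
        $hits = @()
        try {
            foreach ($entry in $zip.Entries) {
                # -like is case-insensitive, so .LIBRARY-MS is caught as well.
                if ($entry.Name -notlike '*.library-ms') { continue }
                # The library description is XML; a UNC location inside it is what
                # makes Explorer authenticate to that remote host. Record the host
                # names as indicators for the network team.
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                $hosts = [regex]::Matches($text, '\\\\[^\\\s<"]+') |
                    ForEach-Object { $_.Value } | Select-Object -Unique
                $hits += [pscustomobject]@{
                    Archive     = $zipPath
                    Entry       = $entry.FullName
                    RemoteHosts = ($hosts -join ', ')
                }
            }
        } finally {
            $zip.Dispose()
        }
        foreach ($h in $hits) { $h }
        if ($hits.Count -gt 0 -and $Quarantine) {
            if (-not (Test-Path $Quarantine)) {
                New-Item -ItemType Directory -Path $Quarantine | Out-Null
            }
            Move-Item -Path $zipPath -Destination $Quarantine -Force
        }
    }
}

# Usage (hypothetical paths):
# Find-LibraryMsZips -AttachmentDir 'C:\MailGateway\Incoming' `
#     -Quarantine 'C:\MailGateway\Quarantine' | Format-Table -AutoSize
```

The script never opens a .library-ms file with Explorer; it reads the entry as a plain stream inside the ZIP, so running it on a triage host does not itself trigger the SMB request. The UNC hosts it reports are the values to feed into egress firewall blocks and proxy logs when hunting for earlier deliveries of the same lure.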
Who is Affected?
- All supported versions of Microsoft Windows are vulnerable prior to the March 2025 patch.
- Organizations and individuals who have not applied the latest Windows updates are at immediate risk.
- High-value targets include government agencies and enterprises, but opportunistic attacks are possible against any unpatched system.
Mitigation and Recommendations
- Apply Microsoft’s March 2025 Patch Immediately: Ensure all Windows systems are fully updated.
- Block Outbound SMB Traffic: Restrict outbound SMB connections to prevent NTLM hash leaks to remote servers.
- User Awareness: Train users to avoid interacting with unexpected ZIP archives or suspicious email attachments.
- Network Protections: Enable SMB signing and NTLM relay protections, especially for privileged accounts.
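The host-side items in the list above (blocking outbound SMB, requiring SMB signing, restricting outgoing NTLM) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this page, not Microsoft's own guidance or code. The firewall rule name is arbitrary, and the `Internet` address keyword on `-RemoteAddress` is assumed to be available in your Windows version (it scopes the block to non-local addresses so that file shares and domain controllers on internal ranges keep working; verify the keyword with `Get-NetFirewallAddressFilter` on a test host). The NTLM restriction defaults to audit mode because setting it to Deny without an audit pass can break legacy applications.

```powershell
# Added example, not from the original advisory or from Microsoft.
# Run elevated. Assumptions: the 'Internet' -RemoteAddress keyword exists on this
# Windows build; the rule name below is chosen for this example.

$RuleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-NtlmLeakMitigations {
    param(
        # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
        # 0 = Allow all, 1 = Audit all, 2 = Deny all. Audit events are written to
        # the Microsoft-Windows-NTLM/Operational log; move to 2 once it stays quiet.
        [ValidateSet(0, 1, 2)] [int] $RestrictOutgoingNtlm = 1
    )

    # 1. Block outbound SMB (TCP 445) to Internet addresses at the host firewall.
    #    Apply the same block at the perimeter firewall as well.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }

    # 2. Require SMB signing on both client and server so a relayed NTLM
    #    authentication cannot be turned into a usable SMB session.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

    # 3. Restrict (or audit) NTLM sent to remote servers.
    New-ItemProperty -Path $LsaPath -Name 'RestrictSendingNTLMTraffic' `
        -PropertyType DWord -Value $RestrictOutgoingNtlm -Force | Out-Null
}

function Get-NtlmLeakMitigationState {
    # Report the current state so the change can be verified or rolled back.
    $ntlm = Get-ItemProperty -Path $LsaPath -Name 'RestrictSendingNTLMTraffic' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutboundSmbBlockRule = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        SmbClientSigning     = (Get-SmbClientConfiguration).RequireSecuritySignature
        SmbServerSigning     = (Get-SmbServerConfiguration).RequireSecuritySignature
        RestrictOutgoingNtlm = if ($ntlm) { $ntlm.RestrictSendingNTLMTraffic } else { 'not set (Allow all)' }
    }
}

Set-NtlmLeakMitigations          # audit mode by default
Get-NtlmLeakMitigationState
```

Expect `RestrictOutgoingNtlm` to read `1` after the first run; review the NTLM operational log for a few weeks, then rerun with `-RestrictOutgoingNtlm 2` on hosts that showed no legitimate outbound NTLM. None of these settings replace the March 2025 patch, which removes the Explorer behaviour itself; they limit what a leaked hash is worth on machines that are not yet updated.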
Timeline
- March 11, 2025: Microsoft releases patch for CVE-2025-24054.
- March 19, 2025: First observed exploitation in the wild (Check Point Research).
- March 20–25, 2025: Multiple phishing campaigns target European institutions.
- April 18, 2025: CISA adds CVE-2025-24054 to Known Exploited Vulnerabilities Catalog.
Sources
- Microsoft Security Advisory: CVE-2025-24054
- Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
- NIST NVD: CVE-2025-24054