A critical vulnerability in Microsoft Windows, identified as CVE-2025-24054, has been actively exploited since March 19, 2025. This flaw allows attackers to disclose NTLM hashes through spoofing, enabling the harvesting of sensitive user credentials with minimal interaction. Despite a patch released by Microsoft on March 11, 2025, threat actors have launched targeted campaigns against government and private institutions, particularly in Poland and Romania. The vulnerability affects Windows Explorer and is triggered by a maliciously crafted .library-ms file, which can initiate unauthorized Server Message Block (SMB) authentication requests to a remote server.
The exploitation of CVE-2025-24054 has been widespread, with approximately ten campaigns identified by March 25, 2025. These campaigns target victims' NTLMv2-SSP hashes via malicious SMB servers hosted in various countries, including Russia and Turkey. A notable campaign, dubbed "NTLM Exploits Bomb," targeted Polish and Romanian institutions using phishing emails containing Dropbox links to an archive named xd.zip. This archive triggered multiple exploits, including CVE-2025-24054, through files like xd.library-ms.
Microsoft's response to this vulnerability included a security update that prevents Windows Explorer from leaking NTLMv2-SSP hashes when processing malicious .library-ms files. However, the eight-day gap between the patch release on March 11, 2025, and the first observed exploitation on March 19, 2025, highlights the need for rapid patch deployment. Organizations are urged to apply the patch immediately and implement additional security measures such as enforcing SMB signing and NTLM relay protections.
CVE-2025-24054 is a critical vulnerability in Microsoft Windows that allows NTLM hash disclosure through spoofing. This flaw can lead to privilege escalation and full network compromise if exploited. The vulnerability is triggered by a maliciously crafted .library-ms file that initiates unauthorized SMB authentication requests, leaking a user's NTLMv2-SSP hash without requiring the user to open or execute the file. Actions as simple as right-clicking or navigating to a folder containing the malicious file can activate the exploit.
The leaked NTLMv2-SSP hash can be brute-forced to reveal a user's password or used in NTLM relay attacks, allowing attackers to impersonate the victim and authenticate to other network services. If the compromised account holds elevated privileges, attackers could achieve lateral movement across a network or even full domain compromise. This vulnerability is particularly concerning in environments lacking robust protections like SMB signing.
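The following PowerShell script is an added example, not code from the advisory or from 1898 & Co.: it audits a single Windows host for the mitigations named above (SMB signing on both the client and server side, restriction of outgoing NTLM traffic) and for the presence of the Microsoft update, whose KB identifier is not given on this page and is therefore supplied by the caller as a placeholder parameter.

```powershell
<#
  Added example (not from the advisory). Audits one Windows host for the
  mitigations the advisory names. Run from an elevated PowerShell session.
#>
param(
    # Placeholder: the KB id of the March 11, 2025 update for this OS build
    # is not stated on the page; pass the correct id for your build.
    [string]$PatchKB = 'KB<PLACEHOLDER>'
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. SMB signing: relay protection needs signing required on both sides,
#    otherwise a captured NTLMv2-SSP exchange can be replayed to another host.
$cli = Get-SmbClientConfiguration
$srv = Get-SmbServerConfiguration
Add-Finding 'SMB client signing required' $cli.RequireSecuritySignature `
    "RequireSecuritySignature=$($cli.RequireSecuritySignature)"
Add-Finding 'SMB server signing required' $srv.RequireSecuritySignature `
    "RequireSecuritySignature=$($srv.RequireSecuritySignature)"

# 2. Outgoing NTLM restriction, i.e. the policy "Network security: Restrict
#    NTLM: Outgoing NTLM traffic to remote servers". 0 = allow, 1 = audit,
#    2 = deny. Deny stops the client from answering a rogue SMB server with
#    NTLM at all; audit at least logs the attempt for detection.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic `
    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$restrictText = if ($null -eq $restrict) { 'not set (allow all)' } else { "$restrict" }
Add-Finding 'Outgoing NTLM restricted' ($restrict -eq 2) "RestrictSendingNTLMTraffic=$restrictText"

# 3. Patch presence, looked up by the KB id supplied by the caller.
$hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
$hotfixText = if ($hotfix) { "InstalledOn=$($hotfix.InstalledOn)" } else { 'not found' }
Add-Finding "Update $PatchKB installed" ($null -ne $hotfix) $hotfixText

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduler or configuration-management job flag the host.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

A value of 1 (audit) for RestrictSendingNTLMTraffic is reported as a failure here because only deny (2) prevents the outbound authentication; adjust the comparison if your environment deliberately runs in audit mode first.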
The exploitation of CVE-2025-24054 poses significant risks to clients, including operational disruptions, data breaches, and financial consequences. The ability of attackers to harvest NTLM hashes with minimal interaction increases the likelihood of successful attacks, potentially leading to full network compromise. Organizations may face reputation damage and regulatory compliance issues if sensitive data is exposed or systems are disrupted.
From a compliance perspective, failure to address this vulnerability could result in audits or penalties due to non-compliance with data protection regulations. Clients are advised to prioritize patch deployment and implement additional security measures to mitigate these risks.
To mitigate the risks associated with CVE-2025-24054, clients should take the following actions:
These measures will help reduce exposure to this vulnerability and enhance overall security posture. As cybercriminals continue to refine their tactics, maintaining vigilance and responding rapidly to emerging threats remain critical.
1898 & Co. is actively addressing the current threat landscape by offering specialized services and solutions designed to mitigate emerging threats like CVE-2025-24054. Our team provides tailored security assessments and patch management services to ensure clients are protected against known vulnerabilities. We also offer advanced threat detection solutions that leverage real-time intelligence to identify and block potential exploits.
In collaboration with industry partners and government agencies, we are enhancing our threat intelligence capabilities to stay ahead of evolving cyber threats. Our ongoing research efforts focus on identifying new attack vectors and developing innovative mitigation strategies. Through case studies and real-world examples, we demonstrate the effectiveness of our solutions in safeguarding client systems and data.