Unmasking the Threat: CVE-2025-24054

A Critical Spoofing Vulnerability in Windows Explorer

What do you mean you haven't updated yet?

TECHNICAL DEEP DIVE IN HERE

We get that not everyone wants the super detailed nitty-gritty. But we did the research and it would be a shame to just let it rot in files on our computers when it could just as easily rot here where you can enjoy it. You know, if you're into that kind of thing.


🚨 CVE-2025-24054: Windows NTLM Hash Leak – Attackers Are Exploiting It NOW

Heads up, Windows admins! A nasty vulnerability, tagged CVE-2025-24054, is making waves, and not the good kind. This flaw lets attackers snatch sensitive NTLM authentication hashes just by tricking users into clicking—or sometimes not even clicking—a specially crafted file. The kicker? Attackers started hammering this vulnerability in the wild just eight days after Microsoft dropped the patches. That’s lightning fast, folks.  

The core problem? Windows Explorer gets fooled by malicious .library-ms files, making it cough up user credentials with barely any user interaction needed. It’s so bad, CISA slapped it onto their Known Exploited Vulnerabilities (KEV) list almost immediately, signaling DEFCON 1 for patching. This isn’t your typical “don’t run strange.exe files” warning; even routine file browsing can now be a trapdoor. The speed of exploitation tells us attackers were ready, maybe even waiting. Time to understand this threat and lock things down.  

Understanding the Threat: Scope & Prevalence

🧠 What’s the Deal? (The Core Vulnerability: CVE-2025-24054)

So, what exactly is CVE-2025-24054? Officially, it’s an NTLM Hash Disclosure Spoofing vulnerability hitting Microsoft Windows. Think of it as a specific flavor of CWE-73: External Control of File Name or Path, where bad guys mess with file paths to make your system do things it shouldn’t. It targets the old-school New Technology LAN Manager (NTLM) authentication protocol – yeah, the one Microsoft officially deprecated back in 2023 but is still kicking around in way too many networks.  

Here’s the attack playbook, simplified:

  • The Bait: Attacker crafts a special file ending in .library-ms. These are normally innocent Windows Library files (XML-based) that Explorer uses to manage folder collections. But the attacker slips a path pointing to their own external SMB server inside this file.  

  • The Trigger (It’s Tiny!): This is where it gets sneaky. You don’t need to run the file. Just interacting with it minimally in Windows Explorer is enough. We’re talking:
    • Single-clicking to select it.
    • Right-clicking it (for properties, options, etc.).
    • Dragging and dropping it.
    • Even just navigating into the folder where the file sits (like your Downloads folder, or after unzipping an archive).  

  • The Leak: Explorer sees the .library-ms file, tries to process the path inside, and boom – it automatically tries to connect to the attacker’s SMB server.  

  • Hash Grabbed: During that SMB handshake attempt, your system helpfully sends the user’s NTLMv2-SSP hash (Net-NTLMv2 hash) straight to the attacker. No big warnings, no obvious signs of trouble. Hash = gone.  

Translation: Attackers can spoof a network request, tricking your PC into initiating an authentication handshake with their malicious server, all triggered by seemingly harmless file interactions. Windows Explorer, just trying to do its job processing file info, becomes an unwitting accomplice in credential theft.  

Adding insult to injury, CVE-2025-24054 is basically a sequel to another recent flaw, CVE-2024-43451. That one used malicious .url files to do the same NTLM hash-leaking trick. The fact that this new variant popped up so quickly means attackers are actively probing how Windows handles different file types and network paths. Expect more of these unless the core file handling logic gets a serious overhaul.  

How Bad Is the Spread? (Affected Systems & NTLM’s Ghost)

This isn’t some niche problem. CVE-2025-24054 affects a huge range of Microsoft Windows versions. Reports initially said “all the latest versions” were vulnerable. The official list confirms it hits tons of client and server editions, across x64, x86, and even ARM64 architectures.  

Table 1: Just Some of the Windows Versions Needing the March 2025 Update

Operating System                                | Platform(s)       | Vulnerable If Version Is Before…
------------------------------------------------|-------------------|----------------------------------
Windows 10 v1607 / Server 2016                  | x64, x86          | 10.0.14393.7876
Windows 10 v1809 / Server 2019                  | x64               | 10.0.17763.7009
Windows 10 v21H2                                | x64, x86, ARM64   | 10.0.19044.5608
Windows 10 v22H2                                | x64, x86, ARM64   | 10.0.19045.5608
Windows 11 v22H2 / 22H3                         | x64, ARM64        | 10.0.22621.5039 / 10.0.22631.5039
Windows 11 v23H2                                | x64               | 10.0.22631.5039
Windows 11 v24H2                                | x64, ARM64        | 10.0.26100.3476
Windows Server 2008 R2 SP1 (Got ESU?)           | x64               | 6.1.7601.27618
Windows Server 2012 (Got ESU?)                  | x64               | 6.2.9200.25368
Windows Server 2012 R2 (Got ESU?)               | x64               | 6.3.9600.22470
Windows Server 2022                             | x64               | 10.0.20348.3328
Windows Server 2022, 23H2 Ed. (Server Core)     | x64               | 10.0.25398.1486
Windows Server 2025 / Server 2025 (Server Core) | x64               | 10.0.26100.3476

(Disclaimer: This isn’t the full list! Check Microsoft’s official advisory for everything.)  

What makes this vulnerability sting even more is that NTLM is still everywhere. Microsoft wants everyone on the more secure Kerberos, but legacy apps and old configurations mean NTLM often sticks around like a bad habit. So, even if your Windows OS is otherwise up-to-date (minus this patch), if NTLM is enabled, you're vulnerable. This bug exploits that lingering legacy weakness.

The fact that it hits ancient (but still supported via ESU) systems like Server 2008 R2 and 2012/R2 tells you the flaw is likely buried deep in a core Windows Explorer or shell component shared across generations. It’s a Windows-only party, though – Linux folks using Red Hat, for example, are safe from this one.  

Assessing the Danger: Risk Profile & Exploitability

Attack Scenarios: How They Get You

So how does this actually play out? Mostly through classic social engineering, usually via phishing emails (malspam). Attackers cook up emails trying to trick users into interacting with the payload. Here are the common plays:  

  • The Zipped Trap: Email arrives with a ZIP file attached. Inside? The malicious .library-ms file. The trap springs when the user extracts the archive – Explorer processes the file during extraction or when the user browses the folder afterward.  

  • The Dodgy Link: Email contains a link, maybe looking legit (like Dropbox), pointing to the malicious payload (either the ZIP or the raw .library-ms file). Click, download, and the attack chain starts.  

  • Direct Hit: Later attack waves got smarter, ditching the ZIP and sending the .library-ms file directly. Just downloading it and having it land in your Downloads folder can be enough. A single click to select it later? Game over.  

The real danger? Minimal user interaction. Forget tricking users into running malware. CVE-2025-24054 triggers with stuff people do all the time without thinking twice: single-clicking, right-clicking, dragging, or just opening a folder. It weaponizes routine workflows, sidestepping security training focused only on “don’t run unknown programs.” Users aren’t running anything in the usual sense.  

This is a remote attack (CVSS Attack Vector: Network – AV:N) because the delivery is usually over the network, and the hash leaks out over the network to the attacker’s server. User interaction is needed (CVSS User Interaction: Required – UI:R), but it’s passive and easily baited with phishing. No need for physical access or insiders here, though those could be alternative ways to plant the file.  

The attackers shifting from ZIPs to direct .library-ms files? That shows they’re adapting. Maybe trying to dodge security scanners, maybe just making it easier for the victim to trigger the leak faster. It’s a reminder that these guys evolve their tactics.  

Exploitability Deep Dive: What Can They Do With That Hash?

Okay, so they snagged the user’s NTLMv2-SSP (Net-NTLMv2) hash. What’s the big deal? That hash isn’t the password itself, but it’s gold for attackers. Here’s what they do next:  

  • Offline Cracking: They take the hash offline and throw serious computing power (think GPUs) at it, using password lists, rainbow tables, or brute force to crack it and get the actual plaintext password. Success depends on password complexity – weak ones crack fast.  

  • NTLM Relay Attacks (Often Worse): Forget cracking; attackers can often just “relay” the stolen hash or authentication attempt to other servers on your network that still accept NTLM (like file shares, or web apps using Windows auth). If it works, they log in as the victim without ever needing the password. Ouch.  

The fallout from getting these credentials (cracked password or successful relay) is serious and often just the first step in a bigger breach:

  • Moving Sideways (Lateral Movement): With the victim’s creds, attackers hopscotch across the network, hitting other machines, servers, and shares the user could access.  

  • Climbing the Ladder (Privilege Escalation): If the compromised user is an admin or has high privileges, the attacker hits the jackpot, gaining major control. Even low-privilege access can be a foothold to find other ways to escalate.  

  • Sticking Around (Persistence): Real credentials are a reliable backdoor for attackers to maintain access over time.
  • Stealing Stuff & Wrecking Things: Access leads to data theft, deploying more malware (hello, ransomware!), and general mayhem.

And yes, attackers are chaining CVE-2025-24054 with other bugs. Campaigns were seen bundling the malicious .library-ms file with .url files hitting CVE-2024-43451 (the similar NTLM leak bug) and maybe others, all packed into one malicious archive. It’s a “spray and pray” approach to maximize their chances of getting credentials from systems that might have patched one flaw but not another.  

The fact that active exploitation started March 19, 2025, proves this isn’t just theory. Weaponized exploits are out there, being used right now. Check Point even showed network captures of the exploit in action. This is a live fire exercise, folks. CVE-2025-24054 is a practical tool for initial access and credential theft, paving the way for much worse.  

Defensive Posture: Mitigation & Detection

Patch It Like You Mean It (Official Fixes)

The number one, absolute best defense? Apply the Microsoft security updates from March 11, 2025. These patches fix the way Explorer handles .library-ms files, stopping the rogue SMB connection and hash leak cold.  

Updates are out for that huge list of affected Windows versions, including the old ESU ones (check Table 1 and Microsoft’s official site). Given that attackers were exploiting this just days after the patch dropped, patching is URGENT. CISA agrees, setting a May 8, 2025 deadline for US federal agencies via the KEV catalog – a strong hint for everyone else to get moving.  

Hit up the official Microsoft Security Response Center (MSRC) advisory for CVE-2025-24054 for the final word on affected products and update links.  

Side note: Microsoft initially rated this “Exploitation Less Likely.” Reality check: attackers didn’t care. Lesson learned? Don’t rely solely on vendor predictions. If a bug leaks creds or allows remote access, weigh the potential impact and real-world activity heavily, especially when patching priorities are tight. The speed here shows motivated attackers move fast.  

Beyond Patching: Harden Your Defenses (Configuration & NTLM Smackdown)

Patching is critical, but don’t stop there. Layer your defenses by hardening configurations, especially around that troublesome NTLM protocol:

  • Kill NTLM (The Real Fix): Seriously, the best long-term move is to get rid of NTLM entirely. Migrate everything to Kerberos. This takes planning – audit where NTLM is still used (check Windows Event Logs!), test thoroughly, and then disable it via Group Policy.  


  • Can’t Kill It? Restrict It HARD: If ripping out NTLM isn’t possible yet, lock it down tight with GPOs:

    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Set to “Deny all”.
    • Network security: Restrict NTLM: NTLM authentication in this domain -> Set to “Deny all domain accounts” (or stricter).
    • Network security: Restrict NTLM: Audit NTLM authentication... -> Enable auditing to find where it’s still lurking.
  • Require SMB Signing: Force clients and servers to use SMB signing (RequireSecuritySignature = 1). This stops NTLM relay attacks dead by cryptographically signing packets. If the signature doesn’t match, the relayed authentication fails.  


  • Enable Extended Protection for Authentication (EPA): Turn on EPA for services like IIS and Exchange. It ties authentication to the secure channel (TLS), adding another layer against relay attacks.

  • Block Outbound SMB (Critical Backstop): This is huge. Configure your perimeter firewall to BLOCK outbound SMB traffic (TCP port 445 and UDP port 445) for all standard user workstations (and servers that don’t need it). Why? CVE-2025-24054 leaks the hash to an external attacker server via SMB. Block that path, and you neutralize this specific attack vector, even on unpatched machines. This buys you breathing room for patching.  


  • Basic Hygiene Still Matters: While not direct fixes post-patch, remember the basics for CWE-73 (External Control of File Name or Path). Good input validation in apps, maybe sandboxing where practical, helps build overall resilience.


  • User Training Refresh: Yes, the trigger is subtle, but remind users: be suspicious of any unexpected files from outside, even seemingly harmless ones like .library-ms. Explain that simple clicks, not just running programs, can sometimes kick off bad network connections.

Doing this stuff – especially ditching NTLM and blocking outbound SMB – doesn’t just stop CVE-2025-24054. It hardens you against a whole class of credential theft attacks that prey on NTLM’s weaknesses.  
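The settings above live in Group Policy for a domain, but you can audit (and, on a single box, enforce) their local-machine equivalents from PowerShell. The script below is an added example written for this post, not code from the original article or from Microsoft; it also covers the "Block Outbound SMB" and "Disable NTLM" steps of the checklist at the end of the post. Assumptions that are mine: the registry value behind "Outgoing NTLM traffic to remote servers" (RestrictSendingNTLMTraffic under Lsa\MSV1_0: 0 = allow, 1 = audit, 2 = deny), the firewall rule display names, and the use of the Windows Firewall "Internet" address keyword (which relies on the host's own network-location classification; substitute explicit address ranges if you prefer). Run it elevated; without -Enforce it only reports.

```powershell
# Added example (not from the original post): report or enforce local NTLM/SMB hardening.
param(
    [switch] $Enforce,                                   # default is report-only
    [ValidateSet('Audit', 'Deny')] [string] $NtlmOutbound = 'Audit'  # post recommends Deny once the audit pass is clean
)

# Assumption: this is the registry home of "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ruleNames = @{ TCP = 'Block outbound SMB (TCP 445) to Internet'; UDP = 'Block outbound SMB (UDP 445) to Internet' }

function Get-NtlmOutboundPolicy {
    # Translate the DWORD into the GPO wording used in the post.
    $v = (Get-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) { 2 { 'Deny all' } 1 { 'Audit all' } 0 { 'Allow all' } default { 'Not configured (allow)' } }
}

function Test-SmbSigningRequired {
    # RequireSecuritySignature on both the SMB client and the SMB server side.
    [pscustomobject]@{
        Client = [bool](Get-SmbClientConfiguration).RequireSecuritySignature
        Server = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
    }
}

function Get-OutboundSmbBlockRules {
    # Any enabled outbound Block rule whose remote-port filter includes 445, whatever its name.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
}

function Get-HardeningGaps {
    # Plain-language list of what still needs doing; empty means the three controls are in place.
    $gaps = @()
    if ((Get-NtlmOutboundPolicy) -ne 'Deny all') { $gaps += "Outgoing NTLM is '$(Get-NtlmOutboundPolicy)', not 'Deny all'" }
    $sig = Test-SmbSigningRequired
    if (-not $sig.Client) { $gaps += 'SMB client does not require signing' }
    if (-not $sig.Server) { $gaps += 'SMB server does not require signing' }
    if (@(Get-OutboundSmbBlockRules).Count -eq 0) { $gaps += 'No enabled outbound block rule for port 445' }
    $gaps
}

if ($Enforce) {
    # 1. Outgoing NTLM: audit first (1), deny (2) once Event ID 8001/8004 traffic has been reviewed.
    New-Item -Path $lsaKey -Force | Out-Null
    Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value $(if ($NtlmOutbound -eq 'Deny') { 2 } else { 1 })

    # 2. Require SMB signing on both sides (breaks relay of this host's credentials).
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

    # 3. Host-firewall backstop: no SMB (TCP or UDP 445) to non-intranet addresses, even if unpatched.
    foreach ($proto in 'TCP', 'UDP') {
        if (-not (Get-NetFirewallRule -DisplayName $ruleNames[$proto] -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleNames[$proto] -Direction Outbound -Action Block `
                -Protocol $proto -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
        }
    }
}

# Report, whether or not anything was changed.
[pscustomobject]@{
    OutgoingNtlm     = Get-NtlmOutboundPolicy
    SmbSigning       = Test-SmbSigningRequired
    OutboundSmbBlock = @(Get-OutboundSmbBlockRules).Count -gt 0
    Gaps             = @(Get-HardeningGaps)
}
```

The host-firewall rule is a per-machine backstop, not a replacement for the perimeter block the post calls for: it protects a laptop that is off the corporate network, but a user can still be talked into reaching an internal rogue host, which is exactly why the NTLM restriction and SMB signing steps are there too. Get-HardeningGaps is the bit worth wiring into a compliance check.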

Spotting the Attackers: Detection Tips (Logs, Signatures)

How do you know if someone’s trying this on your network? You need eyes on network traffic, endpoints, and logs:

  • Network Watch (IDS/IPS/Firewall): The biggest red flag is outbound SMB traffic (TCP 445) from workstations trying to hit external IPs, especially weird ones not tied to your legit cloud services. Your IDS/IPS might have specific signatures for CVE-2025-24054 or generic NTLM relay tools. Firewall logs are gold for spotting (and hopefully blocking) these outbound attempts.
  • Endpoint Detection & Response (EDR): Your EDR tools can be invaluable. Look for:
    • Weird process behavior: Explorer.exe suddenly making outbound connections on TCP 445.
    • File trails: Creation/modification of .library-ms files, especially in Downloads or temp folders, linked to browser or email activity. Connect these file events to network activity.
  • Windows Event Logs (Dig Deep): Turn on the right logging (can be noisy, so filter wisely):
    • Security Log: Event ID 4624 (Successful logon) on servers attackers might relay to. Look for weird Logon Type 3 (Network) events from unexpected places right after a suspected hash leak.
    • SMB Client Logs: Enable Microsoft-Windows-SMBClient/Security logs (Events 30828, 30827) to track outbound SMB attempts. Verbose, but useful.
    • NTLM Auditing Logs: Turn on NTLM auditing via GPO (Restrict NTLM: Audit...). Check the Microsoft-Windows-NTLM/Operational log (Event ID 8004 = outgoing NTLM attempt) to see who’s still using it and spot weird destinations.
  • Threat Intel Feeds: Use threat intel to get known bad IPs hosting SMB servers, phishing domains, and file hashes associated with CVE-2025-24054 campaigns.

Connect the Dots: Detection often means correlating clues. An outbound SMB alert is way more interesting if it follows a .library-ms file download on the same machine. Since the exploit uses legit tools (Explorer.exe, SMB), context is everything to separate bad from benign.
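Here is that correlation as a runnable hunt script. It is an added example written for this post, not code from the original article, a vendor or Microsoft. It does two things: parses every .library-ms file under Downloads and %TEMP% and flags any library location that is a UNC path to a host outside your own network, then pulls recent outgoing-NTLM audit events and matches their destinations against those hosts. Assumptions that are mine: the Library Description XML elements <simpleLocation>/<url>, the event IDs queried (8004 as the post cites; 8001 is, in my experience, the per-client "outgoing NTLM audit" event written when "Restrict NTLM: Outgoing NTLM traffic" is set to Audit), the regex over the event message text, and the hostnames, addresses and DNS suffix, which are constructed. The -Demo switch writes a constructed fixture pointing at a TEST-NET-3 address so the scan half can be exercised offline.

```powershell
# Added example (not from the original post): hunt for remote-target .library-ms files and
# correlate them with outgoing NTLM audit events from the last N hours.
param(
    [string[]] $ScanPaths = @("$env:USERPROFILE\Downloads", $env:TEMP),
    [string[]] $TrustedSuffixes = @('.corp.example'),   # constructed internal DNS suffix
    [int] $LookbackHours = 24,
    [switch] $Demo                                      # write a constructed fixture and scan only it
)

$libNs = 'http://schemas.microsoft.com/windows/2009/library'

function Get-LibraryTargets {
    # Every <url> under <simpleLocation> in a .library-ms (XML) file. Assumed schema.
    param([string] $Path)
    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('l', $libNs)
    foreach ($n in $doc.SelectNodes('//l:simpleLocation/l:url', $nsm)) { $n.InnerText.Trim() }
}

function Test-TrustedHost {
    # RFC 1918 IPv4 addresses and names under a trusted suffix count as ours; everything else is flagged.
    param([string] $HostName)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostName, [ref] $ip)) {
        if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
        $b = $ip.GetAddressBytes()
        return ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
    }
    foreach ($s in $TrustedSuffixes) {
        if ($HostName.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-RemoteLibraryFiles {
    # One record per untrusted UNC target found in any .library-ms under $Paths.
    param([string[]] $Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.library-ms' -File -Recurse -ErrorAction SilentlyContinue) {
            try { $targets = Get-LibraryTargets -Path $file.FullName }
            catch { Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"; continue }
            foreach ($t in $targets) {
                if ($t -notmatch '^\\\\([^\\]+)') { continue }    # only UNC paths can trigger SMB
                $h = $Matches[1]
                if (Test-TrustedHost $h) { continue }
                [pscustomobject]@{ File = $file.FullName; Created = $file.CreationTime; RemoteHost = $h; Target = $t }
            }
        }
    }
}

function Get-OutgoingNtlmEvents {
    # NTLM audit events with the destination pulled out of the message text (regex is an assumption).
    param([int] $Hours)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = @(8001, 8004); StartTime = (Get-Date).AddHours(-$Hours) }
    try { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Warning "No NTLM audit events (is NTLM auditing enabled?): $($_.Exception.Message)"; return }
    foreach ($ev in $events) {
        $dest = if ($ev.Message -match '(?:Target server|Secure Channel name|Workstation name):\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{ Time = $ev.TimeCreated; Id = $ev.Id; Destination = $dest; Trusted = Test-TrustedHost $dest }
    }
}

if ($Demo) {
    # Constructed fixture: one location in TEST-NET-3 (203.0.113.0/24), one on the constructed internal suffix.
    $demoDir = Join-Path $env:TEMP 'libraryms-demo'
    New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
    @"
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="$libNs">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation><url>\\203.0.113.10\docs</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>\\files.corp.example\shared</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"@ | Set-Content -LiteralPath (Join-Path $demoDir 'sample.library-ms') -Encoding UTF8
    $ScanPaths = @($demoDir)
}

$files = @(Find-RemoteLibraryFiles -Paths $ScanPaths)
$ntlm  = @(Get-OutgoingNtlmEvents -Hours $LookbackHours)

# Correlation: an outgoing NTLM attempt to the same host a library file points at is the strongest signal.
foreach ($f in $files) {
    $hits = @($ntlm | Where-Object { $_.Destination -eq $f.RemoteHost })
    $sev  = if ($hits.Count -gt 0) { 'HIGH: NTLM attempt to this host observed' } else { 'MEDIUM: remote library target, no NTLM event yet' }
    [pscustomobject]@{ Severity = $sev; File = $f.File; Created = $f.Created; RemoteHost = $f.RemoteHost; NtlmEvents = $hits.Count }
}
foreach ($e in ($ntlm | Where-Object { -not $_.Trusted })) {
    [pscustomobject]@{ Severity = 'LOW: outgoing NTLM to untrusted destination'; Time = $e.Time; Destination = $e.Destination; EventId = $e.Id }
}
```

Run with -Demo to see the MEDIUM finding for the fixture (the internal share is ignored); on a real host the HIGH tier only lights up once NTLM auditing is on, which is one more reason to enable that GPO before you need it. The TrustedSuffixes list is deliberately strict: a single-label NetBIOS name is not trusted, because it can be resolved by name-poisoning on the local segment rather than by your DNS.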

Urgency and Real-World Impact

It’s Happening NOW: Exploitation “In the Wild”

Let’s be crystal clear: CVE-2025-24054 is being actively exploited in the wild. This isn’t theoretical FUD. Multiple security firms and CISA confirm it. The speed and scale show attackers love this thing:  

  • Insanely Fast Weaponization: Exploits hit the streets around March 19, 2025, just 8 days after Patch Tuesday. Attackers were ready.  

  • Multiple Attack Waves: Check Point saw at least 10 different campaigns using this flaw within weeks, all grabbing NTLM hashes. It’s popular.  

  • Targeted Hits: One notable campaign around March 20-21 specifically went after government and private orgs in Poland and Romania. That smells like state-sponsored or espionage activity, not just random crime.  

  • Delivery Tactics: Mostly phishing emails with links (Dropbox) or attachments. Payloads often bundled multiple exploits (CVE-2025-24054 + CVE-2024-43451) to hit more targets. Later, they started sending the .library-ms file raw.  

  • Who’s Behind It? Direct attribution is tricky, but CERT-UA previously linked the similar CVE-2024-43451 (often bundled with this one) to UAC-0194, a group suspected of Russian ties. This hints at serious players being interested.  

Bottom line: Confirmed exploitation, rapid attacker adoption, targeted attacks, bundled exploits – this is a high-priority threat demanding immediate action.

The Nitty-Gritty: CVE Details & Scores

Here are the vitals for CVE-2025-24054:

  • The ID: CVE-2025-24054. (Careful: Microsoft first used CVE-2025-24071, then corrected it).

  • The Gist: “NTLM Hash Disclosure Spoofing Vulnerability” or “External control of file name or path… allows spoofing over a network”.  

  • The Score (CVSS):
    • Microsoft Says: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). Note the High Confidentiality (C:H) – Microsoft knows leaking these hashes is bad news, leading to password cracks or relay attacks.  

    • NVD Initially Said: 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). NVD initially lowballed the impact. For real-world risk, trust Microsoft’s C:H rating – it better reflects the potential damage.  

  • Microsoft Severity: “Important”. Not “Critical,” but active exploitation makes it feel pretty critical.  

  • CISA KEV Catalog: Added April 17, 2025. US Feds had until May 8, 2025 to fix it. KEV listing = Proof of active exploitation. Ignore it at your peril.  

  • Who Found It? Credit to Rintaro Koike (NTT Security Holdings), 0x6rss, and j00sean.  

A Medium score (especially Microsoft’s 6.5 C:H), “Important” rating, and confirmed KEV status all scream one thing: Fix this now.

Key Takeaways & Your To-Do List

Alright, let’s cut to the chase. CVE-2025-24054 is a live threat using minimal interaction to steal NTLM creds. Here’s your action plan:

  • Patch NOW. Seriously. This isn’t a drill. Attackers are using this today. Deploy the March 2025 Microsoft updates ASAP. CISA’s KEV listing means this jumps the priority queue.  

  • Minimal Click = Max Danger: Hammer this home: Exploitation needs barely a click, sometimes just opening a folder. Update user awareness – simple file interactions can be risky now.  

  • NTLM is Toxic Waste: This bug exploits NTLM’s weakness. Your best bet? Kill NTLM. Push hard to disable it, enforce Kerberos, require SMB signing, use EPA. Make NTLM restriction a top project.  

  • Build the Wall: Block Outbound SMB: This is your safety net. Block TCP/UDP 445 outbound at your firewall for workstations. It stops this specific exploit from phoning home, even if a machine isn’t patched yet.
  • Beware .library-ms Files: Treat .library-ms files from outside like radioactive material. Block the extension at email/web gateways if you can live without breaking anything important.  

  • Turn on the Floodlights: Monitor your network for weird outbound SMB traffic from workstations. Correlate with endpoint logs showing .library-ms file creation. Use your EDR/SIEM!  

  • Expect More Tricks: Attackers mix exploits (CVE-2024-43451 + CVE-2025-24054) and change tactics (zip vs. no zip). Defense-in-depth is key.  

  • Stay Plugged In: Keep watching Microsoft advisories, CISA alerts, and good threat intel for new IoCs, tactics, or related bugs.

Fighting threats like CVE-2025-24054 needs layers: Patch fast. Harden protocols (kill NTLM!). Control network traffic (block outbound SMB!). Monitor vigilantly. The speed this was weaponized shows we need to be just as agile defending our networks.

Told you it was deep.   

Understanding CVE-2025-24054

In March, we issued a bulletin on CVE-2025-24054, a spoofing vulnerability that has emerged as a significant threat to Windows systems worldwide. This vulnerability allows attackers to exploit Windows Explorer's handling of .library-ms files, leading to potential NTLM hash leaks. The urgency of addressing this vulnerability cannot be overstated. With minimal user interaction required, such as a simple click or browsing a folder, attackers can harvest sensitive credential information.

This makes immediate patching and system hardening essential to prevent unauthorized access and data breaches. Organizations, especially those in government and private sectors, are urged to act swiftly. Implementing security updates, blocking outbound SMB traffic, and disabling NTLM where possible are critical steps in mitigating this threat. Stay informed and proactive to safeguard your infrastructure.

Understanding the Exploit

Step 1

The exploit leverages a vulnerability in Windows Explorer’s handling of .library-ms files.

Step 2

A malicious .library-ms file is crafted to include a path to an attacker’s SMB server.

Step 3

When a user interacts with this file, the system connects to the remote server, leaking NTLMv2 hashes.

Vulnerable Windows Versions

Windows 10 (v1607 → v22H2)

Users of these versions are at risk if the March 2025 update isn’t applied.

Windows 11 (22H2 → 24H2)

Exploitation can occur with minimal user interaction on these systems.

Server 2008 R2 → Server 2025

Even ESU versions are susceptible without the latest patches.

NTLM Hash Risks

Unpatched systems can have their NTLMv2 hashes harvested and used maliciously.

Evolving Attack Tactics

Attackers are shifting from ZIP payloads to raw .library-ms files.

Increased Success Rates

Chaining with other vulnerabilities enhances the exploit’s effectiveness.

Step 1

Immediate Patching

Apply the March 11, 2025 security update to all affected systems.

Step 2

Block Outbound SMB

Prevent NTLM hash leaks by blocking TCP/UDP 445 traffic.

Step 3

Disable NTLM

Where feasible, disable or restrict NTLM via Group Policy.

Step 4

Monitor for Leaks

Use EDR, SIEM, and Event ID 8004 logs to detect NTLM leaks.

Urgent Security Update Required

Ensure your systems are protected by immediately applying the latest security patches. Monitor for any NTLM leaks to safeguard your network from potential threats.