Introduction
In the evolving world of cybersecurity, legacy protocols continue to haunt modern systems despite being deprecated or replaced. One such protocol—NTLM (New Technology LAN Manager)—remains a persistent security liability. On March 19, 2025, a serious vulnerability (CVE-2025-24054) affecting NTLM authentication came under active exploitation, placing both private and government institutions at risk of credential theft, lateral movement, and privilege escalation.
This blog post explores the vulnerability CVE-2025-24054 in depth, including its technical details, how it is being exploited in real-world attacks, the potential impact on organizations, and essential mitigation measures. If you’re in cybersecurity, IT, or systems administration, this is a must-read to keep your systems secure and resilient.
What is CVE-2025-24054?
CVE-2025-24054 is a Windows NTLM hash disclosure (spoofing) vulnerability rated CVSS 6.5 (medium severity). Microsoft classifies it as external control of a file name or path: the flaw is in how Windows Explorer handles .library-ms files, the XML Library Description files that define a Windows virtual library and the folders it searches. A crafted file makes the victim's machine open an SMB connection to an attacker-chosen host and authenticate with NTLM, leaking a Net-NTLMv2 response with minimal interaction, in some cases a single click.
⚠️ Key Risk
Attackers capture NTLM credentials remotely by getting users to download or handle malicious .library-ms files. What leaks is the Net-NTLMv2 challenge-response, not the NT hash itself, so it cannot be used directly for pass-the-hash; it can be relayed in real time to another service that accepts NTLM (NTLM relay) or cracked offline to recover the user's password. Either path yields unauthorized access to internal systems and a foothold for lateral movement.
Technical Breakdown: How the Exploit Works
🧠 Vulnerability Type
External Control of File Name or Path (CWE-73) within the .library-ms handler.
🪟 Affected Systems
All supported Windows client and server versions that have not received the March 2025 Patch Tuesday updates. The underlying behavior is that Windows Explorer resolves UNC (Universal Naming Convention) paths embedded in a library file as soon as it renders the file, and that resolution is what an attacker weaponizes.
📁 Trigger Mechanism
- The attacker crafts a .library-ms file whose library location is a UNC path (\\host\share) pointing at an SMB server they control.
- The victim downloads the file or extracts it from an archive. It does not need to be opened.
- Windows Explorer parses the file to render its icon or preview, or when the user right-clicks, drags, or single-clicks it.
- Windows connects to the embedded UNC path over SMB and answers the server's NTLM challenge with the logged-on user's credentials.
- The attacker's server records the Net-NTLMv2 response (user name, domain, server challenge, and response) silently; nothing visible happens on the victim's side.
🔁 No Execution Required
The exploit does not require the file to be executed; an interaction such as a right-click, a drag-and-drop, or a hover preview in File Explorer is sufficient.
Why NTLM is Still a Problem
Although Microsoft has deprecated NTLM in favor of Kerberos, NTLM remains widely enabled across enterprise environments for legacy compatibility. It is notoriously weak against:
- NTLM relay attacks, in which a captured authentication is forwarded live to another service (SMB, LDAP, HTTP) that accepts NTLM and does not enforce signing or channel binding
- Pass-the-hash attacks, in which an NT hash obtained elsewhere (for example from LSASS or the SAM database) is used directly, without the password
- Credential forwarding, where a coerced or phished authentication is relayed on the victim's behalf
- Offline cracking of captured Net-NTLMv2 responses by dictionary or brute-force attack (rainbow tables do not apply here, since each response is tied to a per-session server challenge)
Many organizations continue to use NTLM unintentionally, especially in mixed environments or when dealing with older software and services.
Timeline of Exploitation
- March 11, 2025 – Microsoft patches CVE-2025-24054 in the March Patch Tuesday release and rates it "Exploitation Less Likely".
- March 19–21, 2025 – Exploitation begins in the wild, about a week after the patch.
- March 25, 2025 – Check Point observes further phishing campaigns delivering stand-alone Info.doc.library-ms files.
- April 17, 2025 – CISA adds CVE-2025-24054 to its Known Exploited Vulnerabilities (KEV) catalog.
- May 8, 2025 – Deadline for U.S. FCEB agencies to apply the patch.
Real-World Attacks: What’s Happening Now
📌 Targeted Campaigns in Europe
Check Point discovered coordinated phishing campaigns targeting government and private-sector organizations in Poland and Romania. Attackers emailed Dropbox links to ZIP archives containing the malicious .library-ms files, bundled with .url, .website, and .link shortcut files that provoke the same kind of NTLM authentication.
💥 Multiple Known Vulnerabilities Exploited
Reporting on these campaigns also referenced other actively exploited flaws from the same period:
- CVE-2024-43451: an earlier Windows NTLM hash disclosure spoofing vulnerability with the same outcome, triggered through .url shortcut files.
- CVE-2025-24201: an Apple WebKit out-of-bounds write used to escape the Web Content sandbox.
- CVE-2025-24085: an Apple Core Media use-after-free allowing privilege escalation.
The last two affect Apple platforms, not Windows, and play no part in the .library-ms hash leak itself.
🎯 Tactics Used
- Social engineering to lure users into downloading archive files.
- Evading mail and web filtering by hosting the archives on a legitimate cloud platform (Dropbox).
- Harvesting Net-NTLMv2 responses for relay or offline cracking, followed by internal lateral movement.
Impact of the Vulnerability
Even though Microsoft rated the vulnerability "Exploitation Less Likely", attackers proved otherwise: about a week after the patch was released, real-world exploitation was under way.
🔓 Consequences of Exploitation
- Net-NTLMv2 capture → NTLM relay to services that do not require signing, or offline password cracking.
- User impersonation → access to file shares, mail, and internal applications, and privilege escalation where the victim holds elevated rights.
- Compromised internal services.
- Potential domain-wide access in extreme cases, for example when a domain administrator's authentication is captured or relayed to a domain controller.
👨‍💼 Who Is at Risk?
- Organizations still relying on NTLM-based authentication for legacy services.
- Enterprises that allow outbound SMB (TCP 445) from workstations to the internet.
- Users who frequently handle email attachments, shared files, and archives from outside the organization.
- Administrators who browse untrusted downloads in File Explorer while logged on with a privileged account.
Mitigation and Defensive Measures
✅ 1. Apply the Patch
Microsoft fixed CVE-2025-24054 in the March 2025 Patch Tuesday updates (March 11, 2025). All organizations should ensure their Windows devices are updated immediately.
- Update package IDs vary by Windows version; refer to the Microsoft Security Response Center (MSRC) advisory for CVE-2025-24054.
🚫 2. Block .library-ms Files
Block or quarantine .library-ms files at the email gateway and web proxy, and use Group Policy or endpoint controls to keep them off user machines. The following registry change circulates as a host-side mitigation; it is not one of Microsoft's documented Explorer policy values, so confirm in a lab that it actually changes how Explorer handles library files before relying on it:

```powershell
# Circulating mitigation, not a documented Explorer policy: verify its effect in a lab first.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoLibraryFiles" -Value 1 -Type DWord
```
🔐 3. Disable NTLM Authentication
Where feasible, retire NTLM and enforce Kerberos. Two separate settings matter here. LmCompatibilityLevel 5 ("Send NTLMv2 response only. Refuse LM & NTLM") removes the weaker LM and NTLMv1 responses, but a workstation will still answer an attacker's server with NTLMv2, so it does not stop this leak by itself:

```powershell
# Refuse LM and NTLMv1; clients send NTLMv2 only. Does not block NTLMv2 to rogue servers.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 -Type DWord
```

What actually blocks the outbound leak is the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (registry value RestrictSendingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0: 1 = audit all, 2 = deny all). Start in audit mode, review the resulting events in the Microsoft-Windows-NTLM/Operational log, add exceptions for the servers that legitimately need NTLM, and only then move to deny. Where NTLM must remain, require SMB signing and LDAP channel binding so that captured authentications cannot be relayed.
Note: test every one of these changes in a lab before full deployment; a deny-all setting will break applications that silently depend on NTLM.
🔍 4. Monitor SMB Traffic
Block outbound TCP 445 and 139 from workstations to the internet at the perimeter and on host firewalls; a workstation has no legitimate reason to speak SMB to arbitrary external hosts. Be aware that when SMB is blocked, Windows can fall back to WebDAV through the WebClient service, which will also authenticate with NTLM, so restrict or disable WebClient where it is not needed. Use IDS/IPS to alert on any SMB or NTLMSSP traffic that still reaches an external or untrusted address.
📧 5. Email Filtering
Use secure email gateways to block known file types:
- .library-ms
- .lnk
- .scf
- .url
Detection and Threat Hunting
If you suspect this vulnerability was exploited in your environment, look for the following. Keep in mind that the leak itself happens on the attacker's server, so the victim's own logon events will not record it; the evidence is the outbound connection, and later the stolen identity being used from somewhere it should not be.
🔎 Indicators of Compromise (IOCs)
- Outbound SMB (TCP 445/139) connections from workstations to unusual or external IP addresses or hostnames; in Sysmon these appear as Event ID 3 from the System process.
- Such connections occurring seconds after a file download or archive extraction.
- Unexpected .library-ms files in Downloads folders or inside extracted archives.
- NTLM logons (Event ID 4624, Logon Type 3, authentication package NTLM) for a user from hosts they do not normally use, and NTLM credential validations (Event ID 4776) on domain controllers from unexpected workstations.
- If NTLM auditing is enabled, outgoing NTLM authentication events (Event ID 8001) in the Microsoft-Windows-NTLM/Operational log naming an external target.
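Here is an added example (not from the original post) of the correlation the indicators above describe, written in Python over constructed Sysmon-style events exported as JSON lines: a file write (Event ID 11) of a lure-type file followed within two minutes by an outbound SMB connection (Event ID 3, destination port 445 or 139) to a non-internal address from the same host. The field names, hostnames, paths, timestamps, and addresses are constructed for the example, and the internal ranges are RFC 1918 plus loopback and link-local; a real deployment would add the organization's own public address space. An external-bound SMB connection with no preceding lure write is still reported, at lower severity, because the page's guidance is that workstations should not be speaking SMB to the internet at all.

```python
"""Correlate lure-file writes with outbound SMB connections.

Added example for this post, not the article's own tooling. Input is a
constructed JSON-lines export of Sysmon-style events: Event ID 11
(FileCreate) and Event ID 3 (NetworkConnect). Outbound SMB from Windows is
made by the kernel, so Sysmon attributes it to the System process.
"""
import ipaddress
import json
from datetime import datetime, timedelta

LURE_EXTENSIONS = (".library-ms", ".url", ".scf", ".lnk")
SMB_PORTS = {445, 139}
WINDOW = timedelta(seconds=120)
# Ranges treated as internal. Add your own public address space here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed events. 203.0.113.7 and 198.51.100.9 are documentation
# addresses standing in for attacker-controlled servers.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-20T09:14:02Z", "event_id": 11, "host": "WS01", "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Downloads\\xd.zip"}
{"ts": "2025-03-20T09:14:05Z", "event_id": 11, "host": "WS01", "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Downloads\\xd\\Info.doc.library-ms"}
{"ts": "2025-03-20T09:14:06Z", "event_id": 3, "host": "WS01", "image": "System", "dst_ip": "203.0.113.7", "dst_port": 445}
{"ts": "2025-03-20T09:20:00Z", "event_id": 3, "host": "WS01", "image": "System", "dst_ip": "10.1.2.3", "dst_port": 445}
{"ts": "2025-03-20T11:00:00Z", "event_id": 3, "host": "WS02", "image": "System", "dst_ip": "198.51.100.9", "dst_port": 445}
"""


def is_external(ip_text: str) -> bool:
    """True when the address falls outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def correlate(jsonl: str) -> list[dict]:
    """Return alerts for outbound SMB to external hosts, rated high when a
    lure-type file was written on the same host within WINDOW beforehand."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    lure_writes: list[tuple[datetime, str, str]] = []  # (time, host, path)
    alerts = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["event_id"] == 11 and e["target"].lower().endswith(LURE_EXTENSIONS):
            lure_writes.append((ts, e["host"], e["target"]))
        elif e["event_id"] == 3 and e.get("dst_port") in SMB_PORTS and is_external(e["dst_ip"]):
            # Most recent lure write on the same host inside the window, if any.
            lure = next((w for w in reversed(lure_writes)
                         if w[1] == e["host"] and timedelta(0) <= ts - w[0] <= WINDOW), None)
            alerts.append({
                "ts": e["ts"], "host": e["host"],
                "dst_ip": e["dst_ip"], "dst_port": e["dst_port"],
                "severity": "high" if lure else "medium",
                "lure_file": lure[2] if lure else None,
                "reason": ("outbound SMB to external host shortly after lure file write"
                           if lure else "outbound SMB to external host"),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields two alerts: a high-severity one for WS01, where Info.doc.library-ms lands on disk one second before the connection to 203.0.113.7, and a medium-severity one for WS02, which reached an external host on port 445 with no lure in view. The same logic maps directly onto a SIEM query joining Sysmon 11 and 3 on host within a short window.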
🛠️ Tools to Use
- Sysmon: Event ID 11 for file creates (the lure landing on disk) and Event ID 3 for the outbound network connection.
- Wireshark: filter on ntlmssp to see the server's challenge and the authenticate message carrying the NTLMv2 response.
- Splunk / ELK: to correlate the file write, the network connection, and later authentication events across hosts.
How to Educate Your Users
User education is crucial, as social engineering plays a central role in these attacks. Consider the following training points:
- Avoid clicking on unknown email attachments or download links.
- Don't interact with .library-ms files; even right-clicking or previewing one can trigger the leak.
- Report unexpected file types or strange-looking archives to IT.
Create visual phishing awareness campaigns and encourage a zero-trust culture when it comes to file downloads.
Conclusion: Legacy Tech, Modern Threats
CVE-2025-24054 is a vivid reminder that legacy protocols like NTLM continue to be fertile ground for attackers. Despite being deprecated, NTLM’s presence in modern environments leaves the door open to devastating credential theft and subsequent attacks.
Organizations must move swiftly to:
- Apply security patches
- Disable unnecessary legacy protocols
- Educate their users
- Monitor for suspicious behavior
Attackers are becoming more creative, and vulnerabilities once thought low-risk are now being actively exploited in sophisticated campaigns. Staying ahead means adopting a proactive cybersecurity posture, not just a reactive one.