The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Home windows to its Identified Exploited Vulnerabilities (KEV) catalog, following stories of energetic exploitation within the wild.
The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS rating: 6.5), is a Home windows New Know-how LAN Supervisor (NTLM) hash disclosure spoofing bug that was patched by Microsoft final month as a part of its Patch Tuesday updates.
NTLM is a legacy authentication protocol that Microsoft formally deprecated final 12 months in favor of Kerberos. In recent times, menace actors have discovered numerous strategies to take advantage of the know-how, resembling pass-the-hash and relay assaults, to extract NTLM hashes for follow-on assaults.
“Microsoft Home windows NTLM incorporates an exterior management of file identify or path vulnerability that permits an unauthorized attacker to carry out spoofing over a community,” CISA mentioned.
In a bulletin printed in March, Microsoft mentioned the vulnerability could possibly be triggered by minimal interplay with a specifically crafted .library-ms file, resembling “deciding on (single-click), inspecting (right-click), or performing an motion apart from opening or executing the file.”
The tech big additionally credited Rintaro Koike with NTT Safety Holdings, 0x6rss, and j00sean for locating and reporting the flaw.
Whereas Microsoft has given CVE-2025-24054 an exploitability evaluation of “Exploitation Much less Probably,” the security flaw has since come beneath energetic exploitation since March 19, per Test Level, thereby permitting dangerous actors to leak NTLM hashes or consumer passwords and infiltrate programs.
“Round March 20–21, 2025, a marketing campaign focused authorities and personal establishments in Poland and Romania,” the cybersecurity firm mentioned. “Attackers used malspam to distribute a Dropbox hyperlink containing an archive that exploited a number of recognized vulnerabilities, together with CVE-2025-24054, to reap NTLMv2-SSP hashes.”
The flaw is assessed to be a variant of CVE-2024-43451 (CVSS rating: 6.5), which was patched by Microsoft in November 2024 and has additionally been weaponized within the wild in assaults focusing on Ukraine and Colombia by menace actors like UAC-0194 and Blind Eagle.
In line with Test Level, the file is distributed via ZIP archives, inflicting Home windows Explorer to provoke an SMB authentication request to a distant server and leak the consumer’s NTLM hash with none consumer interplay merely upon downloading and extracting the archive’s contents.
That mentioned, one other phishing marketing campaign noticed as not too long ago as March 25, 2025, has been discovered delivering a file named “Information.doc.library-ms” with none compression. Because the first wave of assaults, at least 10 campaigns have been noticed with the tip purpose of retrieving NTLM hashes from the focused victims.
“These assaults leveraged malicious .library-ms recordsdata to gather NTLMv2 hashes and escalate the chance of lateral motion and privilege escalation inside compromised networks,” Test Level mentioned.
“This speedy exploitation highlights the important want for organizations to use patches instantly and make sure that NTLM vulnerabilities are addressed of their environments. The minimal consumer interplay required for the exploit to set off and the benefit with which attackers can achieve entry to NTLM hashes make it a major menace, particularly when such hashes can be utilized in pass-the-hash assaults.”
Federal Civilian Govt Department (FCEB) businesses are required to use the mandatory fixes for the shortcoming by Could 8, 2025, to safe their networks in gentle of energetic exploitation.
