Shane

Windows NTLM Vulnerability Under Active Exploitation

Critical Windows Authentication Flaw Under Active Exploitation – NTLM Vulnerability CVE-2025-24054


A Windows NTLM vulnerability, tracked as CVE-2025-24054 with a CVSS score of 6.5, was patched by Microsoft in March 2025 as part of its regular Patch Tuesday updates. This medium-severity flaw allows NTLM hash disclosure, enabling attackers to perform spoofing attacks over a network.

The vulnerability is in the Windows New Technology LAN Manager (NTLM), which is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. NTLM contains “an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” according to CISA.

Severity of the Issue

Microsoft assigned this vulnerability a CVSS score of 6.5, categorizing it as medium-severity. While Microsoft initially gave CVE-2025-24054 an exploitability assessment of “Exploitation Less Likely,” the flaw has been under active exploitation since March 19, which raises its actual risk level well above what the score alone suggests. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now added this flaw to its Known Exploited Vulnerabilities (KEV) catalog.

How It Is Exploited

According to Microsoft, the vulnerability can be triggered by minimal interaction with a specially crafted .library-ms file, such as “selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.”

Check Point explains that “this vulnerability is triggered when a user extracts a ZIP archive containing a malicious .library-ms file. This event will trigger Windows Explorer to initiate an SMB authentication request to a remote server and, as a result, it leaks the user’s NTLM hash without any user interaction.”

However, another phishing campaign observed as recently as March 25, 2025, has been found delivering a file named “Info.doc.library-ms” without any compression, indicating that attackers are evolving their tactics.


(Windows NTLM Vulnerability – Source: The Hacker News)

Who Is Behind the Issue

One of the campaign files has been linked to the Russian state-sponsored APT Fancy Bear, also known as APT28, Forest Blizzard, and Sofacy. Additionally, one of the files inside an attack archive is associated with CVE-2024-43451, a Windows NTLM hash disclosure bug previously exploited as a zero-day by Russian threat actors.

According to Check Point, “Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.”

Who Is at Risk

Any organization still using NTLM authentication is at risk. In recent years, threat actors have found various methods to abuse this technology, such as pass-the-hash and relay attacks, and to extract NTLM hashes for follow-on attacks. Once an NTLM hash has been leaked, an attacker could brute-force it offline to recover the user’s password or use it in relay attacks.

Remediation Actions

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for this vulnerability by May 8, 2025, but all organizations should prioritize patching this vulnerability immediately.

Organizations should:

  1. Apply Microsoft’s March 2025 security updates immediately
  2. Consider accelerating the migration from NTLM to Kerberos authentication
  3. Implement network monitoring to detect suspicious SMB authentication requests
  4. Train employees to be cautious when handling files from unknown sources, especially .library-ms files
  5. Consider implementing application control policies to restrict execution of high-risk file types
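As an added example (not code from the original post or from CinchOps), the Python script below shows what the network-monitoring item can look like in practice: it scans egress-firewall log lines for SMB connections (TCP 139/445) from internal hosts to addresses outside the organization’s own ranges, which is exactly the outbound authentication request a malicious .library-ms file causes Windows Explorer to make. The log format, the internal address ranges, and the sample log lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample egress-firewall log (key=value fields); not real traffic.
SAMPLE_LOG = """\
ts=2025-03-20T09:14:02Z src=10.20.5.44 dst=10.20.1.7 dport=445 proto=tcp action=allow
ts=2025-03-20T09:14:09Z src=10.20.5.44 dst=203.0.113.25 dport=445 proto=tcp action=allow
ts=2025-03-20T09:15:30Z src=10.20.5.51 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2025-03-20T09:16:11Z src=10.20.5.51 dst=198.51.100.9 dport=139 proto=tcp action=deny
ts=2025-03-20T09:16:12Z src=10.20.5.51 dst=198.51.100.9 dport=445 proto=tcp action=deny
"""

# Assumed: the organization's internal address space, where SMB traffic is expected.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> list[dict]:
    """Return SMB connection attempts whose destination is outside the internal ranges.
    Denied attempts are kept on purpose: the attempt itself shows that something on
    the client tried to authenticate to an outside server, even if the firewall blocked it."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if int(rec["dport"]) in SMB_PORTS and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize_by_source(hits: list[dict]) -> dict[str, set[str]]:
    """Group flagged destinations per internal client so one alert covers a host."""
    by_src = defaultdict(set)
    for rec in hits:
        by_src[rec["src"]].add(rec["dst"])
    return dict(by_src)


if __name__ == "__main__":
    for src, dsts in summarize_by_source(find_external_smb(SAMPLE_LOG)).items():
        print(f"{src}: outbound SMB to {sorted(dsts)}")
```

Point the script at your real firewall export and adjust INTERNAL_NETS to your address plan; any hit is worth a look, and hits clustered shortly after an archive or document download are the pattern described in this article.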

How CinchOps Can Help Secure Your Business

At CinchOps, we understand that small and medium-sized businesses often lack the resources to keep up with the constantly evolving threat environment. Our experienced team can help protect your organization from vulnerabilities like CVE-2025-24054 through our comprehensive managed IT services:

Proactive Patch Management: We implement automated patch management systems that ensure critical security updates are applied promptly across your entire network. Our team tests patches before deployment to ensure they don’t disrupt your business operations.

Employee Security Training: CinchOps provides comprehensive security awareness training to help your staff recognize phishing attempts and suspicious files. We specifically address high-risk scenarios like handling attachments and downloaded files.

Incident Response Planning: Should a breach occur, our team has established incident response protocols to quickly contain, remediate, and recover from security incidents, minimizing potential damage to your business.

Risk Assessment and Compliance: We help businesses understand their compliance obligations and implement security controls that align with industry best practices and regulatory requirements.

With CinchOps as your managed IT partner, you can focus on running your business while we handle the complex task of securing your systems against threats like CVE-2025-24054. Our local presence means we can provide rapid response when needed, whether you’re in Houston, Katy, or surrounding areas.

Contact CinchOps today for a comprehensive security assessment and learn how our small business IT support services can protect your organization from emerging cyber threats.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Why Patch Management Matters: Keeping Your Systems Secure and Efficient
For additional information on this topic, check out: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
