CyberSecurity news
FlagThis
Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes.
The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches.
ImgSrc: img.helpnetsecu
References :
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes.
The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches.
ImgSrc: img.helpnetsecu
Share:
References :
- Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
- The DefendOps Diaries: Understanding the CVE-2025-24054 Vulnerability: A Critical Threat to Windows Systems
- BleepingComputer: Windows NTLM hash leak flaw exploited in phishing attacks on governments
- bsky.app: Windows NTLM hash leak flaw exploited in phishing attacks on governments
- research.checkpoint.com: CVE-2025-24054, NTLM Exploit in the Wild
- Talkback Resources: Research team analysis of CVE-2025-24054
- Help Net Security: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
- www.helpnetsecurity.com: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
- bsky.app: BSky Post on CVE-2025-24054, NTLM Exploit in the Wild
- Cyber Security News: CyberSecurityNews - Hackers Exploiting Windows NTLM Spoofing Vulnerability in Wild to Compromise Systems
- The Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
- MSSP feed for Latest: Windows NTLM Hash Flaw Targeted in Global Phishing Attacks
- gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.
- infosecwriteups.com: Your NTLM Hashes at Risk: Inside CVE‑2025‑24054
- BetaNews: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
- www.scworld.com: Cybersecurity News reports on alarms sounding over attacks via Microsoft NTLM vulnerability, impacting Poland and Romania.
- securityaffairs.com: U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
- gbhackers.com: CISA Warns of Active Exploitation of Windows NTLM Vulnerability
- Techzine Global: Windows vulnerability with NTLM hash abuse exploited for phishing
- betanews.com: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
- ciso2ciso.com: Fresh Windows NTLM Vulnerability Exploited in Attacks – Source: www.securityweek.com
- malware.news: Phishing campaigns abuse Windows NTLM hash leak bug
Classification:
- HashTags: #NTLMHash #CVE-2025-24054 #PhishingAttacks
- Company: Microsoft
- Target: Government and Private Entities
- Attacker: Microsoft
- Product: Windows
- Feature: NTLM Hash Disclosure
- Malware: NTLM
- Type: Vulnerability
- Severity: Major