Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about an actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks that use maliciously crafted .library-ms files and prompt users to interact with the files through actions such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version, NTLMv1, had several security flaws that made it vulnerable to attacks such as pass-the-hash and rainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The campaign used phishing emails with a Dropbox link to an archive file that exploits the vulnerability to harvest NTLMv2-SSP hashes. Attackers can use the captured NTLMv2 response to attempt offline brute-force attacks or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, because the attacker uses them for privilege escalation and lateral movement on the network. Microsoft released a patch addressing the vulnerability on March 11, 2025, and users are advised to apply it.
NSFOCUS@nsfocusglobal.com
//
A new vulnerability, CVE-2025-24071, has been identified in Windows File Explorer, potentially exposing users to network spoofing attacks. The vulnerability is triggered by specially crafted .library-ms files embedded within compressed archives like RAR or ZIP. When these files are decompressed, they can trigger an SMB authentication request, leading to the disclosure of the user’s NTLM hash. The vulnerability has a CVSS score of 7.5, indicating a significant risk.
Microsoft has released a security announcement and a patch to address the issue across a range of Windows versions, including Windows 10, Windows 11 and Windows Server versions from 2012 R2 to 2022. Users are urged to install the patch as soon as possible to mitigate the risk of exploitation. The vulnerability stems from the implicit trust that Windows Explorer places in .library-ms files and its automatic parsing of them, which makes prompt updating crucial.
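A triage check for the delivery path described above, as an added example that is not from Microsoft, NSFOCUS or the original page: it lists every .library-ms entry in a ZIP archive and any remote host the entry references. It assumes the SMB request is driven by a UNC path (`\\host\share`) inside the file; the function names and the sample archive are constructed for illustration, and RAR archives are not handled.

```python
import io
import re
import zipfile

# UNC reference such as \\host\share; the host part is captured for triage.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\s<>\"']+")


def decode_member(raw: bytes) -> str:
    """Decode member bytes; XML files may be UTF-16 (with BOM) or UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_zip(data: bytes, max_member_bytes: int = 1_000_000):
    """Return [(member_name, sorted remote hosts)] for each .library-ms entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            # Bounded read so an oversized member cannot exhaust memory.
            with zf.open(info) as fh:
                text = decode_member(fh.read(max_member_bytes))
            hosts = sorted({m.group(1).lower() for m in UNC_RE.finditer(text)})
            # An entry with no remote host is still reported: a .library-ms
            # file inside an emailed archive is unusual on its own.
            findings.append((info.filename, hosts))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary text file and one .library-ms fragment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly report")
        # Constructed fragment, not a complete library file;
        # 192.0.2.10 is a documentation-only address.
        zf.writestr("docs/Report.library-ms", r"<url>\\192.0.2.10\share</url>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hosts in scan_zip(build_sample_zip()):
        print(f"{name}: remote hosts {hosts or 'none found'}")
```

Running the same check at a mail gateway or on a download folder before extraction lets the archive be quarantined without Explorer ever parsing the file.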