A vulnerability that allows attackers to leak NTLM authentication hashes with minimal user interaction has been actively exploited shortly after Microsoft released a patch. The flaw, known as CVE-2025-24054, impacts Windows systems and can be triggered using a specially crafted .library-ms file. Once a user interacts with the file – even by just navigating to its folder – Windows initiates an SMB authentication request, ultimately leaking the NTLMv2-SSP hash to a server controlled by the attacker.
Despite Microsoft issuing a fix for the issue on March 11, threat actors wasted no time in exploiting it in the wild by March 19. Within a few days, researchers discovered a coordinated campaign targeting institutions in Poland and Romania. The attackers employed malicious .library-ms files delivered through Dropbox links embedded in phishing emails. Once these files were downloaded and extracted, the NTLM hash leakage occurred without any user action required.
Check Point Research noted that Microsoft’s patch documentation indicated the vulnerability could be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit seems to be a variant of a previously patched vulnerability, CVE-2024-43451, as they share several similarities.
The initial campaign exploiting this vulnerability occurred around March 20-21, using an archive named xd.zip. This archive contained four malicious files aimed at harvesting NTLMv2 hashes: xd.library-ms, xd.url, xd.website, and xd.lnk. The SMB servers receiving the stolen credentials were located in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey. One server linked to the campaign had previously been associated with APT28 (Fancy Bear) by cybersecurity firm HarfangLab, although direct attribution for this specific campaign has not been confirmed.
Subsequent investigations by Check Point Research uncovered approximately 10 additional campaigns, with one particularly concerning wave identified by March 25. This campaign stood out by distributing unarchived .library-ms files, triggering NTLM hash leaks through minimal user interaction – sometimes just by navigating to the containing folder. This heightened threat is especially problematic for systems lacking SMB signing or NTLM relay protections.
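A .library-ms file is an XML library description in which each `<simpleLocation>/<url>` element names a folder; a UNC path there is what makes Explorer reach out to a remote SMB host. The triage helper below is an added example, not code from the article or from Check Point Research: it parses that XML and flags any UNC host that is not on an allow list. The trusted host name, the 203.0.113.10 address and both sample documents are constructed placeholders.

```python
"""Flag .library-ms files whose locations point at untrusted UNC hosts (defender triage)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
# Hypothetical allow list of internal file servers that may legitimately back a library.
TRUSTED_HOSTS = {"fileserver.corp.example"}
# Matches "\\host\share..." or "\\host" and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def remote_hosts(library_xml: str) -> list[str]:
    """Return every UNC host named in a <simpleLocation>/<url> element, lower-cased."""
    root = ET.fromstring(library_xml)
    hosts = []
    for url in root.iterfind(".//lib:simpleLocation/lib:url", NS):
        match = UNC_RE.match((url.text or "").strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def untrusted_hosts(library_xml: str) -> list[str]:
    """Hosts outside the allow list; public IP literals are reported first as highest risk."""
    flagged = [h for h in remote_hosts(library_xml) if h not in TRUSTED_HOSTS]

    def is_public_ip(host: str) -> bool:
        try:
            return ipaddress.ip_address(host).is_global
        except ValueError:
            return False  # a host name, still flagged but ranked after public IPs

    return sorted(flagged, key=lambda h: not is_public_ip(h))


def is_suspicious(library_xml: str) -> bool:
    """True when the library would make Windows authenticate to a non-allow-listed host."""
    return bool(untrusted_hosts(library_xml))


# Constructed samples: a local/internal library and one pointing at a public IP.
BENIGN_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>\\fileserver.corp.example\docs</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""
SUSPICIOUS_LIBRARY = BENIGN_LIBRARY.replace(r"\\fileserver.corp.example\docs", r"\\203.0.113.10\share")
```

Run it over every `.library-ms` extracted from a mail attachment or archive before the file is opened in Explorer; a hit is a reason to quarantine the file and to check outbound 445 traffic to the flagged host.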
Recognizing the severity of the flaw, Microsoft promptly released a security patch on March 11, initially known as CVE-2025-24071 before being corrected to CVE-2025-24054. The widespread exploitation of this vulnerability highlights the importance of promptly applying security updates to mitigate risks posed by emerging threats. Organizations are urged to stay vigilant and implement necessary precautions to safeguard their systems and data from malicious actors exploiting vulnerabilities for nefarious purposes.