
CISA Includes NTLM Vulnerability on List of Exploited Flaws

The Cybersecurity and Infrastructure Security Agency (CISA) recently included a medium-severity Windows vulnerability, known as CVE-2025-24054, in its Known Exploited Vulnerabilities catalog. This vulnerability, classified as an NTLM hash disclosure spoofing bug, was addressed by Microsoft in its most recent Patch Tuesday updates. Although NTLM is an outdated authentication protocol that has been replaced by Kerberos, threat actors continue to exploit it for pass-the-hash and relay attacks. This particular vulnerability enables unauthorized attackers to execute spoofing activities on a network, resulting in the leakage of NTLM hashes and user passwords.

Although the flaw carries a CVSS score of 6.5 and Microsoft categorized it as “Exploitation Less Likely,” it still saw immediate exploitation following its identification. Various campaigns targeted organizations in Poland and Romania, with cybersecurity firm Check Point tracing the attacks back to malicious emails containing links to Dropbox archives. Through the use of CVE-2025-24054, these archives were able to extract NTLMv2-SSP hashes, enabling attackers to breach systems without the need for user interaction.

Moreover, researchers uncovered a new campaign distributing a file named “Info.doc.library-ms,” a tactic that circumvents the necessity for user interaction, facilitating the leakage of NTLM hashes. More than 10 campaigns exploiting this vulnerability have been identified, with threat actors emphasizing lateral movement and privilege escalation within compromised networks. These incidents shed light on how easily malicious actors can leverage this flaw to obtain critical network credentials.

In response to these threats, CISA has strongly advised organizations, particularly federal agencies, to promptly apply the necessary patches to mitigate the risks associated with this vulnerability. Federal Civilian Executive Branch agencies have been directed to secure their networks by May 8, 2025, in order to thwart any further exploitation attempts. The low level of user engagement required for this exploit underscores the severity of the threat, emphasizing the critical need to address NTLM vulnerabilities within affected environments.

In conclusion, the ongoing exploitation of CVE-2025-24054 highlights the importance of proactive cybersecurity measures to safeguard against potential breaches. Organizations must remain vigilant and ensure that all necessary patches are promptly applied to prevent unauthorized access to sensitive information. By addressing these vulnerabilities promptly, businesses and government entities can significantly reduce the risk of falling victim to malicious cyber incidents.
