The Windows NTLM hash disclosure vulnerability, known as CVE-2025-24054, which Microsoft recently patched, has been exploited by threat actors targeting government and private entities in Poland and Romania. Since March 19, 2025, active exploitation of this vulnerability has been observed, allowing attackers to access NTLM hashes or user passwords and compromise systems, according to researchers at Check Point.
CVE-2025-24054 enables attackers to capture the NTLMv2 response that a victim's machine sends to an attacker-operated SMB server during an authentication request. Attackers can then use the captured hash for offline brute-force attacks or for relay attacks, in which the hash is passed to another service to authenticate as the user. This type of attack is particularly dangerous when the stolen credentials belong to a privileged user, as it can lead to privilege escalation and lateral movement within the network.
CVE-2025-24054, which Microsoft initially rated as less likely to be exploited, was privately disclosed to the company by three researchers. Microsoft first tracked it as CVE-2025-24071 before later assigning a new identifier, CVE-2025-24054. Both vulnerabilities were patched on March 11, 2025, and both allow an unauthorized attacker to perform spoofing over a network. However, CVE-2025-24071 requires the target to open a folder containing a specially crafted file, whereas CVE-2025-24054 requires only some interaction with the malicious file, not necessarily opening or executing it.
The first attacks exploiting CVE-2025-24054 were detected on March 19; from March 20 to March 21 they targeted government and private institutions in Poland and Romania. The attacks used phishing emails with links that led victims to download an archive containing files designed to leak NTLMv2-SSP hashes. Some of these files triggered CVE-2025-24054, while another exploited CVE-2024-43451, a vulnerability previously used in 2024 against Ukrainian entities.
By March 25, Check Point researchers had identified approximately 10 additional campaigns aimed at retrieving NTLMv2-SSP hashes from victims, including one targeting companies worldwide. Phishing emails were used to trick targets into downloading an attachment containing the exploit file, leading to the leakage of NTLMv2-SSP hashes.
Although vulnerabilities like CVE-2025-24054 may not be as high-risk as those leading to remote code execution, attackers are quick to exploit NTLM vulnerabilities, emphasizing the importance of prioritizing patches. Microsoft has released patches for CVE-2025-24054 for all supported Windows versions; however, older, unsupported versions can still be protected through micropatching.
Overall, the exploitation of CVE-2025-24054 highlights the ongoing threat posed by NTLM vulnerabilities and the necessity of promptly applying patches to mitigate such risks. Cybersecurity measures such as transitioning from NTLM to Kerberos authentication are also crucial to enhance overall network security and protect against potential attacks exploiting these vulnerabilities.
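The mechanism described above (a victim's machine sending its NTLMv2 response to an SMB server the attacker controls) leaves a client-side trace that defenders can hunt for: outgoing NTLM authentication to a host that is not part of the organisation's network. The following is an added example, not code from the original report or from Check Point, that runs such a check over constructed log lines. It assumes a forwarder has already flattened client-side NTLM audit events (Windows writes these to the Microsoft-Windows-NTLM/Operational log once outgoing NTLM is set to audit or deny) into a simple key=value form; the field names, the sample records, the internal address ranges and the `.corp.example` suffix are all assumptions made for the example, and real event text has a different layout.

```python
"""Flag outgoing NTLM authentication attempts whose target lies outside the
internal network, and list the accounts whose hashes should be treated as
captured.  Added example; the log format and values below are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample records (not real telemetry).  One line per outgoing
# NTLM authentication attempt observed on a workstation.
SAMPLE_LOG = """\
ts=2025-03-20T09:14:02Z host=WS-017 user=jkowalski target=fileserver01.corp.example target_ip=10.20.5.14 proc=explorer.exe
ts=2025-03-20T09:15:37Z host=WS-017 user=jkowalski target=203.0.113.77 target_ip=203.0.113.77 proc=explorer.exe
ts=2025-03-20T09:16:01Z host=WS-042 user=apopescu target=printsrv.corp.example target_ip=10.20.7.3 proc=spoolsv.exe
ts=2025-03-20T09:20:44Z host=WS-042 user=apopescu target=updates.example.net target_ip=198.51.100.9 proc=explorer.exe
ts=2025-03-20T09:21:10Z host=WS-099 user=svc_backup target=nas02.corp.example target_ip=192.168.40.2 proc=backup.exe
"""

# Address space and DNS suffix the organisation owns (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    target: str
    target_ip: str
    proc: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))


def classify(rec: dict) -> Optional[str]:
    """Return why an attempt is suspicious, or None when it looks internal.

    An NTLMv2 response sent to an address outside INTERNAL_NETS means the
    hash has left the network and can be cracked offline or relayed."""
    try:
        addr = ipaddress.ip_address(rec["target_ip"])
    except (KeyError, ValueError):
        return "unparseable target address"
    if not any(addr in net for net in INTERNAL_NETS):
        return "external address"
    # A bare IP literal or a foreign DNS name also fails this check, which
    # catches lure UNC paths pointing at hosts the organisation does not own.
    if not rec.get("target", "").endswith(INTERNAL_SUFFIX):
        return "non-corporate host name"
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every record and keep the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason is not None:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["target"],
                                    rec["target_ip"], rec["proc"], reason))
    return findings


def exposed_accounts(findings: List[Finding]) -> Set[str]:
    """Accounts whose NTLMv2 response reached a non-internal host; treat the
    credential as captured and rotate it."""
    return {f.user for f in findings}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} -> {f.target} ({f.target_ip}) via {f.proc}: {f.reason}")
    print("accounts to rotate:", sorted(exposed_accounts(hits)))
```

On the constructed sample the two `explorer.exe` attempts to `203.0.113.77` and `updates.example.net` are flagged and the two accounts involved are listed for credential rotation, which is the response that matters once a hash is assumed to be in an attacker's hands. The same outgoing-NTLM audit data is what a move from audit to deny (or a perimeter block on outbound SMB) would act on, complementing the patching and the NTLM-to-Kerberos transition the article recommends.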