
Newly Discovered Windows NTLM Vulnerability Being Exploited in Cyberattacks


A medium-severity vulnerability in Windows NTLM, tracked as CVE-2025-24054, has been exploited by threat actors just a week after patches were released in March. The flaw, with a CVSS score of 6.5, was resolved on Patch Tuesday last month, but attackers have already begun using it to target government and private institutions in Poland and Romania, as reported by cybersecurity firm Check Point.

The vulnerability allows for NTLM hash disclosure, which could be leveraged by attackers to carry out spoofing attacks over a network. According to Microsoft’s advisory, the bug can be triggered with minimal user interaction, such as selecting or right-clicking on a malicious file. By exploiting this flaw, threat actors have the potential to extract the user’s password through brute-force attacks or perform relay attacks.

Check Point explains that the vulnerability is triggered when a user extracts a ZIP archive containing a malicious .library-ms file. This action prompts Windows Explorer to initiate an SMB authentication request to a remote server, leaking the user’s NTLM hash without any further user interaction. Once the NTLM hash is exposed, attackers can escalate their access within the network, moving laterally, escalating privileges, and potentially compromising the domain.
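Because the trigger described above is a library description file inside an archive, a mail gateway or file scanner can flag the pattern before a user ever extracts it. The following scanner is an added example, not code from the article, Check Point or Microsoft: it opens a ZIP in memory, locates .library-ms members, parses them as the XML library description format Windows uses, and reports any location URL that points off-host (a UNC path or a scheme-prefixed URL). The sample archive, the member name "Invoice.library-ms" and the host "host.example" are constructed placeholders, not indicators from the campaign.

```python
"""Flag .library-ms files inside a ZIP archive that reference remote locations.

Added example (not from the article or Check Point). The sample archive below is
constructed in memory with placeholder names so the script runs offline.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# A location is "remote" if it is a UNC path (\\host\share or bare \\host)
# or any scheme-prefixed URL (smb://, file://, http://, ...).
REMOTE_LOCATION = re.compile(r"^(\\\\[^\\]+(\\|$)|[a-zA-Z][a-zA-Z0-9+.-]*://)")

# Bound how much of any single member we are willing to decompress.
MAX_MEMBER_BYTES = 1_000_000


def remote_locations_in_library(xml_bytes):
    """Return every <url> value in a library description that points off-host.

    Unparseable input yields an empty list rather than an exception, so a
    deliberately malformed file cannot crash the scanner.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    found = []
    for elem in root.iter():
        # Library files use a default namespace; compare on the local name only.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "url" and elem.text:
            value = elem.text.strip()
            if REMOTE_LOCATION.match(value):
                found.append(value)
    return found


def scan_zip(zip_bytes):
    """Return (member_name, remote_url) pairs for library files in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as member:
                data = member.read(MAX_MEMBER_BYTES)
            for url in remote_locations_in_library(data):
                findings.append((info.filename, url))
    return findings


# Constructed sample: a minimal library description whose single location is a
# UNC path on a placeholder host. "host.example" is not a real indicator.
SAMPLE_LIBRARY = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\host.example\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_zip():
    """Build an in-memory ZIP holding one benign text file and the sample library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed benign member\n")
        zf.writestr("Invoice.library-ms", SAMPLE_LIBRARY)  # constructed member name
    return buf.getvalue()


if __name__ == "__main__":
    for member, url in scan_zip(build_sample_zip()):
        print(f"REMOTE LOCATION in {member}: {url}")
```

The check is deliberately broad: any off-host location in a library file arriving by mail or download is worth quarantining for review, since a legitimate library description almost always points at a local or known folder. Pair the scan with the March patch and with blocking outbound SMB (TCP 445) at the perimeter, which stops the authentication request from reaching an external server even if a file slips through.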

While Microsoft did not initially flag CVE-2025-24054 as actively exploited, Check Point observed around twelve malicious campaigns targeting the vulnerability between March 19 and March 25. The extracted NTLM hashes were discovered on SMB servers located in several countries, including Australia, Bulgaria, the Netherlands, Russia, and Turkey.

One campaign specifically targeted the Polish and Romanian governments and private institutions through email phishing links that included a malicious archive file downloaded from Dropbox. This archive file contained references to previously exploited vulnerabilities, including CVE-2024-43451, which was used as a zero-day by Russian threat actors, and an SMB server linked to the Russian state-sponsored APT Fancy Bear.

In response to the exploitation of CVE-2025-24054, the US cybersecurity agency CISA has added the vulnerability to its Known Exploited Vulnerabilities list and advised federal agencies to patch it by May 8. CISA emphasizes the importance of prioritizing the remediation of vulnerabilities listed in its catalog, urging all organizations to address them promptly.

Overall, the exploitation of this Windows NTLM vulnerability highlights the ongoing threat posed by cyber attackers and underscores the critical need for timely patching and proactive security measures to protect against potential breaches and data compromises. Organizations are encouraged to stay vigilant, update their systems regularly, and implement robust security protocols to mitigate the risks associated with such vulnerabilities.
