A recent vulnerability affecting Windows systems, known as CVE-2025-24054, has been actively exploited by cybercriminals shortly after Microsoft released a patch to address the issue. This flaw allows attackers to leak NTLM authentication hashes with minimal user interaction, posing a serious security threat to organizations worldwide.
Despite Microsoft rolling out a fix for the vulnerability on March 11, threat actors wasted no time in launching attacks as early as March 19. Researchers observed a coordinated campaign targeting institutions in Poland and Romania, where malicious .library-ms files were delivered via Dropbox links embedded in phishing emails.
The malicious files, once downloaded and extracted, triggered the leakage of NTLMv2-SSP hashes without requiring the user to open or execute anything. This exploit was particularly concerning as it could be initiated with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file.
Check Point Research identified similarities between this exploit and a previously patched vulnerability, CVE-2024-43451, indicating that cybercriminals may be adapting known tactics to exploit new vulnerabilities. The first known campaign exploiting CVE-2025-24054 used an archive named xd.zip, which contained four malicious files designed to harvest NTLMv2 hashes.
The campaign combined four techniques: triggering the vulnerability to leak NTLMv2 hashes, exploiting a separate vulnerability via UNC paths, using UNC references to initiate SMB connections, and using a shortcut file to trigger SMB-based hash leakage. The SMB servers receiving the stolen credentials were located in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey.
One server, associated with the IP address 159.196.128[.]120, was previously flagged in connection to APT28 (Fancy Bear) by cybersecurity firm HarfangLab, though no direct attribution has been confirmed for this particular campaign. Check Point Research identified approximately 10 additional campaigns exploiting the vulnerability, with a particularly concerning wave observed by March 25.
This wave of attacks differed by delivering unarchived .library-ms files that triggered NTLM hash leaks through minimal user interaction, significantly raising the threat level for systems without SMB signing or NTLM relay protections. Microsoft recognized the seriousness of the flaw and promptly released a security patch on March 11, initially cataloged as CVE-2025-24071 but later corrected to CVE-2025-24054.
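A defender-side triage check for the file type described above, written here as an added example and not taken from the article or from Check Point's research: it parses a .library-ms document (Windows Library Description XML) and flags any search location whose UNC path or file:// URL would make Explorer contact a host outside the local machine or the private network. The namespace is the one Windows uses for library descriptions; the sample document is constructed, and treating every DNS name as worth analyst review is a deliberate, conservative assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the Windows Library Description schema used by .library-ms files.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed .library-ms skeleton (not a real sample) with one search location
# supplied by the caller, so benign and suspicious cases share one template.
LIBRARY_MS_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

def location_host(target):
    """Host named by a UNC path (\\\\host\\share) or file:// URL; None for a local path."""
    if target.startswith("\\\\"):
        return target[2:].split("\\", 1)[0]
    if target.lower().startswith("file://"):
        return urlparse(target).hostname  # None for file:///C:/...
    return None

def is_internal_host(host):
    """Loopback/private addresses are internal; public IPs and DNS names stay flagged."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # assumption: any DNS name is worth a look
    return addr.is_private or addr.is_loopback

def remote_locations(xml_text):
    """Return each <url> that would make Explorer contact a non-internal host."""
    root = ET.fromstring(xml_text)
    flagged = []
    for url in root.iter(LIB_NS + "url"):
        target = (url.text or "").strip()
        host = location_host(target)
        if host and not is_internal_host(host):
            flagged.append(target)
    return flagged
```

Run it over every .library-ms found in mail attachments or download folders; a hit is a reason to quarantine the file and to check SMB signing and NTLM settings on the receiving hosts.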
The widespread exploitation of this vulnerability highlights the importance of promptly applying security patches and implementing additional security measures to protect against evolving threats. Organizations are urged to remain vigilant and prioritize cybersecurity measures to safeguard sensitive information and prevent unauthorized access to their systems.