Active Exploitation of NTLM Hash Theft in Windows via CVE-2025-24054

Threat Group: Unattributed (suspected infrastructure overlap with APT28); prior similar CVE exploited by UAC-0194 and Blind Eagle (APT-C-36)
Threat Type: NTLM Hash Theft, Relay Attack Vector
Exploited Vulnerabilities: CVE-2025-24054 (NTLM Hash Disclosure via .library-ms), variant of CVE-2024-43451
Malware Used: None directly tied; secondary payloads possible (RATs, e.g., SparkRAT in prior campaigns)
Threat Score: 🔥 Critical (8.7/10) – Due to widespread system exposure, trivial user interaction required, and immediate post-exploit lateral movement potential
Last Threat Observation: April 19, 2025
Overview
CVE-2025-24054 is a critical vulnerability in Microsoft Windows systems that enables the disclosure of NTLMv2-SSP hashes through maliciously crafted .library-ms files. The vulnerability exploits a flaw in how Windows handles file metadata and UNC paths in .library-ms files. Exploitation requires minimal user interaction, such as simply viewing or right-clicking the file in Windows Explorer.
The CVE was patched by Microsoft on March 11, 2025, but was observed under active exploitation starting March 19, 2025. Campaigns targeted public and private entities in Poland and Romania using phishing emails to distribute the exploit. These emails either contained Dropbox links or directly attached malicious .library-ms files. The U.S. CISA added this CVE to the Known Exploited Vulnerabilities catalog on April 17, 2025, marking it as a significant and ongoing threat.
Vulnerability Description and Technical Analysis
Identifier: CVE-2025-24054
CVSS v3.1 Scores: Microsoft: 6.5 (Medium), NVD: 5.4 (Medium)
CWE Classification: CWE-73: External Control of File Name or Path
This vulnerability results from improper handling of externally controlled file path information in .library-ms files. These files, used to manage libraries in Windows, can be crafted to point to external SMB servers controlled by an attacker. Once a user interacts with the malicious file in Windows Explorer, the system attempts to authenticate with the external server via NTLM, leaking the user's NTLMv2 hash.
Actions that can trigger the exploit include:
- Single-clicking or selecting the file
- Right-clicking the file
- Dragging or dropping the file
- Navigating to the file's directory (Windows may auto-render metadata)
This low-interaction exploitation model makes the vulnerability especially dangerous, as users can trigger it without executing or opening the file.
Affected Systems
The following Windows OS versions are vulnerable unless patched:
- Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (21H2 through 24H2)
- Windows Server 2008 R2 SP1 (with ESU)
- Windows Server 2012 and 2012 R2 (with ESU)
- Windows Server 2016, 2019, 2022, 2025
Patch deployment is essential, but organizations must also consider deeper NTLM hardening given the broader abuse of this protocol.
Exploitation Campaigns
March 2025 Exploitation
Initial attacks observed between March 19–25 targeted government and private sector organisations in Poland and Romania. Phishing emails contained:
- Dropbox links to a ZIP archive (xd.zip) containing multiple malicious files (xd.library-ms, xd.url, xd.lnk, etc.)
- Direct attachments such as Info.doc.library-ms in later campaigns
In both delivery styles, minimal user interaction was sufficient to trigger hash leaks.
Post-Exploit Actions
Captured NTLMv2 hashes were likely:
- Used in NTLM relay attacks to authenticate to internal services
- Cracked offline using tools like Hashcat, enabling full credential theft and pass-the-hash (PtH) attacks
Threat Actor Context
UAC-0194
Linked to prior abuse of CVE-2024-43451 using .url files in Ukraine. Infrastructure and malware (e.g., Spark RAT) observed. Not confirmed in CVE-2025-24054 campaigns.
Blind Eagle (APT-C-36)
South American actor using .url-based NTLM exploits in targeted phishing. Infrastructure overlaps suggest awareness of CVE-2025-24054, but exploitation is unconfirmed.
APT28 (Suspected)
The SMB server IP (159.196.128[.]120) used in Poland/Romania was linked to prior APT28 activity but attribution remains tentative.
Validated Indicators of Compromise (IoCs)
CVE
- CVE-2025-24071
- CVE-2024-43451
- CVE-2025-24054
IPv4
- 159[.]196[.]128[.]120
- 194[.]127[.]179[.]157
FileHash-SHA1
Mitigation and Prevention
1. Patch Immediately
- Apply Microsoft’s March 2025 updates across all Windows systems.
2. NTLM Configuration Hardening
- Disable NTLM where possible (via GPO: Network security: Restrict NTLM)
- Enable Extended Protection for Authentication (EPA)
- Enforce SMB signing and LDAP channel binding
3. Network Protections
- Block outbound SMB (TCP 445, UDP 137/138) at network perimeter
- Segregate networks to reduce lateral movement
4. Detection and Response
- Use EDRs to detect .library-ms execution and anomalous SMB traffic
- SIEM rules to detect NTLM logons (Event IDs 4624, 4625)
5. Email and User Controls
- Block .library-ms attachments at mail gateway
- Train users to avoid interacting with unfamiliar files, even if not executed
6. Identity and Credential Protection
- Enforce MFA, preferably FIDO2 or smart cards
- Audit for NTLMv1 usage and legacy fallback scenarios
- Monitor LSASS for unauthorized access attempts
7. Additional Hardening
- Disable legacy services like Print Spooler on domain controllers
- Audit and harden Active Directory Certificate Services (AD CS) for known misconfigurations (ESC1–ESC8)
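As an added example for the SIEM rule in item 4 and the NTLMv1 audit in item 6 (not part of this advisory), Python detection logic run over constructed Security log records: it flags NTLMv1 use, NTLM logon failures, and network NTLM logons whose source address differs from the address the named workstation is expected to use, a common relay indicator. The workstation inventory, the sample events and the mismatch heuristic are assumptions.

```python
from typing import Iterable

# Assumption for this example: an inventory mapping workstation names to the
# address each one is expected to log on from (e.g. from DHCP leases or a CMDB).
WORKSTATION_IPS = {"WS-FINANCE-01": "10.1.5.20", "WS-HR-02": "10.1.5.21"}

def classify(event: dict):
    """Return a finding label for one Security event, or None if it is unremarkable."""
    if event.get("EventID") not in (4624, 4625):
        return None
    if event.get("AuthenticationPackageName") != "NTLM":
        return None                           # Kerberos logons are out of scope here
    if event.get("LmPackageName") == "NTLM V1":
        return "ntlmv1-used"                  # legacy fallback that should be audited
    if event["EventID"] == 4625:
        return "ntlm-failure"                 # feed into a per-source threshold rule
    if event.get("LogonType") != 3:
        return None                           # only network logons can be relayed
    ws = event.get("WorkstationName", "").upper()
    expected = WORKSTATION_IPS.get(ws)
    if expected and event.get("IpAddress") != expected:
        return "possible-ntlm-relay"          # name claims one host, packet came from another
    return None

def detect(events: Iterable[dict]) -> list:
    """Classify a stream of events and return (label, user, source_ip) tuples."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((label, ev.get("TargetUserName"), ev.get("IpAddress")))
    return out

# Constructed sample events; field names follow the Security log's EventData.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "j.kowalski",
     "WorkstationName": "WS-FINANCE-01", "IpAddress": "10.1.5.20"},   # normal
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "j.kowalski",
     "WorkstationName": "WS-FINANCE-01", "IpAddress": "10.1.9.77"},   # relay-like
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc-backup",
     "WorkstationName": "WS-HR-02", "IpAddress": "10.1.5.21"},        # NTLMv1
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "a.popescu",
     "WorkstationName": "WS-HR-02", "IpAddress": "10.1.5.21"},        # ignored
]
```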
Risk Assessment
- Likelihood: Very High (due to ease of use and active exploitation)
- Impact: High (credential compromise, lateral movement, domain escalation)
- Exposure: Extensive (nearly all supported Windows OS versions vulnerable pre-patch)
Conclusion
CVE-2025-24054 exemplifies a systemic weakness in Windows’ handling of metadata-triggered network authentication, particularly via legacy protocols like NTLM. With active exploitation documented less than 10 days post-patch, and minimal user interaction needed, the threat remains high.
This vulnerability must not be treated as isolated—its exploitation reflects a growing trend in abusing Windows protocol design flaws. Organisations must combine patching with long-term NTLM deprecation strategies and systemic security hardening to avoid future similar risks.
Sources
- The Hacker News – "Blind Eagle Hacks Colombian Institutions Using NTLM Flaw"
- SC Media – "Phishing Campaigns Abuse Windows NTLM Hash Leak Bug"
- NIST – CVE-2025-24054
- MITRE – CVE-2025-24054
- Alien Vault - Indicators of Compromise