Microsoft's March 11 Patch Tuesday rollout, a cornerstone event for Windows security, included a critical fix for an NTLM hash-leaking vulnerability identified as CVE-2025-24054. Initially, Microsoft had rated this vulnerability as "less likely" to be exploited, but swift real-world attacks have proved otherwise, highlighting a gap between risk assessment and adversary innovation. Within just eight days of the patches being made available, attackers weaponized CVE-2025-24054 and launched targeted campaigns against government and private sector entities in Poland and Romania, marking a rapid and alarming escalation in threat activity.
This particular NTLM flaw enables attackers to leak Net-NTLMv2 or NTLMv2-SSP hashes over the network by exploiting a vulnerability related to external control of file names or paths within Windows NTLM authentication. The attackers leveraged a social engineering tactic by sending phishing emails containing a Dropbox-hosted ZIP archive labeled "xd.zip." The archive concealed a set of malicious files, including a dangerous ".library-ms" file that triggers the vulnerability. Notably, just unzipping or even viewing the folder in Windows Explorer could activate the exploit, causing Windows to inadvertently send NTLM hashes via SMB authentication attempts to servers controlled by the attackers.
The stolen NTLM hashes, valuable for pass-the-hash attacks, allow adversaries to imitate legitimate users, gaining unauthorized access and moving laterally within compromised networks. Check Point researchers traced exfiltration to an IP address previously associated with the APT28 group, also known as Fancy Bear, a Russian state-linked hacking collective. Though no definitive attribution confirms Fancy Bear's involvement, this connection underscores the high-profile nature of the targets and adversaries involved.
The exploit’s minimal user interaction requirement, such as single-clicking or even right-clicking the malicious file, illustrates the vulnerability’s ease of exploitation. By late March, the threat had grown global, with multiple simultaneous campaigns delivering standalone ".library-ms" files directly to victims’s inboxes. These campaigns funneled credentials to SMB servers scattered across Russia, Bulgaria, the Netherlands, Australia, and Turkey, showcasing the broad geographic and strategic reach of the attack wave.
This rapid weaponization and distribution of a vulnerability Microsoft initially deemed less likely to be exploited sends a potent message to organizations worldwide: patching NTLM-related flaws must be an urgent priority to prevent devastating pass-the-hash and relay attacks. Traditional overreliance on NTLM as a legacy authentication mechanism continues to pose security risks. Microsoft has long promoted migrating to modern token-based protocols like Kerberos, but many enterprises remain tethered to NTLM due to legacy systems and backwards compatibility concerns. This ongoing vulnerability elsewhere in the ecosystem reaffirms that NTLM’s deprecation is a critical security imperative for the coming years.
Simultaneously, Apple pushed out iOS 18.4.1 and iPadOS 18.4.1 to remediate two zero-day vulnerabilities exploited in "extremely sophisticated" targeted attacks. The first addresses a memory corruption bug in CoreAudio that handles audio streams. This flaw could allow arbitrary code execution when processing a crafted media file, enabling attackers to run malicious code on vulnerable devices. The second patch fixes a severe weakness in Apple's Return Pointer Authentication Code (RPAC), a security measure designed to prevent pointer manipulation attacks, such as tampering with return addresses on the stack. Attackers able to read and write memory arbitrarily could bypass RPAC protections, but Apple mitigated the risk by entirely removing the vulnerable code section. These vulnerabilities emphasize the heightened risk posed by memory safety issues in complex multimedia processing subsystems, a trend observed in modern operating systems including Windows and macOS alike.
Microsoft’s patch ecosystem in April 2025 continued to reveal an intense operational environment. The Windows Common Log File System (CLFS) driver zero-day vulnerability CVE-2025-29824 emerged as a critical threat actively exploited in the wild. This bug allows elevation of privilege to SYSTEM level through a complicated user-after-free flaw that involves leaking kernel addresses and overwriting process tokens. This vulnerability is particularly dangerous because it grants adversaries the highest system privileges, enabling complete system takeover. The exploit has been linked to the ransomware group Storm-2460, known for deploying a sophisticated backdoor called PipeMagic. This active exploitation further accentuates how attackers leverage layered vulnerabilities in Windows components for maximum control.
Beyond CLFS, Microsoft's security updates encompass a vast array of vulnerabilities, covering remote code execution flaws in LDAP and Remote Desktop Services (RDP), elevation of privileges in Microsoft Office and Excel, and weaknesses in Windows kernel subsystems. Especially troubling are race condition bugs in LDAP and RDP that do not require user interaction, vastly increasing the threat surface for enterprises relying on these services.
Windows 10 users face an unfortunate delay in patch availability for many critical flaws fixed in Windows Server and Windows 11, leaving a security gap that defenders must urgently address through layered mitigations. Microsoft’s insistence on prompt patching and the shifting recommendation away from legacy protocols like NTLM represent ongoing challenges for IT security managers balancing operational continuity with evolving cyber threats.
Crucially, researchers flagged the minimal user interaction requirement for triggering the NTLM vulnerability exploit, demonstrating the risk that trivial file handling actions—like unzipping or even right-clicking a file—pose in compromised environments. This nuance demands enhanced user awareness training in conjunction with technical patching and network segmentation to mitigate lateral movement assisted by harvested NTLM credentials.
From a broader perspective, these developments underscore the increasingly sophisticated landscape of cyber threats that cross platform boundaries—affecting Microsoft, Apple, and others. Organizations must monitor emerging exploits targeting legacy protocols and core system components, implement rapid patch cycles, and accelerate migration to secure modern authentication methods. The window between patch release and exploitation showcases adversaries’ agility in weaponizing even ostensibly low-risk vulnerabilities.
With Windows ecosystem vulnerabilities like CVE-2025-24054, CVE-2025-29824, and numerous critical flaws patched alongside Apple’s zero-days, April 2025 emerges as a high-stakes month in cybersecurity. It serves as a stark wake-up call: maintaining software security demands an all-hands-on-deck approach from vendors, IT administrators, and users. Legacy authentication systems, complex multimedia codebases, and critical kernel subsystems remain prime targets. Defenders face no respite, as vulnerabilities move from disclosed to exploited at an ever-accelerating pace, underlining the necessity of proactive defenses and continuous vigilance.
Source: Eight days from patch to exploitation for Microsoft flaw
