North winds carry more than just Poland’s infamous cold: as March 2025 would have it, they swept in a fresh surge of NTLM hash theft, thrusting CVE-2025-24054 into the glaring spotlight of cybersecurity’s main stage. Weeks before most CIOs had even had their coffee, threat actors were already knee-deep in phishing campaigns, hungrily grabbing hashes from unsuspecting inboxes in Poland and Romania. In an uncanny echo of recent history, organizations across the globe once again found themselves pondering that timeless IT question: “Why do we keep falling for the same old tricks?”

The Anatomy of CVE-2025-24054: A Vulnerability Unveiled

Microsoft’s NTLM (NT LAN Manager) authentication protocol has been lingering like a ghost of the ‘90s, tirelessly authenticating users and devices even after official deprecation—and, truthfully, after Microsoft’s explicit exhortation to swap to Kerberos. But it wasn’t nostalgia that brought NTLM into the headlines. CVE-2025-24054, privately reported by a trio of keen-eyed researchers, opened the door for attackers to capture NTLMv2 responses simply by luring users to interact with a maliciously crafted file—no need to actually open it. Unlike its sibling CVE-2025-24071 (which at least required opening a folder to take effect), this vulnerability lowered the bar for exploitation. One click, one misstep, and—abracadabra!—a hash is whisked away across the network.
But what can an attacker do with a stolen NTLM hash? There are two main avenues: brute-force the hashed response offline or, far sneakier, perform a relay attack. By relaying the captured hash to another authentication service, attackers can slip through defenses, masquerading as the unwitting victim. If the credentials belong to a highly privileged user, the attacker’s prize is even richer: they can escalate privileges and begin moving laterally within the network, turning a single slip of the mouse into a full-blown breach.

The Road to Infamy: Timeline of a Threat

The vulnerability’s journey from quiet disclosure to weaponized exploit reads like a cybersecurity crime thriller. After Microsoft quietly patched both CVE-2025-24054 and its sibling CVE-2025-24071 on March 11, 2025, the industry (and, let’s face it, most users) barely noted a ripple. But as is so often the case, malicious actors were far more attentive. On March 16 and 18, a proof-of-concept exploit and detailed write-up surfaced online—fuel for the cybercriminal fire.
By March 19, Check Point researchers detected the first campaign targeting Polish and Romanian institutions, government and private alike. The attack vector? A phishing email, cunningly designed, delivering an archive entitled “xd.zip.” The files inside weren’t even hidden: four distinct beauties, each designed to leak NTLMv2-SSP hashes. Merely interacting with these files would prompt an outbound SMB connection to a server controlled by the threat actor. One file triggered CVE-2025-24054, another invoked CVE-2024-43451—a multitasking exploit arsenal that demonstrates just how creative attackers can be when incentives are high.
Not long after, around March 25, researchers uncovered roughly ten more campaigns, each with the singular goal of harvesting NTLMv2-SSP hashes. It wasn’t just Poland and Romania anymore; this was global, with one campaign specifically targeting companies with an international footprint.

Victims in the Crosshairs: Phishing 2.0

Let’s talk about the phishing emails. If you still picture crude grammar and suspicious links to Nigerian princes, you haven’t checked your inbox lately. Today’s phishing is a masterclass in psychological manipulation, with emails tailored for each target, attachments dressed to blend in, and an increasingly creative array of delivery methods. The xd.zip archive looked harmless enough, but one wrong interaction—just inspecting or moving the file, not executing it—was enough to leak critical NTLMv2-SSP hashes to a server with a known history: previous reports from HarfangLab tied this server to APT28, also known as Fancy Bear or Forest Blizzard. Yes, this is the big leagues, and the stakes are just as high as you’re imagining.
These attacks, while not as immediately devastating as remote code execution, are insidious. NTLM relay attacks can be devastatingly effective for privilege escalation; when a privileged account’s credentials are snatched, the attackers aren’t just inside the gates—they’re in the high tower, waving the keys to every room.

How Did We Get Here? The Lingering NTLM Problem

Here’s the uncomfortable truth: NTLM should be dead. Microsoft deprecated all versions of NTLM in 2024, issuing stern warnings to switch to Kerberos, the more robust successor. But as any IT administrator will tell you over a nervous laugh, legacy authentication protocols are the cockroaches of enterprise networks: persistent, pervasive, and infuriatingly hard to eradicate.
NTLM’s continued use isn’t because sysadmins love nostalgia—it’s because replacing legacy authentication across sprawling, interconnected networks is a Herculean feat. There’s a tangle of legacy devices, outdated software, and “just works” attitudes. So, like a stubborn virus, NTLM lingers—and attackers are only too happy to exploit its continued presence.

The Patch Dilemma: Supported and Unsupported Systems

Microsoft didn’t sleep on the issue; they released patches for all supported versions of Windows and Windows Server. But what about the elephant in the server room—those beloved, unironic installs of Windows 7, Windows 10 v21H2, Server 2008 R2, and Server 2012 R2? For those clinging to out-of-support versions, “micropatching” has emerged as a stopgap. This approach, popularized by third-party vendors, allows individual vulnerabilities to be patched at the binary level, without a sweeping system update. It’s a lifesaver for organizations that, due to institutional inertia, regulatory requirements, or sheer stubbornness, can’t migrate to newer systems overnight.
Still, while micro- and mega-patching races on, one reality endures: patching effectiveness depends not on the availability of patches, but on how quickly and universally they are deployed. In the after-action reports from countless breaches, slow patch adoption remains the perennial villain.

Technical Underpinnings: Why Is This So Hard to Stop?

NTLM relay attacks leverage a fundamental weakness: the protocol itself. Unlike Kerberos, NTLM provides neither mutual authentication nor adequate cryptographic binding of the authentication to the channel or target service. A malicious SMB server, or an attacker positioned as a man-in-the-middle (MitM), can receive a client’s challenge-response exchange and relay it to another service. The user, utterly oblivious, never has a clue their credentials were just pawned.
With CVE-2025-24054, even passive interaction with a poisoned file—think of just glancing at a suspiciously shared network folder—inadvertently triggers authentication attempts to the attacker’s SMB server. The protocol blithely complies, sending the hashed credentials faster than you can say “Legacy is a liability.”
While NTLMv2 does offer some improvements over its v1 predecessor, it still hinges on the same core mechanism: challenge-response authentication that assumes the channel is trustworthy. When that trust is breached, the vulnerability is exposed.

Echoes of the Past: Learning from Zero-Days

Veteran security folks will have déjà vu. The scenario is eerily reminiscent of CVE-2024-43451, a zero-day that surfaced the previous year to target critical infrastructure in Ukraine. There, too, NTLM played the compromised protagonist; there, too, attackers used smart phishing, cleverly-crafted SMB servers, and a global network of zombie machines to pivot deeper within networks.
So why does the industry keep tripping on the same stone? The reasons are as complex as they are frustrating. Economic pressure, technical debt, and the sheer logistical nightmare of shifting mission-critical authentication mechanisms conspire to slow progress. And as these campaigns show, attackers are prepared to exploit any hesitation.

Attribution Games: The Perennial Suspect

The server at the heart of these campaigns was no unknown player. Its digital fingerprints had previously been linked by HarfangLab to APT28—a name that conjures more shivers in boardrooms than “unpatched legacy system.” Also known as Fancy Bear or Forest Blizzard, APT28 has played central roles in cyber-espionage campaigns targeting governments, infrastructure, and private industry. Their involvement raises the stakes: attacks are not just financially motivated, but potentially geopolitically charged.
When an APT group is exploiting a vulnerability days after public disclosure, the world should sit up straight, slam the patches, and audit every legacy protocol twice just to be sure.

Defense in Depth: The New Imperatives

Responding to vulnerabilities like CVE-2025-24054 isn’t a hard science—it’s a tactical ballet. The first step is, of course, patching: apply the security fixes from Microsoft (or select a reputable micropatching vendor if you’re living in the retro-cool world of legacy Windows). Don’t stop there. Prune NTLM usage wherever possible. Monitor network traffic for suspicious SMB requests—especially those pointing to unfamiliar or external servers. Bolster endpoint detection and response (EDR) with rules tailored to spot relay attack signatures.
Next comes user education—yes, again. Even the most sophisticated attacks still begin by persuading someone to click something they shouldn’t. Simulated phishing campaigns, dynamic threat intelligence, and an active reporting culture all serve as crucial counterbalances to technological safeguards.
Then there’s the architectural fix: shifting authentication wholesale to Kerberos, which offers much stronger mutual authentication and resistance to relay attacks. For many organizations, this is the only true “forever” fix. But—prepare yourself—making this migration is never trivial, especially for global enterprises wedded to legacy apps.
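An added example, not from the article or from any vendor tooling it mentions: two of the checks above, written in Python over constructed sample logs. It flags SMB sessions (TCP 445 and 139) whose destination lies outside the internal address ranges, which is where a connection to an attacker-controlled SMB server would surface, and it counts NTLM logons per account from 4624-style logon records so that NTLM pruning starts with the heaviest dependencies. The internal ranges, field layouts and field names are assumptions; adapt them to your own export format.

```python
import ipaddress
from collections import Counter

# Internal ranges are an assumption; replace with your organization's own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service

# Constructed sample in a simplified Zeek conn.log shape: ts, src, dst, dst port, proto
CONN_LOG = [
    "1742400001.1\t10.0.5.23\t10.0.1.10\t445\ttcp",     # internal file server: expected
    "1742400002.7\t10.0.5.23\t203.0.113.45\t445\ttcp",  # SMB leaving the network: flag it
    "1742400003.0\t10.0.5.41\t198.51.100.7\t443\ttcp",  # HTTPS, not SMB
    "1742400004.4\t10.0.5.41\t192.0.2.200\t139\ttcp",   # NetBIOS session to an external host: flag it
]

# Constructed sample in a simplified Windows 4624 shape: account, auth package, workstation
LOGON_EVENTS = [
    {"account": "alice", "package": "Kerberos", "workstation": "WS01"},
    {"account": "svc_backup", "package": "NTLM", "workstation": "SRV02"},
    {"account": "alice", "package": "NTLM", "workstation": "WS01"},
    {"account": "svc_backup", "package": "NTLM", "workstation": "SRV03"},
]


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_smb(lines):
    """Return (src, dst, port) for SMB/NetBIOS sessions whose destination is outside the internal ranges."""
    hits = []
    for line in lines:
        _ts, src, dst, port, proto = line.split("\t")
        if proto == "tcp" and int(port) in SMB_PORTS and not is_internal(dst):
            hits.append((src, dst, int(port)))
    return hits


def ntlm_logon_inventory(events):
    """Count NTLM logons per account; the highest counts mark the dependencies to migrate first."""
    return Counter(e["account"] for e in events if e["package"] == "NTLM")


if __name__ == "__main__":
    for src, dst, port in flag_external_smb(CONN_LOG):
        print(f"ALERT outbound SMB {src} -> {dst}:{port}")
    for account, n in ntlm_logon_inventory(LOGON_EVENTS).most_common():
        print(f"{account}: {n} NTLM logon(s)")
```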

The Bigger Picture: Identity Is the New Perimeter

The lesson here isn’t just technical: the identity perimeter—the sum of user, device, and machine identities—now defines the modern security boundary. The physical firewall is obsolete; it’s your credentials, floating in a sea of emails and attachments, that matter most. Attackers know this. So do defenders. The race is on.
As NTLM fades into the sunset (slowly—oh so slowly), organizations must remain vigilant, proactive, and agile. The days of “set it and forget it” are over.

Looking Ahead: Patch Fatigue and the Next Breach

Could this be the exploit that finally kills NTLM for good? History offers some skepticism. Organizations have long suffered from patch fatigue—a constant churn of updates arriving faster than many can deploy. Attackers, meanwhile, need only find one laggard to reap rewards. While the industry’s patch culture has improved, the threat landscape moves faster, and the window of exposure—from public exploit disclosure to active attack—has never been narrower.
Expect further evolutions. As NTLM sinks further from view, attackers will turn their considerable talents to tangling with Kerberos, gaming multi-factor authentication, or finding new avenues for phishing and privilege escalation. And yes, new campaigns leveraging similar weaknesses will appear.

Final Thoughts: No Silver Bullet, But Plenty of Ammo

The saga of CVE-2025-24054 is more than another vulnerability story—it’s a stark demonstration that security is both a marathon and a sprint. There is no silver bullet, but there are best practices: patch faster, kill old protocols, educate users, monitor everything that moves, and respect the cunning of modern adversaries.
For CISOs, sysadmins, and everyday users alike, the NTLM story is both a call to action and a stubborn reminder that the oldest doors often swing open to the newest keys. The next time you’re tempted to ignore that patch notification or put off a legacy migration, remember: out there, someone is already phishing for just one more hash.
Here’s to staying ahead of the attackers—and, fingers crossed, finally putting NTLM out to pasture, where it belongs.

Source: Help Net Security, “Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)”