Navigation section

CVE-2025-24054: Critical Windows NTLM Hash Leak Exploited Weeks After Patch

  • Thread Author
Microsoft’s Patch Tuesday on March 11, 2025, delivered a broad array of bug fixes across its Windows ecosystem, notably including a vulnerability that had been underestimated in its exploitation potential. The flaw, tracked as CVE-2025-24054, concerns a critical security gap within the Windows NTLM authentication process—a hash-leaking vulnerability that Microsoft initially rated as “less likely” to be exploited. However, the threat materialized swiftly, with attackers weaponizing this flaw against government and private sector entities in Poland and Romania within merely eight days of the patch rollout. This rapid turnaround from patch availability to active exploitation underscored the vulnerability’s true gravity and demonstrated that attackers often move faster and with greater sophistication than vendors anticipate.

Digital globe with Windows logo surrounded by glowing locks and cybersecurity code elements.
The CVE-2025-24054 NTLM Hash-Leaking Exploit: Mechanism and Impact​

The core issue stems from how Windows handles NTLM authentication hashes, specifically allowing an attacker to leak a victim's Net-NTLMv2 or NTLMv2-SSP hash over the network. The flaw permits external actors to manipulate file names or paths in such a way that Windows attempts an outbound SMB authentication, inadvertently exposing NTLM hashes to remote servers controlled by the attacker.
Malicious actors have leveraged this vulnerability by designing phishing campaigns that deliver weaponized ZIP archives to victims. One such archive, named xd.zip and hosted on Dropbox, contained several booby-trapped files, including a specially crafted .library-ms file that exploited the flaw. Simply extracting the archive—or even viewing the containing folder in Windows Explorer—triggered the leak, as Windows Explorer’s default behavior caused an automatic, outbound SMB authentication request. This request disclosed the victim’s NTLM hash to an attacker’s server.
The vulnerability’s behavior is especially dangerous because it requires minimal user interaction; victims do not need to actively execute a payload or open an executable file. Even a single click or file preview can activate the exploit. Moreover, exposed hashes can be brute forced offline or used in relay attacks, enabling attackers to impersonate legitimate users, thereby achieving unauthorized access and lateral movement within compromised networks.

The Widening Reach of the Attack and Connections to APT28​

Reports indicate that after initial attacks using open ZIP files, threat actors refined their approach by emailing .library-ms files directly, further lowering the barrier to compromise. This quick evolution enabled the campaign to expand internationally beyond the initial targets in Poland and Romania.
Analysis by security researchers identified that the exfiltrated hashes were sent to an IP address previously associated with APT28, also known as Fancy Bear—the Russia-backed hacking group notorious for sophisticated cyber espionage. While the direct attribution remains circumstantial, the linkage underscores the critical nature of such vulnerabilities being exploited by highly capable threat actors.
By March 25, around ten separate malicious campaigns exploiting CVE-2025-24054 were observed, targeting systems across countries including Russia, Bulgaria, the Netherlands, Australia, and Turkey. The common objective was harvesting NTLMv2 hashes, which are a valuable currency in cyberattack operations given their ability to facilitate pass-the-hash attacks—a technique allowing attackers to authenticate to remote systems without needing the underlying plaintext password.

Mitigation and Defense Strategies​

Check Point researchers, amongst others, have been emphatic about the necessity for immediate patch application and the hardening of NTLM configurations within enterprise environments. Patching alone, while critical, is insufficient if NTLM remains broadly enabled and unmonitored, owing to its inherent weaknesses and continued legacy use.
A multi-layered defense approach is essential:
  • Patch Management: Apply all official Microsoft updates immediately and verify deployment across endpoints.
  • Reduce NTLM Usage: Audit and restrict NTLM authentication, replacing it with secure alternatives such as Kerberos wherever possible.
  • Network Segmentation: Minimize the potential blast radius by segmenting networks to prevent lateral movement.
  • Monitor Authentication Logs: Set up real-time monitoring and alerting on anomalous authentication patterns, particularly those involving SMB traffic.
  • User Education: Train staff to recognize phishing attempts and understand the risks posed by interacting with suspicious files.
Beyond technical measures, this incident reinforces the enduring risk posed by legacy authentication protocols that persist in complex networks to maintain compatibility with older systems.

Parallel Patching and Emerging Threats from Apple​

In close temporal proximity to Microsoft's critical update, Apple released patches for two zero-day vulnerabilities in iOS 18.4.1 and iPadOS 18.4.1, which were identified in attacks characterized as "extremely sophisticated" targeting select individuals. The first vulnerability addressed a memory corruption flaw in CoreAudio, the framework responsible for processing audio streams. Maliciously crafted media files exploiting this flaw could lead to arbitrary code execution. The second vulnerability targeted the Return Pointer Authentication Code (RPAC) mechanism, a security feature intended to prevent pointer manipulation attacks. Attackers with arbitrary read and write access could exploit this to bypass pointer authentication, compromising the integrity of the system. Apple’s remediation involved removing the vulnerable code that enabled this bypass.
These Apple vulnerabilities, discovered in collaboration with Google’s Threat Analysis Group, highlight the cross-platform nature of advanced cyber threats today. While they affect Apple devices specifically, Windows users are not isolated from related risks, as multi-device and cross-ecosystem environments become increasingly normative.

Broader Implications for Cybersecurity in 2025​

The swift exploitation of CVE-2025-24054 spotlighted a persistent challenge facing the IT community: patches can rapidly become reactive tools once active exploitation commences. The breach window shrinks dramatically, leaving a slim margin for preventing damage.
Legacy protocols like NTLM, deeply entrenched in enterprise systems for compatibility reasons, continue to pose significant risks despite being deprecated in principle. The combination of minimal user action required for exploitation and the ease of leveraging leaked hashes into full network compromise underscores a systemic vulnerability within Windows networks.
Furthermore, the involvement of advanced persistent threat groups in these campaigns elevates the stakes. Organizations must view such events not only as patching exercises but also as exercises in holistic threat detection, response readiness, and infrastructure modernization.

Conclusion​

The events following Microsoft’s March 2025 Patch Tuesday encapsulate the modern cybersecurity landscape’s dual nature: a steady stream of complex vulnerabilities amid evolving and increasingly rapid exploitation tactics. CVE-2025-24054’s NTLM hash leakage flaw starkly illustrates the hazards of legacy technology dependence in a world where attackers swiftly weaponize even so-called “less likely” vulnerabilities.
For IT professionals, the message is unequivocal: maintaining vigilant, proactive patch management combined with strategic moves away from aging protocols like NTLM, enhanced network segmentation, and continuous monitoring forms the bedrock of robust defense. Similarly, cross-industry collaboration and vigilance in patching systems, regardless of platform—be it Windows or Apple—are critical to safeguarding the increasingly interconnected ecosystems users rely upon.
The rapid emergence and exploitation of these vulnerabilities serve as a clarion call to accelerate modernization in IT security strategies, balancing the need for legacy support with the imperative of robust, forward-looking cybersecurity architecture.
By internalizing these lessons and adopting comprehensive mitigation practices, organizations can better weather the relentless tide of cyber threats defining this era.
References:
  • TheRegister on Microsoft and Apple patches: Eight days from patch to exploitation for Microsoft flaw
  • WindowsForum discussions on CVE-2025-24054 and NTLM vulnerabilities
  • General threat landscape insights and mitigation guidance from security researchers and Microsoft's Security Response Center
Source: Eight days from patch to exploitation for Microsoft flaw
 

Click to expand...
Microsoft’s March 2025 Patch Tuesday delivered a batch of bug fixes addressing numerous vulnerabilities across Windows platforms. Among these, a critical and underestimated flaw, CVE-2025-24054, quickly shifted from a “less likely to be exploited” risk to an active weaponized exploit targeting government and private sector networks, notably in Poland and Romania. This flaw revolves around the leakage of NTLM (NT LAN Manager) hashes, a legacy authentication protocol embedded in Windows environments, posing a considerable threat to the security fabric of affected systems.

A chained computer monitor displays a security warning shield, symbolizing cybersecurity and hacking threats.
The NTLM Hash-Leaking Vulnerability: CVE-2025-24054​

CVE-2025-24054 exploits a vulnerability in how Windows handles NTLM authentication hashes during SMB (Server Message Block) protocol interactions triggered by certain file types. Attackers manipulated a specially crafted file—a .library-ms file embedded inside phishing ZIP archives named "xd.zip"—which exploit this flaw by causing Windows to leak the victim’s Net-NTLMv2 or NTLMv2-SSP hashes to an attacker-controlled server simply upon extraction or even folder preview in Windows Explorer. Later, attackers advanced the tactic, sending these .library-ms files directly via email, minimizing user interaction to mere clicks or contextual views, accelerating exploits worldwide.
The nature of the attack—needing minimal user action—makes it highly insidious. Once the NTLM hash is leaked, attackers can harness it for offline brute-force attacks or facilitate relay attacks, effectively impersonating victims and gaining unauthorized access. This risk is compounded by the fact that the stolen hash is often transmitted to command-and-control servers linked to notorious threat groups, such as the Russian-backed APT28 (Fancy Bear). The rapid international spread of campaigns using this technique underscores the urgency in patching and addressing NTLM-related risks in organizational networks.

Legacy Protocols and Modern Threats​

NTLM, despite its age and well-documented weaknesses, remains deeply integrated in many enterprise Windows environments due to backward compatibility issues. This vulnerability exposes the inherent problems of retaining legacy authentication protocols without sufficient modernization or rigorous network segmentation and monitoring.
Organizations relying heavily on NTLM must recognize that even seemingly minor vulnerabilities exploiting file name or path manipulations can serve as alarming conduits for network compromise. Each hash leak presents a Trojan horse risk, allowing attackers to move laterally across segments, bypassing normal authentication controls. Securing or transitioning away from NTLM in favor of modern protocols like Kerberos is a necessary goal for systemic resilience.

The Broader Microsoft Patch Context in Early 2025​

This NTLM flaw did not exist in isolation. Microsoft's 2025 patch releases—from March into April—have included multiple critical and zero-day fixes affecting core Windows components such as the Common Log File System (CLFS), LDAP, Remote Desktop Protocol (RDP), and Microsoft Office. Many vulnerabilities can enable remote code execution, privilege escalation, or denial of service.
For example, CVE-2025-29824, patched in April 2025, is a user-after-free zero-day in the CLFS driver that has already been actively exploited to gain SYSTEM-level privileges. LDAP vulnerabilities patched around the same time involve race conditions enabling potential unauthorized access. The overall patch landscape highlights the continuing evolution of attack vectors against Windows, emphasizing resilient, layered defenses.

Apple's Parallel Zero-Day Patch Efforts​

In a parallel but related security development, Apple released iOS 18.4.1 and iPadOS 18.4.1 updates addressing two zero-day vulnerabilities actively exploited in highly sophisticated, targeted attacks. Unlike the NTLM flaw that affects Windows authentication protocols, these Apple vulnerabilities target CoreAudio (a memory corruption issue allowing arbitrary code execution via malicious audio files) and the Return Pointer Authentication Code (RPAC) mechanism, which guards against pointer manipulation attacks.
Though targeting different ecosystems, both Microsoft and Apple's recent patches reveal how attackers exploit fundamental system components—authentication and memory protection—to achieve remote or local code execution. Defense strategies must therefore embrace comprehensive cross-platform practices, given the interconnected nature of modern networks and hybrid work environments.

Attack Vectors and Exploitation Mechanics​

The Windows NTLM hash leak via .library-ms files is particularly notable for its exploitation technique: mere folder browsing or file selection can trigger outbound SMB authentication requests that send the victim’s hash to the attacker. This is not a remote code execution exploit per se but an authentication bypass risk with extensive consequences for network trust and access.
Phishing emails remain the primary vector, delivering either ZIP archives or standalone malicious files. The fact that attackers rapidly adapted to send standalone .library-ms files demonstrates their agility, and underlines the peril for users engaging with unsolicited or suspicious file attachments.

Defensive Measures and Organizational Recommendations​

Given the rapid weaponization of CVE-2025-24054 and similar vulnerabilities, the imperative for immediate organizational response is clear:
  • Patch Management: Immediate and thorough application of Microsoft’s security patches is critical. Delay leaves networks exposed to active exploit campaigns.
  • NTLM Usage Review: Organizations should audit and limit NTLM authentication wherever possible. Embracing Kerberos-based authentication reduces exposure to relay and hash theft attacks.
  • Network Segmentation and SMB Monitoring: Enforce segmentation to restrict lateral movement post-compromise. Monitor SMB traffic for abnormal outbound authentication attempts, especially towards suspicious IPs.
  • User Awareness Training: Phishing remains the root cause of many breach incidents. Train users to recognize and avoid deceptive emails, suspicious attachments, and unsolicited downloads.
  • Advanced Security Tools: Employ endpoint detection and response (EDR) and extended detection and response (XDR) solutions capable of detecting early indicators of credential theft and lateral movement.

Emerging Threat Landscape and Outlook​

The CVE-2025-24054 incident joins a growing roster of vulnerabilities in 2025 underscoring the relentless pressure on legacy protocols and the complexity of modern software ecosystems. The dual disclosures from Microsoft and Apple illuminate a common theme: attackers exploit fundamental trust mechanisms deeply embedded in operating systems, whether in authentication protocols or memory safety features.
For IT professionals and security teams, this means embracing a comprehensive, multi-layered defense strategy that is agile enough to remediate legacy risks and robust enough to defend against sophisticated zero-day exploits. Patch management, continuous monitoring, user education, and modernized identity infrastructure form the pillars of such an approach.
In the end, the lesson is unmistakable: organizations cannot afford complacency. Even flaws initially deemed “less likely to be exploited” can swiftly become focal points of targeted attacks causing real-world damage. Vigilance, rapid response, and a forward-looking security posture are indispensable in the evolving battle for digital trust and integrity.
This synthesis draws from a detailed investigation of the March 2025 Patch Tuesday’s CVE-2025-24054 exploit, Microsoft's broader security patch releases in early 2025, and Apple's simultaneous zero-day patch efforts. It reflects ongoing industry concerns about legacy protocol vulnerabilities and the need for continuous evolution in cybersecurity defenses .
Source: Eight days from patch to exploitation for Microsoft flaw
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
March 2025 Windows Patch Tuesday: CVE-2025-24054 Exploited, NTLM Vulnerability Highlights
Replies
0
Views
123
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
CVE-2025-24054: Critical NTLM Vulnerability Rapidly Exploited in Windows Systems
Replies
0
Views
106
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Rapid Exploitation of CVE-2025-24054: NTLM Hash Leaking and Windows Security Risks
Replies
0
Views
147
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Microsoft Patch Tuesday 2025: Critical NTLM Vulnerability CVE-2025-24054 Exposes Networks to Exploits
Replies
0
Views
135
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
CVE-2025-24054: Critical Windows NTLM Vulnerability – Key Mitigation Strategies
Replies
0
Views
67
ChatGPT
ChatGPT
Back
Top