Microsoft’s Patch Tuesday in March 2025 introduced a significant security update addressing numerous vulnerabilities. However, among these fixes was a vulnerability Microsoft rated as “less likely” to be exploited that rapidly became a severe threat in the wild, catching organizations off guard and emphasizing some critical cybersecurity lessons. The flaw, identified as CVE-2025-24054, resided within the Windows NT LAN Manager (NTLM) authentication protocol—specifically, it allowed the leakage of NTLM hashes, a serious security oversight that attackers swiftly weaponized in targeted campaigns across Europe.
CVE-2025-24054 is a vulnerability that arises due to external control over file names or paths processed by Windows’ handling of SCF (Shell Command File) files. This flaw enables attackers to trigger an outbound SMB (Server Message Block) authentication attempt that leaks the victim's Net-NTLMv2 or NTLMv2-SSP hash over the network. This hash leakage empowers attackers to perform offline brute-force attacks or mount relay attacks, allowing them to impersonate users and gain unauthorized access to network resources.
Microsoft had rated this vulnerability as “less likely” to be exploited, potentially due to the subtlety and specific conditions required for exploitation. Yet, just eight days after the March Patch Tuesday release, attackers began aggressively incorporating the flaw into malware campaigns targeting governmental and private sector entities in Poland and Romania. They used phishing emails containing Dropbox-hosted ZIP archives, which included a specially crafted ".library-ms" file exploiting this vulnerability. Merely unzipping or viewing the infected folder in Windows Explorer would send out the victim’s NTLM hash to a remote attacker server.
Remarkably, Check Point researchers flagged that the exfiltrated NTLM hashes were funneling to an IP address previously associated with the Russia-backed hacking group Fancy Bear (APT28), although no further definitive links were established.
By mid-March, the attack vector evolved: emails started carrying standalone ".library-ms" files, further lowering the bar for user interaction needed to trigger the exploit. According to Microsoft, this could be triggered with minimal interaction, such as selecting or right-clicking the malicious file, making the vulnerability particularly dangerous.
The malware campaign quickly gained scale and geographic spread. By March 25, ten separate campaigns were identified, each aiming to harvest NTLMv2 hashes and exfiltrate them to attacker-controlled SMB servers globally—including servers in Russia, Bulgaria, the Netherlands, Australia, and Turkey. This rapid and widespread exploitation served as a stark reminder of how quickly vulnerabilities, even those deemed less likely to be exploited, can become active threats.
The protocol is vulnerable to various attack types, including relay and brute-force attacks facilitated by hash capture. CVE-2025-24054 exploits how Windows handles SCF files to prompt authentication calls that leak the hashed credentials unwittingly. This weakness reaffirms NTLM’s status as a fragile security component amid modern cybersecurity challenges.
Following the incident, security professionals emphasized the urgent need to migrate away from NTLM or at least harden its deployment. Microsoft’s planned deprecation of NTLMv1 support in Windows Server 2025 and recommended use of Kerberos and extended protection mechanisms reinforce this strategic direction to improve authentication security.
Another fix patched a flaw in Apple's Return Pointer Authentication Code (RPAC), a security mechanism preventing pointer manipulation; the flaw could allow attackers with arbitrary read/write privileges to bypass protections. Apple’s prompt mitigation involved removing vulnerable code segments.
Apple characterized these exploits as parts of “extremely sophisticated” attacks on targeted individuals, reflecting how attackers are harnessing vulnerabilities across platforms in complex, cross-vectored campaigns. For Windows and Apple users alike, this signals the urgent need for diligent, timely patch management across heterogeneous device ecosystems.
Organizations and individual users should take several critical steps to mitigate such threats effectively:
Similarly, zero-day exploits in contemporary, widely used software like iOS demonstrate evolving attacker sophistication and the need for coordinated defense efforts between vendors, researchers, and enterprise IT teams.
Microsoft's and Apple’s responses—including detailed advisories and patch releases—exemplify the critical role of vendor responsiveness. Still, the incident underscores that cybersecurity is a shared responsibility requiring immediacy, vigilance, and investment from all stakeholders.
For Windows users, the incident serves as a wake-up call to prioritize NTLM hardening or migration, apply patches without delay, and adopt comprehensive defensive strategies that incorporate user education and network segmentation.
Collectively, these security episodes emphasize that the threat landscape is dynamic and complex but that decisive, proactive measures can mitigate risks and protect digital environments from exploitation.
Organizations committed to robust security postures will benefit from closely monitoring vulnerability disclosures, maintaining rigorous patch cycles, and fostering security-aware cultures, thereby turning the tide against evolving cyber threats.
References
Source: Eight days from patch to exploitation for Microsoft flaw
The CVE-2025-24054 Vulnerability and Its Rapid Exploitation
CVE-2025-24054 is a vulnerability that arises due to external control over file names or paths processed by Windows’ handling of SCF (Shell Command File) files. This flaw enables attackers to trigger an outbound SMB (Server Message Block) authentication attempt that leaks the victim's Net-NTLMv2 or NTLMv2-SSP hash over the network. This hash leakage empowers attackers to perform offline brute-force attacks or mount relay attacks, allowing them to impersonate users and gain unauthorized access to network resources.Microsoft had rated this vulnerability as “less likely” to be exploited, potentially due to the subtlety and specific conditions required for exploitation. Yet, just eight days after the March Patch Tuesday release, attackers began aggressively incorporating the flaw into malware campaigns targeting governmental and private sector entities in Poland and Romania. They used phishing emails containing Dropbox-hosted ZIP archives, which included a specially crafted ".library-ms" file exploiting this vulnerability. Merely unzipping or viewing the infected folder in Windows Explorer would send out the victim’s NTLM hash to a remote attacker server.
Remarkably, Check Point researchers flagged that the exfiltrated NTLM hashes were funneling to an IP address previously associated with the Russia-backed hacking group Fancy Bear (APT28), although no further definitive links were established.
By mid-March, the attack vector evolved: emails started carrying standalone ".library-ms" files, further lowering the bar for user interaction needed to trigger the exploit. According to Microsoft, this could be triggered with minimal interaction, such as selecting or right-clicking the malicious file, making the vulnerability particularly dangerous.
The malware campaign quickly gained scale and geographic spread. By March 25, ten separate campaigns were identified, each aiming to harvest NTLMv2 hashes and exfiltrate them to attacker-controlled SMB servers globally—including servers in Russia, Bulgaria, the Netherlands, Australia, and Turkey. This rapid and widespread exploitation served as a stark reminder of how quickly vulnerabilities, even those deemed less likely to be exploited, can become active threats.
The Intricacies and Legacy of NTLM
NTLM has been a long-standing authentication protocol in Windows environments, originally designed to facilitate challenge-response authentication using cryptographic hashes of user passwords. Despite Microsoft’s ongoing recommendations to move away from NTLM due to its inherent weaknesses, legacy support and backward compatibility have mandated its continued presence in many enterprise networks.The protocol is vulnerable to various attack types, including relay and brute-force attacks facilitated by hash capture. CVE-2025-24054 exploits how Windows handles SCF files to prompt authentication calls that leak the hashed credentials unwittingly. This weakness reaffirms NTLM’s status as a fragile security component amid modern cybersecurity challenges.
Following the incident, security professionals emphasized the urgent need to migrate away from NTLM or at least harden its deployment. Microsoft’s planned deprecation of NTLMv1 support in Windows Server 2025 and recommended use of Kerberos and extended protection mechanisms reinforce this strategic direction to improve authentication security.
The Apple Zero-Day Patch: Parallel Sophistication in Threat Landscape
In the same broader timeframe, Apple also addressed critical zero-day vulnerabilities in its iOS and iPadOS 18.4.1 updates, underscoring a global trend of increasingly sophisticated targeted attacks. One vulnerability caused memory corruption in CoreAudio, potentially allowing arbitrary code execution via malicious media files. This bug was jointly reported by Apple and Google's Threat Analysis Group.Another fix patched a flaw in Apple's Return Pointer Authentication Code (RPAC), a security mechanism preventing pointer manipulation; the flaw could allow attackers with arbitrary read/write privileges to bypass protections. Apple’s prompt mitigation involved removing vulnerable code segments.
Apple characterized these exploits as parts of “extremely sophisticated” attacks on targeted individuals, reflecting how attackers are harnessing vulnerabilities across platforms in complex, cross-vectored campaigns. For Windows and Apple users alike, this signals the urgent need for diligent, timely patch management across heterogeneous device ecosystems.
Lessons and Best Practices for Organizations
This convergence of sophisticated attacks exploiting both Windows and Apple vulnerabilities sheds light on modern threat actor strategies: they combine social engineering (e.g., phishing), novel exploitation of subtle OS file handling and authentication flaws, and global coordination of malware campaigns.Organizations and individual users should take several critical steps to mitigate such threats effectively:
- Immediate Patch Deployment: The rapid exploitation of CVE-2025-24054 highlights the necessity of promptly applying patches, even for vulnerabilities perceived as low-risk. Delay directly translates into exposure.
- Mitigate NTLM Usage: Where feasible, transition away from NTLM authentication. Use stronger protocols like Kerberos and deploy Extended Protection for Authentication (EPA) and LDAP channel binding to reduce risks of relay attacks.
- User Awareness and Phishing Defense: Since attackers leveraged phishing emails with malicious attachments, investing in user training on identifying and avoiding phishing attempts remains paramount.
- Network Segmentation and Monitoring: Restrict SMB and related authentication traffic where possible and monitor network traffic for unusual authentication attempts or exfiltration patterns.
- Cross-Platform Vigilance: Recognize that modern cyber threats cross device and OS boundaries. Patch management strategies must encompass the full range of platforms utilized within organizations.
- Apply Defense in Depth: Combine endpoint detection and response (EDR) with intrusion detection systems and regular vulnerability scanning to build layered defenses against evolving techniques.
The Broader Security Context
This incident also spotlights a recurring theme in cybersecurity: legacy protocols and systems embedded deeply in infrastructure become Achilles’ heels if not proactively addressed. NTLM's persistence has enabled a significant attack surface despite decades of known protocol shortcomings.Similarly, zero-day exploits in contemporary, widely used software like iOS demonstrate evolving attacker sophistication and the need for coordinated defense efforts between vendors, researchers, and enterprise IT teams.
Microsoft's and Apple’s responses—including detailed advisories and patch releases—exemplify the critical role of vendor responsiveness. Still, the incident underscores that cybersecurity is a shared responsibility requiring immediacy, vigilance, and investment from all stakeholders.
Conclusion
The rapid exploitation of the Windows NTLM hash-leaking vulnerability CVE-2025-24054 within days of Microsoft’s March 2025 Patch Tuesday reveals enduring challenges in securing legacy authentication protocols and patch deployment practices. At the same time, Apple’s parallel zero-day patches illustrate a multi-front battle against sophisticated adversaries targeting a variety of platforms.For Windows users, the incident serves as a wake-up call to prioritize NTLM hardening or migration, apply patches without delay, and adopt comprehensive defensive strategies that incorporate user education and network segmentation.
Collectively, these security episodes emphasize that the threat landscape is dynamic and complex but that decisive, proactive measures can mitigate risks and protect digital environments from exploitation.
Organizations committed to robust security postures will benefit from closely monitoring vulnerability disclosures, maintaining rigorous patch cycles, and fostering security-aware cultures, thereby turning the tide against evolving cyber threats.
References
- Details on CVE-2025-24054 NTLM hash-leaking vulnerability and exploitation campaigns are discussed in user-uploaded forum data and summarized at The Register’s April 21, 2025 article , .
- Analysis of Windows and Apple patches providing fixes for zero-day vulnerabilities in March-April 2025 are available in the user-uploaded data .
Source: Eight days from patch to exploitation for Microsoft flaw
