On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a medium-severity security vulnerability in Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows reports indicating that the flaw is actively being exploited in real-world scenarios.
The vulnerability, identified as CVE-2025-24054, received a CVSS score of 6.5. It is a spoofing bug that allows disclosure of NTLM hashes; NTLM is a legacy authentication protocol that Microsoft deprecated last year in favor of Kerberos. Microsoft resolved the vulnerability in a Patch Tuesday update last month, yet nefarious actors have since sought to exploit it.
Threat actors have employed various techniques to exploit NTLM, including pass-the-hash and relay attacks, to extract NTLM hashes for further attacks. CISA has highlighted that this vulnerability permits unauthorized access, enabling attackers to perform network spoofing.
In a separate bulletin released in March, Microsoft elaborated that minimal user interaction can trigger this vulnerability through specially crafted .library-ms files. Such interactions could include seemingly benign actions like single-clicking or right-clicking the file, even without the need to open or execute it.
Recognizing the significance of this security issue, Microsoft acknowledged the contributions of Rintaro Koike from NTT Security Holdings, as well as researchers 0x6rss and j00sean, for identifying and reporting the flaw. Despite an initial exploitability assessment suggesting that exploitation was “Less Likely,” active exploitation had been reported beginning March 19, according to cybersecurity firm Check Point.
Recent intelligence indicates that a campaign launched around March 20–21, 2025, targeted government and private institutions in Poland and Romania. Attackers notably relied on malspam techniques to disseminate an archive via Dropbox, exploiting CVE-2025-24054 to harvest sensitive NTLMv2-SSP hashes.
This vulnerability can be seen as a variant of CVE-2024-43451, which was patched in November 2024. Cyber adversaries have previously weaponized that earlier vulnerability in attacks against entities in Ukraine and Colombia, utilizing various techniques from the MITRE ATT&CK framework such as initial access and exploitation of external remote services.
Further developments indicate that as recently as March 25, 2025, phishing campaigns have continued to exploit this vulnerability, evidenced by the delivery of a file named “Info.doc.library-ms” without compression. Since the initial wave of attacks, no fewer than ten campaigns have been recorded, all aiming to retrieve NTLM hashes from targeted victims.
Check Point has underscored that these attacks leverage malicious .library-ms files to collect NTLMv2 hashes, thereby heightening risks related to lateral movement and privilege escalation within compromised networks. Given the ease of exploiting this vulnerability with minimal user intervention, organizations are urged to apply the necessary patches immediately and to mitigate the risks associated with NTLM vulnerabilities.
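As an added example (not code from CISA, Microsoft or Check Point), the Python below triages mail attachments for the two delivery patterns reported above: a .library-ms file packed inside an archive, and one sent uncompressed with a decoy extension such as "Info.doc.library-ms". The function names, recursion limit and size cap are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

RISKY_EXT = ".library-ms"
MAX_DEPTH = 3                  # assumed limit on nested-archive recursion
MAX_MEMBER_BYTES = 20 * 2**20  # assumed cap on the declared size of members we unpack

def classify(name):
    """Return a verdict string for a .library-ms file name, else None."""
    # Windows drops trailing dots and spaces and ignores case in file names.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    if not base.endswith(RISKY_EXT):
        return None
    stem = base[: -len(RISKY_EXT)]
    # Heuristic: a decoy extension before the real one, as in "Info.doc.library-ms".
    return "library-ms with decoy extension" if "." in stem else "library-ms"

def scan_attachment(name, data, depth=0):
    """Return [(path, verdict)] for an attachment and, recursively, zip members."""
    verdict = classify(name)
    if verdict:
        return [(name, verdict)]
    findings = []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            verdict = classify(info.filename)
            if verdict:  # member names are visible even when contents are encrypted
                findings.append((inner, verdict))
            elif info.file_size <= MAX_MEMBER_BYTES:
                try:
                    findings += scan_attachment(inner, zf.read(info), depth + 1)
                except (RuntimeError, zipfile.BadZipFile):
                    findings.append((inner, "unreadable member"))
    return findings

def make_zip(members):  # builds an in-memory zip from {name: bytes} for the sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":
    nested = make_zip({"docs/Report.LIBRARY-MS": b"placeholder"})  # constructed sample
    outer = make_zip({"readme.txt": b"hi", "inner.zip": nested})
    print(scan_attachment("archive.zip", outer))
```

A hit is a triage signal for quarantine or review rather than proof of malice, since libraries are a legitimate Windows feature.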
As a precautionary measure in response to the active exploitation of this flaw, Federal Civilian Executive Branch (FCEB) agencies are mandated to implement necessary security measures by May 8, 2025, to safeguard their networks.
