The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a moderately radical security flaw affecting Microsoft windows to its known exploited vulnerabilities (KEV) catalogue, following reports of aggressive wild exploitation.
The vulnerability assigned the CVE Identifier CVE-2025-24054 (CVSS score: 6.5) is a Windows New Technology LAN Manager (NTLM) Hash disclosure spoofing bug that Microsoft patched last month as part of patch Tuesday’s update.
NTLM is a legacy authentication protocol officially discontinued last year in favor of Kerberos. In recent years, threat actors have found various ways to extract NTLM hash for subsequent attacks, using technologies such as Pass the Hash and Relay attacks.
“Microsoft Windows NTLM contains external controls for filename or path vulnerabilities that allow rogue attackers to spoof on the network,” CISA said.
In a bulletin released in March, Microsoft said that minimal interaction with specially created .Library-MS files could trigger the vulnerability, such as “selection (single click) (right click), performing actions other than opening or running a file.”
Tech Giant also praised NTT Security Holdings, 0x6RSS, and J00Sean for discovering and reporting the defect to Rintaro Koike.
Microsoft gave CVE-2025-24054 a “Low Possibility of Exploitation” rating, but security flaws have been under aggressive exploitation since March 19th on a checkpoint basis, allowing bad actors to leak NTLM hash or user passwords and infiltration systems.
“Around March 20-21, 2025, we will target campaigns targeting governments and private institutions in Poland and Romania,” the cybersecurity company said. “The attacker used Malspam to distribute a dropbox link containing an archive that exploits multiple known vulnerabilities, including CVE-2025-24054, to harvest the NTLMV2-SSP hash.”
The flaw is rated as a variant of CVE-2024-43451 (CVSS score: 6.5), patched by Microsoft in November 2024, and is armed in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.
According to Check Point, the files are distributed by ZIP archives, and Windows Explorer initiates an SMB authentication request to a remote server, leaking the user’s NTLM hashtag without user interaction when downloading and extracting the archive’s content.
That being said, another phishing campaign recently observed on March 25, 2025, found that it was delivering a file named “info.doc.library-ms” without compression. Since the first wave of attacks, over 10 campaigns have been observed with the ultimate goal of obtaining NTLM hashts from target victims.
“These attacks leverage malicious .library-MS files to collect NTLMV2 hashs and escalate the risk of lateral movement and privilege escalation within the compromised network,” Checkpoint said.
“This rapid exploitation highlights the critical needs of organizations to quickly apply patches and ensure that NTLM vulnerabilities are addressed in the environment. By allowing exploits to trigger and allowing attackers to access the NTLM hash, it becomes a critical threat, especially if such hashs can be used in hash attacks.”
The Federal Private Enforcement Sector (FCEB) agency must apply necessary corrections to the shortcomings by May 8, 2025 to ensure networks in light of active exploitation.
Source link
