Overview

In March 2025, Microsoft released a security update addressing a critical vulnerability in the Windows NT LAN Manager (NTLM) authentication protocol, identified as CVE-2025-24054. Despite being initially rated as "less likely" to be exploited, this vulnerability was actively targeted by threat actors within days of the patch release, leading to significant security concerns for organizations worldwide.

Understanding CVE-2025-24054

CVE-2025-24054 is a vulnerability that allows attackers to leak NTLM hashes through minimal user interaction. Specifically, the flaw can be exploited using a maliciously crafted INLINECODE0 file. When a user interacts with such a file—by selecting, right-clicking, or even just navigating to the folder containing it—Windows Explorer initiates an SMB (Server Message Block) authentication request to a remote server controlled by the attacker. This process inadvertently discloses the user's NTLMv2-SSP hash, which can then be used for unauthorized access or further attacks.

Technical Details

The exploitation process involves the following steps:

  1. Crafting the Malicious File: Attackers create a INLINECODE1 file with a path pointing to a malicious SMB server.
  2. Delivery to Victim: The malicious file is delivered to the target, often through phishing emails containing a ZIP archive.
  3. User Interaction: Minimal interaction, such as extracting the ZIP file or viewing its contents in Windows Explorer, triggers the vulnerability.
  4. Hash Leakage: Windows attempts to authenticate with the remote SMB server, sending the NTLMv2-SSP hash to the attacker's server.
  5. Exploitation: The attacker captures the hash, which can be brute-forced offline or used in relay attacks to impersonate the user.

Implications and Impact

The rapid exploitation of CVE-2025-24054 underscores the critical nature of timely patching and the risks associated with legacy authentication protocols like NTLM. Organizations that have not applied the March 2025 security update are at heightened risk of credential theft, unauthorized access, and potential system compromise.

Recommendations

To mitigate the risks associated with CVE-2025-24054, organizations should:

  • Apply Security Updates Promptly: Ensure that all systems are updated with the latest patches released by Microsoft.
  • Limit NTLM Usage: Where possible, transition to more secure authentication protocols such as Kerberos.
  • Educate Users: Train employees to recognize phishing attempts and avoid interacting with suspicious files.
  • Monitor Network Traffic: Implement monitoring solutions to detect unusual SMB authentication requests and potential hash leakage.

Conclusion

The exploitation of CVE-2025-24054 highlights the evolving tactics of threat actors and the importance of proactive cybersecurity measures. Organizations must remain vigilant, apply security updates without delay, and continuously assess their security posture to defend against emerging threats.