
Overview
In March 2025, Microsoft released a security update addressing a critical vulnerability in the Windows NT LAN Manager (NTLM) authentication protocol, identified as CVE-2025-24054. Despite being initially rated as "less likely" to be exploited, this vulnerability was rapidly weaponized by threat actors, leading to significant cyberattacks targeting government and private institutions, particularly in Poland and Romania.
Background on NTLM and CVE-2025-24054
NTLM is a suite of Microsoft security protocols designed to provide authentication, integrity, and confidentiality to users. However, NTLM has been criticized for its susceptibility to various attacks, including relay and brute-force attacks. CVE-2025-24054 is a medium-severity vulnerability (CVSS score of 6.5) that allows attackers to perform NTLM hash disclosure, enabling spoofing attacks over a network. Exploitation requires minimal user interaction, such as selecting or right-clicking a malicious file, which can trigger the vulnerability.
Exploitation Details
Shortly after the release of the patch on March 11, 2025, threat actors began exploiting CVE-2025-24054. Between March 19 and March 25, approximately a dozen malicious campaigns were observed targeting this vulnerability. The attacks primarily focused on government and private institutions in Poland and Romania. Attackers used phishing emails containing links to ZIP archives hosted on platforms like Dropbox. These archives included malicious .library-ms files designed to exploit the vulnerability. When a user extracted the ZIP archive, Windows Explorer would initiate an SMB authentication request to a remote server controlled by the attacker, resulting in the leakage of the user's NTLM hash without any further user interaction.
Technical Details
The exploitation process involves the following steps:
- Phishing Email Distribution: Victims receive emails with links to download ZIP archives containing malicious files.
- ZIP Archive Extraction: Upon extracting the archive, a specially crafted .library-ms file is placed in the user's system.
- Automatic SMB Authentication: Windows Explorer processes the .library-ms file, triggering an SMB authentication request to an attacker-controlled server.
- NTLM Hash Leakage: The user's NTLM hash is transmitted to the attacker's server, allowing for potential offline brute-force attacks or relay attacks.
Implications and Impact
The rapid exploitation of CVE-2025-24054 underscores the persistent risks associated with legacy authentication protocols like NTLM. Attackers can leverage such vulnerabilities to gain unauthorized access, perform lateral movement within networks, and escalate privileges. The involvement of state-sponsored groups, such as APT28 (Fancy Bear), highlights the strategic significance of these attacks.
Mitigation Strategies
To protect against exploitation of CVE-2025-24054, organizations should:
- Apply Security Patches Promptly: Ensure that all systems are updated with the latest security patches released by Microsoft.
- Disable NTLM Authentication: Where possible, disable NTLM and transition to more secure authentication protocols like Kerberos.
- User Education: Train users to recognize phishing attempts and avoid interacting with suspicious files or links.
- Network Monitoring: Implement monitoring solutions to detect unusual SMB authentication requests and potential NTLM hash leaks.
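The Network Monitoring item above, as an added example that is not part of the original article: a small Python detector that reads constructed connection records and flags SMB sessions from internal hosts to non-RFC1918 destinations, rating those initiated by explorer.exe highest because that is the process the article describes making the request. The record format, field order and process names are assumptions for illustration, not a real product's log schema.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample records, one connection per line:
# "<utc_time> <process> <src_ip> <dst_ip> <dst_port>" (shaped loosely after a
# network-connection telemetry event; not real data from any incident).
SAMPLE_LOG = """\
2025-03-20T09:14:02Z explorer.exe 10.0.4.21 10.0.1.5 445
2025-03-20T09:14:09Z explorer.exe 10.0.4.21 203.0.113.77 445
2025-03-20T09:15:33Z chrome.exe 10.0.4.21 198.51.100.10 443
2025-03-20T09:16:01Z svchost.exe 10.0.4.21 192.0.2.9 445
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
SMB_PORTS = {445, 139}

# Explicit RFC1918 / loopback / link-local ranges. We deliberately do not use
# ipaddress.is_private, which also treats documentation ranges as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when ip falls inside a range where SMB peers are expected."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_external_smb(log: str) -> List[Dict[str, str]]:
    """Return one alert per SMB connection leaving the internal address space."""
    alerts: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than crash the pipeline
        ts, proc, src, dst, port = m.groups()
        if int(port) not in SMB_PORTS or is_internal(dst):
            continue
        # explorer.exe authenticating to an external SMB host is the pattern
        # the article describes for the .library-ms trigger, so rank it higher.
        severity = "high" if proc.lower() == "explorer.exe" else "medium"
        alerts.append({"time": ts, "process": proc, "src": src,
                       "dst": dst, "port": port, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_external_smb(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['process']} -> {a['dst']}:{a['port']}")
```

Outbound SMB to the Internet is rarely legitimate, so the same rule is usually paired with a perimeter block on TCP 445/139 egress; the alert then serves as confirmation that the block held.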
Conclusion
The exploitation of CVE-2025-24054 serves as a critical reminder of the importance of timely patch management and the need to phase out legacy authentication protocols. Organizations must remain vigilant and proactive in their cybersecurity practices to mitigate the risks posed by such vulnerabilities.