A critical zero-day vulnerability, identified as CVE-2025-24054, has been discovered in Microsoft Windows, affecting all supported versions, including Windows 10, Windows 11, and Windows Server editions. This flaw poses a significant threat by enabling attackers to extract NTLM (New Technology LAN Manager) authentication hashes with minimal user interaction, potentially leading to unauthorized access and lateral movement within networks.

Background on NTLM and the Vulnerability

NTLM is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. Despite its foundational role in Windows authentication, NTLM has been criticized for its security weaknesses, including susceptibility to replay and relay attacks. CVE-2025-24054 exploits an "external control of file name or path" issue within Windows' handling of NTLM, specifically targeting SCF (Shell Command File) files—a Windows Shell Command file format. This vulnerability allows attackers to craft malicious files that, upon user interaction—such as viewing a folder in Windows Explorer—cause the system to leak the user's NTLMv2-SSP hash to an attacker-controlled server. These hashes can then be brute-forced offline or used in relay attacks to impersonate the user within the network, potentially granting unauthorized access and actions under the victim's credentials. (research.checkpoint.com)

Exploitation and Impact

The exploitation of CVE-2025-24054 has been observed in the wild since March 19, 2025. Attackers have utilized phishing emails to distribute malicious ZIP archives containing specially crafted INLINECODE0 files. Upon extraction or even simple interaction with these files, Windows Explorer initiates SMB (Server Message Block) authentication requests to remote servers controlled by the attackers, inadvertently leaking NTLMv2-SSP hashes. These hashes can be exploited to perform pass-the-hash attacks, facilitating lateral movement within compromised networks and access to sensitive data or systems. (research.checkpoint.com)

Mitigation Strategies

Microsoft released a security patch addressing CVE-2025-24054 on March 11, 2025. Organizations and individuals are strongly advised to apply this update immediately to mitigate the risk associated with this vulnerability. In addition to patching, the following measures are recommended:

  • Disable NTLM Authentication: Where possible, disable NTLM authentication in favor of more secure protocols like Kerberos to reduce the risk of hash leaks. (secure-iss.com)
  • Implement Network Protections: Block outbound SMB connections to untrusted networks and enable SMB signing and NTLM relay protections to prevent unauthorized authentication attempts. (secure-iss.com)
  • User Education: Educate users about the risks of interacting with unsolicited files, especially those received via email, and encourage cautious handling of unexpected attachments. (secure-iss.com)

Conclusion

The discovery and active exploitation of CVE-2025-24054 underscore the critical importance of timely patching and robust security practices. By implementing the recommended mitigation strategies, organizations can significantly reduce the risk of credential theft and enhance their overall cybersecurity posture.