Overview

On March 11, 2025, Microsoft released its Patch Tuesday updates, addressing multiple vulnerabilities across its software suite. Among these, CVE-2025-24054—a Windows NTLM hash disclosure vulnerability—has garnered significant attention due to its rapid exploitation in the wild. This flaw allows attackers to capture NTLMv2 hashes with minimal user interaction, posing a substantial risk to Windows systems.

Background on NTLM and CVE-2025-24054

Understanding NTLM

NTLM (NT LAN Manager) is an authentication protocol used in Windows environments to facilitate challenge-response authentication. Despite its longstanding presence, NTLM has been criticized for security weaknesses, particularly its susceptibility to relay attacks and hash interception. Microsoft has been advocating for the transition to more secure protocols like Kerberos; however, NTLM remains prevalent in many systems due to legacy support requirements.

Details of CVE-2025-24054

CVE-2025-24054 is a vulnerability that enables attackers to leak NTLMv2 hashes through specially crafted INLINECODE0 files. When a user interacts with such a file—by extracting a ZIP archive containing it, right-clicking, or merely navigating to its folder—Windows Explorer initiates an SMB (Server Message Block) authentication request to a remote server controlled by the attacker. This process inadvertently exposes the user's NTLMv2 hash, which can be exploited for unauthorized access.

Exploitation Timeline and Attack Campaigns

Initial Exploitation

Despite Microsoft's release of a patch on March 11, 2025, threat actors began exploiting CVE-2025-24054 as early as March 19, 2025. Check Point Research observed multiple campaigns leveraging this vulnerability, with attackers targeting government and private institutions in Poland and Romania. These campaigns utilized phishing emails containing Dropbox links to archives that, when extracted, triggered the vulnerability, leading to NTLMv2 hash leakage.

Evolution of Attack Methods

Initially, the exploit was activated upon extracting the malicious INLINECODE1 file from a ZIP archive. However, subsequent campaigns demonstrated that even minimal user interactions—such as right-clicking or navigating to the folder containing the file—could trigger the exploit. This low interaction threshold significantly increases the risk of inadvertent activation by users.

Technical Analysis

Mechanism of Exploitation

The vulnerability exploits Windows Explorer's handling of INLINECODE2 files. When such a file is processed, it can initiate an SMB authentication request to a specified remote server. An attacker crafts the INLINECODE3 file to point to an SMB server under their control. Upon interaction, the victim's system sends an authentication request, including the NTLMv2 hash, to the attacker's server.

Potential Impact

Once an attacker obtains the NTLMv2 hash, they can:

  • Perform Offline Brute-Force Attacks: Attempt to crack the hash to retrieve the plaintext password.
  • Conduct Relay Attacks: Use the hash to authenticate to other services, impersonating the victim without needing the actual password.

The severity of these attacks escalates if the compromised account has elevated privileges, potentially leading to full domain compromise.

Implications and Recommendations

Organizational Impact

The rapid exploitation of CVE-2025-24054 underscores the critical need for prompt patch management. Organizations relying on NTLM for authentication are particularly vulnerable, especially if they have not applied the latest security updates.

Mitigation Strategies

To protect against this vulnerability, organizations should:

  1. Apply Security Patches Promptly: Ensure that all systems are updated with the latest patches released by Microsoft.
  2. Disable NTLM Where Possible: Transition to more secure authentication protocols like Kerberos to reduce reliance on NTLM.
  3. Implement Network Segmentation: Limit the exposure of critical systems by segmenting networks and restricting SMB traffic where feasible.
  4. Enhance User Awareness: Educate users about the risks of interacting with unknown files and the importance of reporting suspicious emails.

Conclusion

CVE-2025-24054 represents a significant threat due to its ease of exploitation and the potential for widespread impact. The swift action by attackers following the patch release highlights the importance of proactive security measures and the need for organizations to stay vigilant against emerging threats.

Reference Links

Tags

  • active threat campaigns
  • authentication flaws
  • cve-2025-24054
  • cyber attack campaigns
  • cybersecurity
  • hash leaking attack
  • legacy authentication protocols
  • microsoft patch tuesday
  • network security
  • ntlm vulnerability
  • pass-the-hash
  • patch management
  • security best practices
  • security mitigation strategies
  • security patches
  • smb protocol risks
  • targeted cyberattacks
  • vulnerability exploitation
  • windows security
  • zero-day vulnerabilities