Overview

In March 2025, Microsoft addressed a critical security vulnerability, CVE-2025-24054, within its Windows operating system. This flaw, involving the NT LAN Manager (NTLM) authentication protocol, allows attackers to capture NTLM hashes through minimal user interaction, posing significant security risks. Despite the release of a patch on March 11, 2025, threat actors began exploiting this vulnerability within days, underscoring the necessity for prompt patch application and robust security practices.

Background on NTLM and CVE-2025-24054

NTLM is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. However, NTLM has been criticized for vulnerabilities that can be exploited through techniques like pass-the-hash and relay attacks. CVE-2025-24054 specifically pertains to a flaw where Windows Explorer's handling of INLINECODE0 files can be manipulated to leak NTLMv2 hashes. An attacker can craft a malicious INLINECODE1 file that, when interacted with—even through actions as simple as right-clicking or previewing—triggers an SMB authentication request to a remote server controlled by the attacker, thereby exposing the user's NTLM hash. (research.checkpoint.com)

Exploitation Timeline and Attack Campaigns

Shortly after Microsoft's patch release, security researchers observed active exploitation of CVE-2025-24054. By March 19, 2025, attackers initiated campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized phishing emails containing links to Dropbox-hosted ZIP archives. Upon extraction, these archives revealed malicious INLINECODE2 files designed to exploit the vulnerability, leading to the leakage of NTLMv2 hashes. Notably, some of the malicious servers used in these attacks were traced back to infrastructure previously associated with the Russian state-sponsored group APT28, also known as Fancy Bear. (bleepingcomputer.com)

Technical Details of the Vulnerability

The exploitation of CVE-2025-24054 involves the following steps:

  1. Crafting the Malicious File: An attacker creates a INLINECODE3 file containing a reference to a remote SMB server under their control.
  2. Delivery to the Victim: The malicious file is delivered to the target via phishing emails or other social engineering tactics.
  3. User Interaction: Minimal interaction, such as selecting or right-clicking the file, triggers Windows Explorer to initiate an SMB authentication request.
  4. NTLM Hash Capture: The authentication request sends the user's NTLMv2 hash to the attacker's server, enabling potential offline brute-force attacks or relay attacks for unauthorized access.

This method of exploitation is particularly concerning due to the minimal user interaction required, making it easier for attackers to execute successful campaigns. (research.checkpoint.com)

Implications and Impact

The rapid exploitation of CVE-2025-24054 highlights several critical issues:

  • Speed of Exploitation: The short window between patch release and active exploitation demonstrates how quickly threat actors can weaponize vulnerabilities.
  • Legacy Protocol Vulnerabilities: The continued use of NTLM, despite its known weaknesses, underscores the risks associated with legacy authentication protocols.
  • Minimal User Interaction: The ease with which this vulnerability can be exploited emphasizes the need for user education and awareness regarding phishing and social engineering tactics.

Organizations failing to promptly apply patches and mitigate such vulnerabilities risk significant security breaches, including unauthorized access, data exfiltration, and potential full domain compromise. (securityweek.com)

Mitigation Strategies

To protect against CVE-2025-24054 and similar vulnerabilities, organizations should implement the following measures:

  1. Apply Security Patches Promptly: Ensure that all systems are updated with the latest security patches released by Microsoft.
  2. Disable NTLM Where Possible: Transition to more secure authentication protocols like Kerberos to reduce reliance on NTLM.
  3. Restrict SMB Traffic: Implement firewall rules to block outbound SMB traffic to untrusted networks, preventing NTLM hash leakage.
  4. User Education: Train employees to recognize and avoid phishing attempts and suspicious file interactions.
  5. Monitor Network Activity: Deploy intrusion detection systems to identify and respond to unusual authentication requests or SMB traffic patterns.

By adopting these strategies, organizations can enhance their security posture and mitigate the risks associated with NTLM vulnerabilities. (1898advisories.burnsmcd.com)

Conclusion

The exploitation of CVE-2025-24054 serves as a stark reminder of the importance of timely patch management and the dangers posed by legacy authentication protocols. Organizations must remain vigilant, ensuring that security updates are applied promptly and that users are educated about potential threats. Transitioning away from vulnerable protocols like NTLM and implementing comprehensive security measures are essential steps in safeguarding against evolving cyber threats.