
Introduction
A newly identified security vulnerability, CVE-2025-24054, has emerged as a significant threat to Windows systems, particularly concerning the NT LAN Manager (NTLM) authentication protocol. This flaw enables attackers to capture NTLM hashes with minimal user interaction, thereby facilitating unauthorized access and potential system compromise.
Background on NTLM Authentication
NTLM is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. Despite its widespread use, NTLM has been criticized for vulnerabilities that can be exploited through techniques such as pass-the-hash attacks, where attackers use captured hash values to authenticate without knowing the actual passwords.
Technical Details of CVE-2025-24054
CVE-2025-24054 is a spoofing vulnerability that allows attackers to leak NTLMv2-SSP hashes via specially crafted INLINECODE0 files. When a user interacts with such a file—by actions as simple as selecting or right-clicking—Windows Explorer initiates an SMB authentication request to a remote server controlled by the attacker. This process inadvertently discloses the user's NTLM hash, which can then be exploited for unauthorized access.
Exploitation in the Wild
Active exploitation of CVE-2025-24054 has been observed since March 19, 2025. Notably, phishing campaigns targeting government and private institutions in Poland and Romania have utilized this vulnerability. Attackers distributed malicious INLINECODE1 files via email, leading to the leakage of NTLM hashes upon minimal user interaction. These hashes were then collected on attacker-controlled SMB servers located in various countries, including Russia and Bulgaria.
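The network footprint of this attack on the victim side is an outbound SMB (TCP/445) connection from a workstation to an address outside the organization's own ranges, whatever file type triggered it. The following PowerShell is an added example, not code from the original article: it parses Windows Firewall log lines (the default pfirewall.log field order is assumed; the sample lines are constructed) and reports outbound SMB attempts to non-private IPv4 destinations, including dropped ones, since a blocked attempt still shows that a user opened a file that tried to reach an external server.

```powershell
# Added example (not from the original article): flag outbound TCP/445 connections
# to non-private addresses in Windows Firewall log lines. Field order assumed from
# the default pfirewall.log header; the log lines below are constructed samples.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-20 09:14:02 ALLOW TCP 10.0.5.21 10.0.1.10 51012 445 0 - 0 0 0 - - - SEND
2025-03-20 09:15:47 ALLOW TCP 10.0.5.21 203.0.113.45 51044 445 0 - 0 0 0 - - - SEND
2025-03-20 09:16:10 ALLOW TCP 10.0.5.21 198.51.100.8 51050 443 0 - 0 0 0 - - - SEND
2025-03-20 09:17:33 DROP TCP 10.0.5.22 192.0.2.77 51071 445 0 - 0 0 0 - - - SEND
'@

function Test-PrivateIPv4 {
    # True for RFC 1918, loopback and link-local IPv4 addresses.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

function Find-ExternalSmbConnections {
    # Emits one object per outbound SMB attempt (allowed or dropped) whose
    # destination is not a private IPv4 address. IPv6 destinations are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dstPort = $f[7]; $path = $f[-1]
        if ($proto -ne 'TCP' -or $dstPort -ne '445' -or $path -ne 'SEND') { continue }
        $ip = $dst -as [System.Net.IPAddress]
        if ($null -eq $ip -or $ip.AddressFamily -ne 'InterNetwork') { continue }
        if (Test-PrivateIPv4 -Address $dst) { continue }
        [pscustomobject]@{
            Time        = "$($f[0]) $($f[1])"
            Action      = $f[2]
            Source      = $src
            Destination = $dst
            Finding     = 'Outbound SMB to non-private address: possible NTLM credential leak'
        }
    }
}

# With the constructed sample, this reports the 203.0.113.45 (ALLOW) and
# 192.0.2.77 (DROP) rows; the internal file server and the HTTPS row are ignored.
Find-ExternalSmbConnections -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against a real pfirewall.log, replace the here-string with Get-Content on the log path and consider adding the organization's public address ranges to the allow-list; the parser deliberately keeps the DROP row because the attempt itself is the indicator that a crafted file was opened.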
Implications and Impact
The exploitation of this vulnerability poses severe risks, including:
- Credential Theft: Attackers can capture NTLM hashes, potentially leading to unauthorized access to sensitive information.
- Lateral Movement: With obtained credentials, attackers can move laterally within a network, compromising additional systems.
- Privilege Escalation: If the compromised account has elevated privileges, attackers can escalate their access, leading to further system compromise.
Mitigation Strategies
To protect against CVE-2025-24054, organizations should implement the following measures:
- Apply Security Patches: Ensure that all Windows systems are updated with the latest security patches released by Microsoft on March 11, 2025.
- Disable NTLM Authentication: Where possible, disable NTLM authentication to reduce the risk of hash leaks.
- Implement Network Protections: Block outbound SMB connections to untrusted networks and enable SMB signing and NTLM relay protections.
- User Education: Educate users about the risks of interacting with unsolicited files, especially those received via email.
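The three host-level measures above (restrict outbound NTLM, require SMB signing, block outbound SMB to untrusted networks) can be audited and applied with PowerShell. The script below is an added example, not code from the original article or from Microsoft: the registry value and cmdlets are the standard Windows ones, while the firewall rule name and the choice to express "untrusted" as "outside RFC 1918 and loopback space" are assumptions made for this example. It must run in an elevated session, and the NTLM restriction should be trialled in audit mode (value 1) before denying (value 2), because legacy services that still depend on NTLM will break.

```powershell
# Added example (not from the original article): audit, and with -Enforce apply,
# the host-level mitigations listed above. Run elevated. Rule name and the
# "non-private" address ranges are assumptions chosen for this example.

$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RuleName = 'Block outbound SMB to non-private networks'   # assumed name

# Everything in IPv4 except 10/8, 127/8, 172.16/12 and 192.168/16.
$NonPrivateRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Get-NtlmHardeningState {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    # (policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers")
    $restrict = (Get-ItemProperty -Path $LsaPath -Name RestrictSendingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $smb  = Get-SmbClientConfiguration
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = if ($null -eq $restrict) { 0 } else { $restrict }
        SmbClientSigningRequired   = $smb.RequireSecuritySignature
        OutboundSmbBlockRulePresent = [bool]$rule
    }
}

function Set-NtlmHardening {
    param(
        [switch]$Enforce,
        [ValidateSet(1, 2)][int]$NtlmOutgoingMode = 2   # 1 = audit first, 2 = deny
    )
    if (-not $Enforce) { return Get-NtlmHardeningState }

    # 1. Stop (or audit) NTLM sent to remote servers; audit events land in
    #    Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
    New-ItemProperty -Path $LsaPath -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $NtlmOutgoingMode -Force | Out-Null

    # 2. Require SMB signing on the client so a relayed session cannot be used.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    # 3. Block outbound SMB (TCP/445) to addresses outside private space.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress $NonPrivateRanges -Action Block -Profile Any | Out-Null
    }
    return Get-NtlmHardeningState
}

# Audit only:
Get-NtlmHardeningState
# Apply, starting in audit mode for NTLM:
# Set-NtlmHardening -Enforce -NtlmOutgoingMode 1
```

The firewall rule does not cover IPv6 or WebDAV fallback (TCP/80 and 443 via the WebClient service), so it complements rather than replaces the patch; the NTLM audit log should be reviewed for legitimate NTLM use before switching the value from 1 to 2.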
Conclusion
CVE-2025-24054 underscores the persistent risks associated with legacy authentication protocols like NTLM. Organizations must prioritize the application of security patches and consider transitioning to more secure authentication methods to mitigate such vulnerabilities.