Introduction

In March 2025, Microsoft released a security update addressing CVE-2025-24054, a vulnerability in Windows NTLM authentication initially deemed "less likely" to be exploited. However, within days, this flaw became the focal point of widespread cyberattacks, underscoring the unpredictable nature of cybersecurity threats.

Understanding CVE-2025-24054

CVE-2025-24054 is a vulnerability that allows attackers to leak NTLM hashes through spoofing. Exploitation requires minimal user interaction—actions as simple as right-clicking or navigating to a folder containing a malicious INLINECODE0 file can trigger the flaw. Once exploited, attackers can capture NTLMv2-SSP hashes, potentially leading to unauthorized access and privilege escalation.

The Exploitation Timeline

  • March 11, 2025: Microsoft releases a patch for CVE-2025-24054.
  • March 19, 2025: Active exploitation begins, with attackers targeting government and private institutions in Poland and Romania.
  • March 20–21, 2025: Phishing campaigns distribute malicious INLINECODE1 files via Dropbox links, exploiting the vulnerability to harvest NTLM hashes.
  • March 25, 2025: Approximately ten additional campaigns are observed, indicating rapid proliferation of the exploit.

Technical Details

The exploitation involves:

  1. Phishing Emails: Victims receive emails containing links to ZIP archives hosted on platforms like Dropbox.
  2. Malicious Files: The archives contain INLINECODE2 files crafted to exploit CVE-2025-24054.
  3. Minimal Interaction: Simply extracting or previewing the archive triggers an SMB authentication request to an attacker-controlled server, leaking the user's NTLM hash.

Captured NTLM hashes can be brute-forced offline or used in relay attacks, allowing attackers to impersonate users and gain unauthorized access to network resources.

Implications and Impact

The rapid exploitation of CVE-2025-24054 highlights several critical issues:

  • Underestimation of Risk: Initially classified as low-risk, the vulnerability's swift exploitation demonstrates the need for reassessing risk evaluations.
  • Legacy Protocol Vulnerabilities: NTLM's continued use, despite known weaknesses, poses significant security risks.
  • Global Reach: The attacks targeted entities across multiple countries, indicating a coordinated and widespread threat.

Mitigation Strategies

To protect against such vulnerabilities, organizations should:

  • Apply Patches Promptly: Ensure all systems are updated with the latest security patches.
  • Disable NTLM: Where possible, disable NTLM authentication in favor of more secure protocols like Kerberos.
  • User Education: Train users to recognize phishing attempts and avoid interacting with suspicious files.
  • Network Protections: Implement SMB signing and NTLM relay protections to prevent unauthorized authentication.

Conclusion

The case of CVE-2025-24054 serves as a stark reminder of how quickly a seemingly low-risk vulnerability can escalate into a global cyber threat. It underscores the importance of proactive security measures, timely patching, and continuous vigilance in the ever-evolving landscape of cybersecurity.