Overview of March 2025 Patch Tuesday

In March 2025, Microsoft released its regular Patch Tuesday updates, addressing a multitude of security vulnerabilities across its software suite. Among these, CVE-2025-24054—a medium-severity flaw affecting the Windows NT LAN Manager (NTLM) authentication protocol—stood out due to its rapid exploitation in the wild. Despite being initially rated as "less likely" to be exploited, this vulnerability quickly became a focal point for cyber attackers.

Understanding CVE-2025-24054

CVE-2025-24054 is a vulnerability that allows attackers to disclose NTLM hashes through spoofing. Specifically, it can be exploited using a maliciously crafted INLINECODE0 file. When a user interacts with such a file—by selecting, right-clicking, or even just navigating to the folder containing it—Windows Explorer may initiate an SMB (Server Message Block) authentication request to a remote server controlled by the attacker. This process inadvertently leaks the user's NTLMv2-SSP hash, which can then be used for brute-force attacks or NTLM relay attacks, potentially leading to unauthorized access and privilege escalation within a network.

Rapid Exploitation in the Wild

Shortly after Microsoft released patches for CVE-2025-24054 on March 11, 2025, threat actors began exploiting the vulnerability. By March 19, active exploitation was observed, with attackers targeting government and private institutions in Poland and Romania. These campaigns often involved phishing emails containing links to Dropbox-hosted archives. When extracted, these archives contained malicious INLINECODE1 files designed to exploit the vulnerability, leading to the leakage of NTLM hashes.

Technical Details and Attack Mechanism

The exploitation of CVE-2025-24054 typically follows these steps:

  1. Delivery: The attacker sends a phishing email with a link to a malicious archive hosted on a legitimate platform like Dropbox.
  2. Extraction: The victim downloads and extracts the archive, which contains a INLINECODE2 file.
  3. Triggering the Vulnerability: Simply viewing the folder or interacting with the file prompts Windows Explorer to initiate an SMB authentication request to the attacker's server.
  4. Hash Leakage: The NTLMv2-SSP hash is sent to the attacker's server, where it can be captured for further exploitation.

This method requires minimal user interaction, making it particularly effective. The attack does not necessitate the opening or execution of a file; mere interaction with the file or folder is sufficient to trigger the vulnerability.

Implications and Impact

The rapid exploitation of CVE-2025-24054 underscores several critical points:

  • Legacy Protocol Vulnerabilities: NTLM, despite being an older authentication protocol, remains in use for backward compatibility. Its inherent weaknesses make it a prime target for attackers.
  • Minimal User Interaction: The attack's success with minimal user actions highlights the need for heightened user awareness and caution when handling files from untrusted sources.
  • Patch Management: The swift exploitation post-patch release emphasizes the importance of timely patch application. Organizations delaying updates may find themselves vulnerable to rapidly evolving threats.

Mitigation Strategies

To protect against exploits like CVE-2025-24054, organizations should consider the following measures:

  • Apply Patches Promptly: Ensure that all systems are updated with the latest security patches from Microsoft.
  • Limit NTLM Usage: Where possible, disable NTLM authentication in favor of more secure protocols like Kerberos.
  • User Education: Train users to recognize phishing attempts and exercise caution with unsolicited emails and attachments.
  • Network Monitoring: Implement monitoring solutions to detect unusual SMB authentication requests and potential hash leakage.
  • Restrict Outbound SMB Traffic: Configure firewalls to block outbound SMB traffic to prevent NTLM hashes from being sent to external servers.

Conclusion

The exploitation of CVE-2025-24054 serves as a stark reminder of the persistent risks associated with legacy authentication protocols and the necessity for proactive security measures. Organizations must remain vigilant, ensuring timely patching, reducing reliance on outdated protocols, and fostering a culture of security awareness to mitigate such threats effectively.