Windows NTLM Credentials Under Siege: New Exploit Targets File Downloads
A newly discovered vulnerability in Microsoft Windows is actively being exploited to steal NTLM credentials, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its list of actively exploited flaws. The medium-severity bug, designated CVE-2025-24054, allows attackers to pilfer user credentials when victims download files.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is raising the alarm about a Windows security flaw. On Thursday, the agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which means it is being actively exploited in the wild.
So what's the deal? The flaw, tracked as CVE-2025-24054 (rated as medium severity), is a spoofing bug related to Windows New Technology LAN Manager (NTLM). Microsoft patched it last month as part of their usual Patch Tuesday updates.
NTLM is an older authentication protocol – think of it as a bit of a legacy system. Microsoft actually wants to move away from it, preferring Kerberos. The problem is, hackers have found ways to abuse NTLM for years, using techniques like pass-the-hash attacks to steal NTLM hashes and cause further damage.
"Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network," CISA warned.
Microsoft explained that this vulnerability can be triggered by simply interacting with a specially crafted .library-ms file. We're talking about actions as simple as "selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file."
Kudos to Rintaro Koike from NTT Security Holdings, 0x6rss, and j00sean for finding and reporting the problem!
Even though Microsoft initially rated exploitation as "Less Likely," Check Point has observed active exploitation since March 19. The flaw lets attackers capture NTLM hashes (or even user passwords!) and use them to break into systems.
"Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania," said Check Point. The attackers used malicious emails with a Dropbox link, which contained an archive exploiting several known vulnerabilities, including CVE-2025-24054, to steal NTLMv2-SSP hashes.
This flaw is considered a variant of CVE-2024-43451, which Microsoft fixed back in November 2024. That one was also used in attacks against Ukraine and Colombia by groups like UAC-0194 and Blind Eagle.
Check Point notes that the malicious file is often distributed in ZIP archives. Just downloading and extracting the archive can cause Windows Explorer to send an SMB authentication request to a remote server, leaking the user's NTLM hash without any further user interaction.
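A defender-side check for the network symptom described above, added here as an example that is not part of the original article or of Check Point's research: it flags outbound SMB (TCP 445) connections from Windows Explorer to hosts outside an assumed list of internal networks. The log lines are constructed, a simplified key=value rendering of Sysmon Event ID 3 (network connection) fields rather than real Sysmon output, and the process list and internal ranges are assumptions to adapt per environment.

```python
import ipaddress
from dataclasses import dataclass

SMB_PORT = 445
# Assumption: processes that render .library-ms files and would issue the SMB request.
SHELL_PROCESSES = {"explorer.exe", "searchprotocolhost.exe"}
# Assumption: the organisation's internal ranges; any other destination is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fe80::/10", "::1/128")]

@dataclass
class Finding:
    utc_time: str
    image: str
    dest_ip: str
    reason: str

def parse_line(line: str) -> dict:
    """Split a constructed 'key=value key=value' line into a dict (values contain no spaces)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def scan(lines):
    """Return a Finding for every SMB connection a shell process opened to an external host."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("EventID") != "3":          # network-connection events only
            continue
        try:
            port = int(f["DestinationPort"])
            dest = f["DestinationIp"]
            ipaddress.ip_address(dest)       # drop malformed addresses instead of crashing
        except (KeyError, ValueError):
            continue
        image = f.get("Image", "").rsplit("\\", 1)[-1].lower()
        if port == SMB_PORT and image in SHELL_PROCESSES and not is_internal(dest):
            findings.append(Finding(f.get("UtcTime", "?"), image, dest,
                                    "shell process opened SMB to external host"))
    return findings

# Constructed sample: one leak-like event, one legitimate internal file-server connection, one unrelated HTTPS flow.
SAMPLE_LOG = [
    r"EventID=3 UtcTime=2025-03-20T10:15:02Z Image=C:\Windows\explorer.exe DestinationIp=203.0.113.10 DestinationPort=445",
    r"EventID=3 UtcTime=2025-03-20T10:15:09Z Image=C:\Windows\explorer.exe DestinationIp=10.20.30.40 DestinationPort=445",
    r"EventID=3 UtcTime=2025-03-20T10:16:00Z Image=C:\Browser\browser.exe DestinationIp=203.0.113.10 DestinationPort=443",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit here is only a lead: an internal allowlist lets legitimate file servers through, so the external destination, not port 445 alone, is what makes the event worth triage.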
Another phishing campaign, spotted around March 25, 2025, delivered a file called "Info.doc.library-ms" without any compression. Since the initial wave of attacks, at least 10 campaigns have been observed, all trying to steal NTLM hashes.
"These attacks leveraged malicious .library-ms files to collect NTLMv2 hashes and escalate the risk of lateral movement and privilege escalation within compromised networks," Check Point explained.
The key takeaway? "This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks."
Federal agencies have until May 8, 2025, to apply the necessary fixes to protect their networks.