Attacks Targeted the New Windows NTLM Vulnerability

Check Point has alerted that hackers began to exploit a Windows NTLM vulnerability about a week after patches were released last month. The issue, identified as CVE-2025-24054, has a CVSS score of 6.5 and was addressed in March 2025. While it is not extremely dangerous, it can allow attackers to steal NTLM hashes, enabling them to impersonate users on a network.

Microsoft's advisory explains that exploiting this vulnerability requires little user involvement: merely clicking or right-clicking a harmful file can trigger the security flaw.

About a week after the patch was released for CVE-2025-24054, attackers started using it to target government and private entities in Poland and Romania, as reported by Check Point.

This vulnerability occurs when a user opens a ZIP file containing a malicious .library-ms file. This action prompts Windows Explorer to initiate an SMB authentication request to a remote server, which in turn leaks the user’s NTLM hash without any interaction from the user.
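A defender-side check for the lure described above, added here as an example and not code from the article or from Check Point: it parses a .library-ms file and reports any UNC location whose host lies outside the organisation, since that is what makes Explorer authenticate to a remote SMB server. The Library Description XML namespace and the `<url>` element are assumed from the Windows library schema (the article does not describe the format), the internal suffix `.corp.example` is an assumed allowlist entry, and the sample file is constructed; the same function applies whether the file arrived inside a ZIP or, as in the later case, on its own.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumed (from the Windows Library Description schema, not from the article):
# a .library-ms file is XML in this namespace and lists its locations in <url> elements.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")   # \\host\share... -> captures host

def library_urls(xml_bytes):
    """Return every <url> location declared in a .library-ms document."""
    root = ET.fromstring(xml_bytes)
    return [u.text.strip() for u in root.iter(LIB_NS + "url") if u.text]

def is_external_host(host, internal_suffixes=()):
    """Public IP literals and names outside the internal suffixes count as external."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    if "." not in host:
        return False          # single-label names resolve inside the intranet
    return not any(host.endswith(s) for s in internal_suffixes)

def suspicious_locations(xml_bytes, internal_suffixes=()):
    """UNC locations that would make Explorer authenticate to an outside SMB host."""
    hits = []
    for url in library_urls(xml_bytes):
        m = UNC_RE.match(url)
        if m and is_external_host(m.group(1).lower(), internal_suffixes):
            hits.append(url)  # knownfolder:{...} and local paths never match UNC_RE
    return hits

# Constructed sample: one known-folder location, one internal share, one outside host.
SAMPLE_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name><version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation>
      <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>\\\\fileserver.corp.example\\docs</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>\\\\share.example.net\\public</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    print(suspicious_locations(SAMPLE_LIBRARY, internal_suffixes=(".corp.example",)))
```

Only the share on an outside host is reported; the known-folder entry and the internal file server pass, so the check can run on mail-gateway extractions without flagging ordinary library files.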

Once the NTLM hash is exposed, attackers can use it either to brute-force the user's password offline or in relay attacks. Depending on the access level of the compromised account, attackers might move across the network, gain higher privileges, and potentially take over the network.

Even though Microsoft did not label CVE-2025-24054 as being actively exploited, Check Point observed around twelve attacks targeting this flaw between March 19 and March 25. The stolen NTLM hashes ended up on servers in different countries including Australia, Bulgaria, the Netherlands, Russia, and Turkey.

One major attack took place around March 20–21, 2025, targeting Polish and Romanian government bodies and private organizations. The method used involved phishing emails with links that led victims to download a harmful file from Dropbox. Inside the file, there was a reference to CVE-2024-43451, another NTLM vulnerability exploited by Russian hackers, as well as an SMB server linked with the Russian group APT Fancy Bear, also known as APT28, Forest Blizzard, and Sofacy.

In at least one instance on March 25, Check Point found that the malicious .library-ms file was shared without being zipped.

On Thursday, the US cybersecurity agency CISA added CVE-2025-24054 to its Known Exploited Vulnerabilities list. Under BOD 22-01, federal agencies are required to fix this flaw by May 8, but CISA strongly urges all organizations to swiftly address the vulnerabilities listed in the catalog.