CVE-2025-24054 Critical NTLM Hash Flaw

CVE-2025-24054 is a high-severity NTLM authentication vulnerability that allows attackers to leak NTLMv2-SSP (Security Support Provider) hashes through spoofing techniques. The exploitation relies on maliciously crafted .library-ms files, which can force Windows Explorer to initiate SMB authentication requests to an attacker-controlled server, exposing user credentials. This vulnerability poses serious risks, enabling credential theft, lateral movement, and unauthorized system access.

Technical Overview

1. Affected Systems

  • All supported versions of Windows (including Windows Server editions) are vulnerable.
  • Microsoft released an official security patch on March 11, 2025, addressing the flaw.
  • Despite the patch, attackers began actively exploiting the vulnerability within eight days of its release, launching real-world attacks.

2. Root Cause of the Vulnerability

  • This vulnerability stems from improper session management within NTLM authentication over SMB (Server Message Block).
  • A specially crafted .library-ms file (a Windows Library file) is used to trigger an unauthorized NTLM authentication request, leading the system to disclose NTLMv2-SSP hashes to a remote attacker-controlled server.
  • These hashes can then be brute-forced offline or used directly in pass-the-hash (PtH) attacks to bypass authentication mechanisms.

3. Exploitation Mechanism

Malicious .library-ms File Deployment:

  • Attackers distribute .library-ms files via phishing emails, compromised websites, or shared file archives.
  • The file doesn’t need to be opened—merely navigating to a folder containing the file triggers the exploit.

Automatic SMB Authentication Initiation:

  • When a user interacts with the .library-ms file (right-click, drag, or browse), Windows Explorer silently initiates an SMB authentication request to the attacker’s remote SMB server.
  • This interaction results in the victim’s NTLMv2-SSP hash being sent to the attacker.

Credential Theft and Brute Force Attacks:

  • The attacker captures the NTLM hash and can:
    • Attempt offline brute-force attacks to retrieve the plaintext password.
    • Use pass-the-hash techniques to authenticate on other systems without needing the password itself.
    • Relay NTLM authentication requests to escalate access privileges within an organization’s network.

Observed Attack Campaigns

  • March 20–21, 2025: A targeted campaign affected government agencies and private organizations in Poland and Romania.
  • Attackers used Dropbox-hosted archives containing malicious .library-ms files to harvest NTLM hashes.
  • Collected credentials were transmitted to attack servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey.
  • Security researchers confirmed weaponized exploits were circulating in underground forums, indicating widespread adoption of this technique.

Potential Impact of CVE-2025-24054

1. Unauthorized Credential Theft

  • Any user whose NTLM hash is leaked becomes vulnerable to account compromise.
  • Attackers can target administrative accounts to gain privileged access.

2. Privilege Escalation and Lateral Movement

  • Attackers can pivot within a corporate network using pass-the-hash techniques, allowing them to escalate privileges without needing the actual password.

3. Network Compromise and Organizational Threats

  • Affected companies face data exfiltration risks, unauthorized system modifications, and potential ransomware deployment following credential theft.

4. Multi-Stage Cyber Attacks

  • Ransomware groups may leverage CVE-2025-24054 to gain initial access, followed by widespread system encryption to demand ransom payments.

Mitigation Strategies

1. Apply Microsoft’s Security Patch

  • Update Windows to the latest security patch (March 11, 2025) to block unauthorized NTLM authentication requests.

2. Disable NTLM Authentication Over SMB

  • Configure Group Policy to restrict NTLM authentication, preventing malicious servers from collecting NTLM hashes.

3. Implement Network Monitoring and Threat Detection

  • Use Intrusion Detection Systems (IDS) or SIEM solutions to monitor SMB authentication traffic for anomalies.
  • Track unusual outbound NTLM authentication attempts to unknown external IP addresses.
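One way to operationalize the second bullet is to sweep connection logs for outbound SMB (TCP 445/139) to addresses outside your own ranges, since a leaked NTLMv2-SSP hash has to travel over such a connection. The script below is an added example, not code from the original post or from Microsoft; it assumes a simple constructed log format (`timestamp,src_ip,dst_ip,dst_port,protocol`), uses an explicit RFC 1918/loopback/link-local list to define "internal" (adjust `INTERNAL_NETS` to your own address plan), and uses IANA documentation ranges (203.0.113.x, 198.51.100.x) as stand-ins for external hosts. Real firewall, NetFlow or EDR exports will need their own `parse_line()`.

```python
"""Flag outbound SMB connections to external hosts in connection logs.

Added example; not part of the original post. Assumes a constructed
CSV-style log: timestamp,src_ip,dst_ip,dst_port,protocol.
"""
import ipaddress
from collections import defaultdict

# Ports on which Windows Explorer would reach a remote SMB server.
SMB_PORTS = {445, 139}

# Address space treated as "internal". Assumption: RFC 1918 plus loopback
# and link-local. Replace with your organization's actual ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log, not real traffic. External destinations use
# IANA documentation ranges as placeholders.
SAMPLE_LOG = """\
2025-03-20T09:14:02Z,10.1.5.23,10.1.0.10,445,tcp
2025-03-20T09:14:05Z,10.1.5.23,203.0.113.45,445,tcp
2025-03-20T09:14:06Z,10.1.5.23,203.0.113.45,445,tcp
2025-03-20T09:15:11Z,10.1.7.40,198.51.100.7,139,tcp
2025-03-20T09:15:30Z,10.1.7.40,142.250.72.14,443,tcp
2025-03-20T09:16:02Z,10.1.5.99,192.168.3.3,445,tcp
"""


def is_external(addr):
    """True if addr (str or ip_address) falls outside INTERNAL_NETS."""
    addr = ipaddress.ip_address(addr)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, port, proto = line.split(",")
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto.lower(),
    }


def find_external_smb(lines, allowlist=()):
    """Return records for TCP SMB connections to non-internal, non-allowlisted hosts.

    allowlist: destination IPs of sanctioned external SMB endpoints
    (e.g. a cloud file share you really do use), given as strings.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp" or rec["port"] not in SMB_PORTS:
            continue
        if rec["dst"] in allowed or not is_external(rec["dst"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source host -> sorted list of (dst_ip, port) pairs."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[str(h["src"])].add((str(h["dst"]), h["port"]))
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    # Each source host listed here talked SMB to an external address and
    # is a candidate for NTLM hash leakage; triage the user's recent files.
    for src, dsts in summarize(find_external_smb(SAMPLE_LOG.splitlines())).items():
        print(src, "->", ", ".join(f"{ip}:{port}" for ip, port in dsts))
```

In a SIEM you would run the same logic as a scheduled search rather than a script, but the decision points are the same: restrict to SMB ports, subtract your own address space and any sanctioned external shares, then pivot on the source host to find the user and the file that was browsed.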

4. Enhance User Awareness and Phishing Protection

  • Educate employees about malicious .library-ms files, warning them against interacting with unknown archive contents.
  • Enforce email security protocols such as attachment scanning and sandbox execution.

5. Enforce Strong Authentication Mechanisms

  • Implement multi-factor authentication (MFA) to protect accounts even if an NTLM hash is stolen.
  • Enforce Kerberos authentication instead of NTLM for securing internal authentication workflows.

Final Thoughts

CVE-2025-24054 is a dangerous NTLM authentication vulnerability that allows attackers to steal NTLMv2-SSP hashes silently, enabling pass-the-hash attacks and lateral movement within corporate networks. Organizations must apply security patches immediately, disable NTLM authentication where possible, and deploy threat monitoring tools to prevent exploitation.
