CVE-2025-24054 Critical NTLM Hash Flaw

---

CVE-2025-24054 is a high-severity NTLM authentication vulnerability that allows attackers to leak NTLMv2-SSP (Security Support Provider) hashes through spoofing techniques. The exploitation relies on maliciously crafted .library-ms files, which can force Windows Explorer to initiate SMB authentication requests to an attacker-controlled server, exposing user credentials. This vulnerability poses serious risks, enabling credential theft, lateral movement, and unauthorized system access.

Technical Overview

1. Affected Systems

• All supported versions of Windows (including Windows Server editions) are vulnerable.
• Microsoft released an official security patch on March 11, 2025, addressing the flaw.
• Despite the patch, attackers began actively exploiting the vulnerability within eight days, launching real-world attacks.

2. Root Cause of the Vulnerability

• This vulnerability stems from improper session management within NTLM authentication over SMB (Server Message Block).
• A specially crafted .library-ms file (a Windows Library file) is used to trigger an unauthorized NTLM authentication request, leading the system to disclose NTLMv2-SSP hashes to a remote attacker-controlled server.
• These hashes can then be brute-forced offline or used directly in pass-the-hash (PtH) attacks to bypass authentication mechanisms.

3. Exploitation Mechanism

Malicious .library-ms File Deployment:

• Attackers distribute .library-ms files via phishing emails, compromised websites, or shared file archives.
• The file doesn’t need to be opened—merely navigating to a folder containing the file triggers the exploit.

Automatic SMB Authentication Initiation:

• When a user interacts with the .library-ms file (right-click, drag, or browse), Windows Explorer silently initiates an SMB authentication request to the attacker’s remote SMB server.
• This interaction results in the victim’s NTLMv2-SSP hash being sent to the attacker.

Credential Theft and Brute Force Attacks:

• The attacker captures the NTLM hash and can:
  • Attempt offline brute-force attacks to retrieve the plaintext password.
  • Use pass-the-hash techniques to authenticate on other systems without needing the password itself.
  • Relay NTLM authentication requests to escalate access privileges within an organization’s network.

---

Observed Attack Campaigns

• March 20–21, 2025: A targeted campaign affected government agencies and private organizations in Poland and Romania.
• Attackers used Dropbox-hosted archives containing malicious .library-ms files to harvest NTLM hashes.
• Collected credentials were transmitted to attack servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey.
• Security researchers confirmed weaponized exploits were circulating in underground forums, indicating widespread adoption of this technique.

---

Potential Impact of CVE-2025-24054

1. Unauthorized Credential Theft

• Any user whose NTLM hash is leaked becomes vulnerable to account compromise.
• Attackers can target administrative accounts to gain privileged access.

2. Privilege Escalation and Lateral Movement

• Attackers can pivot within a corporate network using pass-the-hash techniques, allowing them to escalate privileges without needing the actual password.

3. Network Compromise and Organizational Threats

• Affected companies face data exfiltration risks, unauthorized system modifications, and potential ransomware deployment following credential theft.

4. Multi-Stage Cyber Attacks

• Ransomware groups may leverage CVE-2025-24054 to gain initial access, followed by widespread system encryption to demand ransom payments.

---

Mitigation Strategies

1. Apply Microsoft’s Security Patch

• Update Windows to the latest security patch (March 11, 2025) to block unauthorized NTLM authentication requests.

2. Disable NTLM Authentication Over SMB

• Configure Group Policy to restrict NTLM authentication, preventing malicious servers from collecting NTLM hashes.

3. Implement Network Monitoring and Threat Detection

• Use Intrusion Detection Systems (IDS) or SIEM solutions to monitor SMB authentication traffic for anomalies.
• Track unusual outbound NTLM authentication attempts to unknown external IP addresses.

4. Enhance User Awareness and Phishing Protection

• Educate employees about malicious .library-ms files, warning them against interacting with unknown archive contents.
• Enforce email security protocols such as attachment scanning and sandbox execution.

5. Enforce Strong Authentication Mechanisms

• Implement multi-factor authentication (MFA) to protect accounts even if an NTLM hash is stolen.
• Enforce Kerberos authentication instead of NTLM for securing internal authentication workflows.

---

Final Thoughts

CVE-2025-24054 is a dangerous NTLM authentication vulnerability that allows attackers to steal NTLMv2-SSP hashes silently, enabling pass-the-hash attacks and lateral movement within corporate networks. Organizations must apply security patches immediately, disable NTLM authentication where possible, and deploy threat monitoring tools to prevent exploitation.