Microsoft Patched It, But Hackers Didn’t Care — Inside CVE-2025-24054
Another month, another NTLM exploit. If you thought CVE-2024-43451 was the last of its kind, think again — because its meaner, sneakier cousin is here, and it’s already busy.
What’s Going On?
NTLM, Microsoft’s authentication protocol, has had a long history of weaknesses, from pass-the-hash attacks to relay exploits. NTLMv2 improved security, but even today, captured hashes can be cracked offline or abused in relay attacks, letting cybercriminals impersonate legitimate users.
Microsoft expedited the patch for CVE-2025-24054 on March 11, 2025, but by March 19, attackers were already exploiting it in the wild. Less than two weeks later, multiple campaigns — some targeting government institutions in Poland and Romania — were leveraging .library-ms files in phishing emails to collect NTLM hashes.
The mechanics are simple
- A user downloads a ZIP archive containing a malicious .library-ms file.
- Windows Explorer initiates an SMB authentication request, leaking the user’s NTLMv2-SSP hash to a remote attacker-controlled SMB server.
- The attacker captures the hash, setting the stage for relay attacks or brute-force attempts.
Here’s what’s interesting: you don’t even have to open the file. A simple right-click, drag-and-drop, or folder navigation can trigger the exploit.
Who’s Behind It?
While attribution remains speculative, security researchers have linked this attack infrastructure to servers in Russia, Bulgaria, the Netherlands, Australia, and Turkey. Some IP addresses have been associated with APT28 (Fancy Bear), a Russian state-sponsored threat actor — but direct attribution is unclear.
Phishing emails delivering the exploit have been sent from various institutions worldwide, raising concerns about how attackers are compromising legitimate accounts to spread the malware.
The Bigger Picture
This isn’t an isolated case — it’s part of a growing trend of low-interaction exploits targeting NTLM authentication. We saw a similar attack in November 2024 with CVE-2024-43451, which targeted Ukraine and was linked to Russian-affiliated actors. Microsoft is patching NTLM vulnerabilities at a rapid pace, but clearly, attackers are just as fast at adapting.
For organizations relying on NTLM, this is a wake-up call. Mitigation strategies must go beyond simply applying patches. Here’s how to protect your network:
- Disable NTLM if possible and migrate to Kerberos or another secure authentication method.
- Enforce SMB signing to prevent relay attacks.
- Monitor network traffic for suspicious outbound SMB authentication requests.
- Educate employees about phishing risks, especially malicious ZIP archives.
- Deploy threat emulation tools to proactively detect and block such attacks.
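The monitoring item above is the one most teams can act on today, so here is a worked version of it: a small detector that reads firewall connection records and flags SMB connections (TCP 445 or 139) from an internal host to any host outside the organisation, which is exactly the direction a .library-ms lure forces Explorer to connect in. This is an added example, not code from the original post or from Check Point Research; the log format (space-separated timestamp, source, source port, destination, destination port, protocol, action), the internal address ranges, and the sample records themselves are all constructed assumptions.

```python
"""Flag outbound SMB connection attempts to hosts outside the organisation.

Added example over constructed firewall log lines. The record format, the
internal address ranges and the sample data are assumptions, not anything
from the original post or from Check Point Research.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports carrying SMB: 445 (direct) and 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumed: the organisation's own address space. Anything outside these
# ranges is treated as external for the purpose of this check.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample records (not real traffic), one connection per line:
# "timestamp src_ip src_port dst_ip dst_port proto action".
SAMPLE_LOG = """\
2025-03-19T10:02:11Z 10.1.4.23 51022 10.1.0.5 445 TCP ALLOW
2025-03-19T10:02:15Z 10.1.4.23 51023 203.0.113.77 445 TCP ALLOW
2025-03-19T10:02:16Z 10.1.4.23 51024 203.0.113.77 445 TCP ALLOW
2025-03-19T10:03:40Z 10.1.7.8 49811 198.51.100.9 443 TCP ALLOW
2025-03-19T10:04:02Z 10.1.7.8 49812 198.51.100.42 139 TCP DENY
2025-03-19T10:05:55Z 10.1.4.23 51030 192.168.50.10 445 TCP ALLOW
malformed line that should be skipped
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str):
    """Parse one log line; return None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, _src_port, dst, dst_port, proto, action = fields
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(dst_port)
    except ValueError:
        return None
    return ts, src, dst, port, proto.upper(), action.upper()


def find_outbound_smb(log_text: str) -> list:
    """Return an Alert for every SMB connection from an internal host to an
    external one. Denied attempts are kept on purpose: a blocked connection
    still shows that something on the client tried to authenticate outward,
    which is the signal a triggered lure leaves behind."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, dst, port, proto, action = rec
        if proto != "TCP" or port not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            alerts.append(Alert(ts, src, dst, port, action))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per (source, destination) pair so repeated lures stand out."""
    return dict(Counter((a.src_ip, a.dst_ip) for a in alerts))


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.src_ip} -> {a.dst_ip}:{a.dst_port} ({a.action})")
    print(summarize(found))
```

On the sample data this reports the two connections from 10.1.4.23 to 203.0.113.77 on 445 and the denied attempt from 10.1.7.8 to 198.51.100.42 on 139, while the internal-to-internal SMB traffic and the HTTPS connection are left alone. The internal range list is deliberately explicit rather than relying on `ipaddress`'s notion of "private", because a site's own definition of internal (VPN pools, partner ranges) is what decides whether an SMB destination is suspicious.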
Final Thoughts
CVE-2025-24054 is yet another reminder that attackers don’t wait for permission — they seize vulnerabilities the moment they become viable. If you’re waiting for a perfect security strategy before making changes, you’re already behind. Patch, monitor, and mitigate — because the next NTLM exploit is only a matter of time.
Citations
Check Point Research. “CVE-2025-24054, NTLM Exploit in the Wild.” April 16, 2025.