PT-2025-10806 · Microsoft · Windows Ntlm (+1)
Credit: J00Sean (+1)
Published: 2025-03-11 · Updated: 2026-03-10
CVE-2025-24054
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Windows (affected versions not specified)
Description: CVE-2025-24054 is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing vulnerability. It allows an attacker to perform spoofing over a network by exploiting external control of file names or paths. Exploitation requires minimal user interaction, such as previewing a malicious file, and results in the theft of NTLM credentials. The vulnerability has been actively exploited in attacks targeting government and private institutions in Poland, Romania, and globally. Threat actors, potentially including the APT28 group, are leveraging it through phishing campaigns that distribute malicious .library-ms files. The vulnerability was initially patched on March 11, 2025, but exploitation began shortly after, around March 19, 2025. Approximately ten attack campaigns had been observed as of late March 2025, with malicious SMB servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey. The vulnerability does not require file execution and can be triggered simply by downloading a file.
Recommendations: Apply the security patch released on March 11, 2025. Disable NTLM authentication if it is not required. Monitor network traffic for suspicious SMB authentication requests. Audit file shares for unauthorized access.
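The monitoring recommendation above is concrete enough to script. The following is an added example, not part of this advisory or of any vendor tooling: it scans firewall or flow log lines for outbound SMB connections (TCP 139/445) from internal hosts to external addresses, which is the traffic pattern an NTLM hash disclosure to a remote SMB server would produce. The log format (key=value fields) and the sample lines are constructed for the example; the destination addresses use RFC 5737 documentation ranges as stand-ins for public IPs.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in an assumed key=value format (not any
# specific vendor's). 203.0.113.x, 198.51.100.x and 192.0.2.x are RFC 5737
# documentation ranges standing in for public addresses.
SAMPLE_LOG = """\
2025-03-20T09:12:01Z src=10.0.4.17 dst=10.0.0.5 dport=445 proto=tcp action=allow
2025-03-20T09:12:05Z src=10.0.4.17 dst=203.0.113.9 dport=445 proto=tcp action=allow
2025-03-20T09:13:40Z src=10.0.4.22 dst=198.51.100.30 dport=443 proto=tcp action=allow
2025-03-20T09:14:02Z src=10.0.4.22 dst=198.51.100.30 dport=139 proto=tcp action=allow
2025-03-20T09:15:11Z src=10.0.4.17 dst=192.0.2.55 dport=445 proto=tcp action=deny
"""

SMB_PORTS = {139, 445}

# Address space treated as "inside". Listed explicitly rather than via
# ipaddress.is_private, because Python classifies the RFC 5737 documentation
# ranges used in the sample as private, which would hide the sample hits.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\S+)\s+action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"; denied attempts are still worth a look


def is_external(ip_text):
    """True if the address is outside every internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: do not flag
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def detect_outbound_smb(log_text):
    """Return findings for internal -> external SMB connections, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f["proto"].lower() != "tcp" or f["dport"] not in SMB_PORTS:
            continue
        if is_external(f["src"]) or not is_external(f["dst"]):
            continue  # only internal sources talking to external SMB servers
        findings.append(Finding(f["ts"], f["src"], f["dst"], f["dport"], f["action"]))
    return findings


def summarize_by_source(findings):
    """Count findings per internal source host, to prioritise triage."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    hits = detect_outbound_smb(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.dport} ({h.action})")
    print("per-source:", summarize_by_source(hits))
```

On the sample, the internal-to-internal connection on 445 and the HTTPS connection are ignored; the three internal-to-external connections on 139/445 are reported, including the denied one, since a blocked attempt still indicates a host that opened a file pointing at an external SMB server. In a real deployment the regex would be swapped for the site's log parser and the internal ranges for the organisation's own address plan.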


Related Identifiers:

BDU:2025-02760
CVE-2025-24054

Affected Products:

Windows
Windows Ntlm