PT-2025-10806 · Microsoft · Windows Ntlm +1
J00Sean · Published 2025-03-11 · Updated 2025-10-20 · CVE-2025-24054

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Windows versions prior to the March 2025 security update
Description: This issue is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing vulnerability (CVE-2025-24054). Exploitation occurs through maliciously crafted .library-ms files, which let attackers steal NTLM credentials with minimal user interaction, in some cases requiring only that the file be downloaded. The vulnerability has been actively exploited in attacks targeting government and private institutions in Poland, Romania, and globally; threat actors, potentially including the APT28 group, are leveraging this flaw. The vulnerability allows attackers to perform spoofing over a network by exploiting external control of file names or paths. Approximately 10 attack campaigns had been observed as of late March 2025, with malicious SMB servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey. Microsoft initially rated the vulnerability as low risk, but it is now considered critical because of its ease of exploitation and potential impact.
Recommendations:
- Apply the March 2025 security update immediately.
- Disable NTLM authentication if it is not required.
- Monitor network traffic for suspicious SMB authentication requests.
- Audit file shares for malicious .library-ms files.
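The file-share audit from the last recommendation, as an added example that is not the advisory's or Positive Technologies' own tooling: a .library-ms file is XML whose <url> elements name the folders the library aggregates, so the script parses each file, collects those locations, and flags any that point at a UNC or file://host/ location outside an allowlist of known internal servers. The XML layout shown in the constructed samples, the host names and the allowlist are assumptions.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# A library location is "remote" when it is a UNC path or a file://host/... URL.
REMOTE_RE = re.compile(r"^(?:\\\\|//|file://)(?P<host>[^\\/]+)", re.IGNORECASE)

# Constructed samples (hypothetical host names, not taken from the advisory):
# the first points at a local folder, the second at an external SMB host.
SAMPLE_LOCAL = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
 <searchConnectorDescriptionList><searchConnectorDescription>
  <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
 </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SAMPLE_REMOTE = SAMPLE_LOCAL.replace(r"C:\Users\Public\Documents",
                                     r"\\Fileserver.example.invalid\share")

def remote_hosts(library_xml: str) -> list[str]:
    """Hosts referenced by <url> elements of a .library-ms body, lower-cased.
    Element namespaces are ignored so the check does not depend on prefixes."""
    try:
        root = ET.fromstring(library_xml.lstrip("\ufeff"))
    except ET.ParseError:
        return []                          # not parsable XML: nothing to report
    hosts = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:
            m = REMOTE_RE.match(el.text.strip())
            if m:
                hosts.append(m.group("host").lower())
    return hosts

def audit_share(share_root: Path, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Walk a share and flag .library-ms files pointing at hosts not on the allowlist."""
    findings = []
    for path in sorted(share_root.rglob("*.library-ms")):
        for host in remote_hosts(path.read_text(encoding="utf-8-sig", errors="replace")):
            if host not in allowed_hosts:
                findings.append((path.name, host))
    return findings

def audit_samples(allowed_hosts=frozenset({"corp-fs01"})) -> list[tuple[str, str]]:
    """Write the constructed samples into a temp dir and audit it (demo helper)."""
    root = Path(tempfile.mkdtemp())
    (root / "documents.library-ms").write_text(SAMPLE_LOCAL, encoding="utf-8")
    (root / "invoice.library-ms").write_text(SAMPLE_REMOTE, encoding="utf-8")
    return audit_share(root, set(allowed_hosts))
```

Calling `audit_samples()` returns the one finding for the constructed external-host sample; on a real share, call `audit_share(Path(r"\\server\share"), allowed_hosts)` with your own allowlist.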

Related Identifiers: BDU:2025-02760, CVE-2025-24054

Affected Products: Windows, Windows Ntlm