Urgent Patch Required: Windows NTLM Flaw Exploited in Recent Attacks

Article Highlights
Off On

Recent developments in cybersecurity have highlighted a worrying trend with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, tracked as CVE-2025-24054, has been actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to their Known Exploited Vulnerabilities (KEV) catalog. With a CVSS score of 6.5, this medium-severity flaw involves NTLM hash disclosure via spoofing, an issue that Microsoft had addressed in their latest Patch Tuesday updates. Despite Microsoft’s efforts to phase out NTLM in favor of Kerberos, cybercriminals continue to exploit this legacy protocol, taking advantage of unpatched systems and putting numerous organizations at risk.

Details of the Vulnerability and its Exploitation

NTLM’s legacy status has made it a target for exploitation techniques such as pass-the-hash and relay attacks. Attackers can extract NTLM hashes to further their malicious campaigns, with this particular flaw allowing unauthorized individuals to perform spoofing attacks across networks. The vulnerability can be triggered with minimal user interaction through a specially crafted .library-ms file; simple actions like single-clicking or right-clicking are sufficient. This vulnerability was discovered by researchers from NTT Security Holdings, 0x6rss, and j00sean, and was initially underestimated by Microsoft, which categorized it as “Exploitation Less Likely.”

However, recent observations from Check Point have revealed active exploitation. A notable campaign targeted entities in Poland and Romania using malspam that included a Dropbox link containing an archive. The archive exploited multiple vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes. The technique leveraged ZIP archives that, upon download and extraction, triggered SMB authentication requests to remote servers, leaking NTLM hashes without any further interaction.

Impact and Ongoing Exploitation

By late March, phishing campaigns distributed uncompressed files named “Info.doc.library-ms” aimed at collecting NTLMv2 hashes from victims. At least ten distinct campaigns have been identified, underscoring the critical need for prompt patch application to address NTLM vulnerabilities. These types of attacks can facilitate lateral movement and privilege escalation within compromised networks, making it essential for organizations to respond swiftly to mitigate the risks posed by such threats. The significance of these captured NTLM hashes lies in their potential use in pass-the-hash attacks, wherein attackers can authenticate as the original user without needing their password. Given the minimal user interaction required to exploit this flaw and the significant threat it poses, organizations are urged to apply security patches without delay. Federal Civilian Executive Branch (FCEB) agencies, in particular, have been mandated to apply the necessary patches by May 8, 2025, to safeguard against these exploits. Recommendations from cybersecurity experts and agencies emphasize the urgency of incorporating security patches immediately to safeguard network environments. The active exploitation of NTLM weaknesses by threat actors highlights the importance of defending against sophisticated attacks, with the remedy often lying in timely and consistent patch application.

The Critical Need for Defensive Measures

The evolving nature of cybersecurity threats underscores the necessity for organizations to remain vigilant and proactive. As attackers continue to exploit legacy protocols like NTLM, timely defensive measures become paramount in safeguarding against sophisticated attacks. While Microsoft has deprecated NTLM in favor of more secure alternatives, the continued use and exploitation of this protocol in various attacks reflect the challenges of transitioning to newer systems and the persistent vulnerabilities of legacy technologies. Organizations must prioritize the application of security patches and the deployment of comprehensive cybersecurity strategies. This involves not only addressing specific vulnerabilities like CVE-2025-24054 but also implementing broader measures to enhance overall security posture. Education and awareness campaigns can play a crucial role in helping employees recognize potential threats and avoid interactions that could trigger such exploits.

In light of recent findings, the cybersecurity community is encouraged to explore advanced detection and mitigation techniques that can identify and neutralize threats more effectively. Collaboration between industry experts, researchers, and governmental agencies can drive the development of innovative solutions to combat emerging cybersecurity challenges. By fostering a culture of continuous improvement and vigilance, organizations can protect their digital assets and maintain the integrity of their operations.

Ensuring Future Security Preparedness

Recent strides in cybersecurity have spotlighted a troubling issue associated with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, identified as CVE-2025-24054, has seen active exploitation, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place it in their Known Exploited Vulnerabilities (KEV) catalog. This medium-severity flaw, manifesting as an NTLM hash disclosure through spoofing, carries a CVSS score of 6.5. Microsoft has responded to this threat by addressing it in their latest round of Patch Tuesday updates. Even though Microsoft is pushing to replace NTLM with the more secure Kerberos protocol, cybercriminals continue to leverage this outdated technology, exploiting unpatched systems and putting a significant number of organizations at risk. This ongoing exploitation underscores the critical need for organizations to stay current with patches and updates to protect their networks from such vulnerabilities and safeguard against potential cyberattacks.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.