Recent developments in cybersecurity have highlighted a worrying trend with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, tracked as CVE-2025-24054, has been actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to their Known Exploited Vulnerabilities (KEV) catalog. With a CVSS score of 6.5, this medium-severity flaw involves NTLM hash disclosure via spoofing, an issue that Microsoft had addressed in their latest Patch Tuesday updates. Despite Microsoft’s efforts to phase out NTLM in favor of Kerberos, cybercriminals continue to exploit this legacy protocol, taking advantage of unpatched systems and putting numerous organizations at risk.
Details of the Vulnerability and its Exploitation
NTLM’s legacy status has made it a target for exploitation techniques such as pass-the-hash and relay attacks. Attackers can extract NTLM hashes to further their malicious campaigns, with this particular flaw allowing unauthorized individuals to perform spoofing attacks across networks. The vulnerability can be triggered with minimal user interaction through a specially crafted .library-ms file; simple actions like single-clicking or right-clicking are sufficient. This vulnerability was discovered by researchers from NTT Security Holdings, 0x6rss, and j00sean, and was initially underestimated by Microsoft, which categorized it as “Exploitation Less Likely.”
However, recent observations from Check Point have revealed active exploitation. A notable campaign targeted entities in Poland and Romania using malspam that included a Dropbox link containing an archive. The archive exploited multiple vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes. The technique leveraged ZIP archives that, upon download and extraction, triggered SMB authentication requests to remote servers, leaking NTLM hashes without any further interaction.
Impact and Ongoing Exploitation
By late March, phishing campaigns distributed uncompressed files named “Info.doc.library-ms” aimed at collecting NTLMv2 hashes from victims. At least ten distinct campaigns have been identified, underscoring the critical need for prompt patch application to address NTLM vulnerabilities. These types of attacks can facilitate lateral movement and privilege escalation within compromised networks, making it essential for organizations to respond swiftly to mitigate the risks posed by such threats. The significance of these captured NTLM hashes lies in their potential use in pass-the-hash attacks, wherein attackers can authenticate as the original user without needing their password. Given the minimal user interaction required to exploit this flaw and the significant threat it poses, organizations are urged to apply security patches without delay. Federal Civilian Executive Branch (FCEB) agencies, in particular, have been mandated to apply the necessary patches by May 8, 2025, to safeguard against these exploits. Recommendations from cybersecurity experts and agencies emphasize the urgency of incorporating security patches immediately to safeguard network environments. The active exploitation of NTLM weaknesses by threat actors highlights the importance of defending against sophisticated attacks, with the remedy often lying in timely and consistent patch application.
The Critical Need for Defensive Measures
The evolving nature of cybersecurity threats underscores the necessity for organizations to remain vigilant and proactive. As attackers continue to exploit legacy protocols like NTLM, timely defensive measures become paramount in safeguarding against sophisticated attacks. While Microsoft has deprecated NTLM in favor of more secure alternatives, the continued use and exploitation of this protocol in various attacks reflect the challenges of transitioning to newer systems and the persistent vulnerabilities of legacy technologies. Organizations must prioritize the application of security patches and the deployment of comprehensive cybersecurity strategies. This involves not only addressing specific vulnerabilities like CVE-2025-24054 but also implementing broader measures to enhance overall security posture. Education and awareness campaigns can play a crucial role in helping employees recognize potential threats and avoid interactions that could trigger such exploits.
In light of recent findings, the cybersecurity community is encouraged to explore advanced detection and mitigation techniques that can identify and neutralize threats more effectively. Collaboration between industry experts, researchers, and governmental agencies can drive the development of innovative solutions to combat emerging cybersecurity challenges. By fostering a culture of continuous improvement and vigilance, organizations can protect their digital assets and maintain the integrity of their operations.
Ensuring Future Security Preparedness
Recent strides in cybersecurity have spotlighted a troubling issue associated with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, identified as CVE-2025-24054, has seen active exploitation, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place it in their Known Exploited Vulnerabilities (KEV) catalog. This medium-severity flaw, manifesting as an NTLM hash disclosure through spoofing, carries a CVSS score of 6.5. Microsoft has responded to this threat by addressing it in their latest round of Patch Tuesday updates. Even though Microsoft is pushing to replace NTLM with the more secure Kerberos protocol, cybercriminals continue to leverage this outdated technology, exploiting unpatched systems and putting a significant number of organizations at risk. This ongoing exploitation underscores the critical need for organizations to stay current with patches and updates to protect their networks from such vulnerabilities and safeguard against potential cyberattacks.