Urgent Patch Required: Windows NTLM Flaw Exploited in Recent Attacks

Article Highlights
Off On

Recent developments in cybersecurity have highlighted a worrying trend with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, tracked as CVE-2025-24054, has been actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to their Known Exploited Vulnerabilities (KEV) catalog. With a CVSS score of 6.5, this medium-severity flaw involves NTLM hash disclosure via spoofing, an issue that Microsoft had addressed in their latest Patch Tuesday updates. Despite Microsoft’s efforts to phase out NTLM in favor of Kerberos, cybercriminals continue to exploit this legacy protocol, taking advantage of unpatched systems and putting numerous organizations at risk.

Details of the Vulnerability and its Exploitation

NTLM’s legacy status has made it a target for exploitation techniques such as pass-the-hash and relay attacks. Attackers can extract NTLM hashes to further their malicious campaigns, with this particular flaw allowing unauthorized individuals to perform spoofing attacks across networks. The vulnerability can be triggered with minimal user interaction through a specially crafted .library-ms file; simple actions like single-clicking or right-clicking are sufficient. This vulnerability was discovered by researchers from NTT Security Holdings, 0x6rss, and j00sean, and was initially underestimated by Microsoft, which categorized it as “Exploitation Less Likely.”

However, recent observations from Check Point have revealed active exploitation. A notable campaign targeted entities in Poland and Romania using malspam that included a Dropbox link containing an archive. The archive exploited multiple vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes. The technique leveraged ZIP archives that, upon download and extraction, triggered SMB authentication requests to remote servers, leaking NTLM hashes without any further interaction.

Impact and Ongoing Exploitation

By late March, phishing campaigns distributed uncompressed files named “Info.doc.library-ms” aimed at collecting NTLMv2 hashes from victims. At least ten distinct campaigns have been identified, underscoring the critical need for prompt patch application to address NTLM vulnerabilities. These types of attacks can facilitate lateral movement and privilege escalation within compromised networks, making it essential for organizations to respond swiftly to mitigate the risks posed by such threats. The significance of these captured NTLM hashes lies in their potential use in pass-the-hash attacks, wherein attackers can authenticate as the original user without needing their password. Given the minimal user interaction required to exploit this flaw and the significant threat it poses, organizations are urged to apply security patches without delay. Federal Civilian Executive Branch (FCEB) agencies, in particular, have been mandated to apply the necessary patches by May 8, 2025, to safeguard against these exploits. Recommendations from cybersecurity experts and agencies emphasize the urgency of incorporating security patches immediately to safeguard network environments. The active exploitation of NTLM weaknesses by threat actors highlights the importance of defending against sophisticated attacks, with the remedy often lying in timely and consistent patch application.

The Critical Need for Defensive Measures

The evolving nature of cybersecurity threats underscores the necessity for organizations to remain vigilant and proactive. As attackers continue to exploit legacy protocols like NTLM, timely defensive measures become paramount in safeguarding against sophisticated attacks. While Microsoft has deprecated NTLM in favor of more secure alternatives, the continued use and exploitation of this protocol in various attacks reflect the challenges of transitioning to newer systems and the persistent vulnerabilities of legacy technologies. Organizations must prioritize the application of security patches and the deployment of comprehensive cybersecurity strategies. This involves not only addressing specific vulnerabilities like CVE-2025-24054 but also implementing broader measures to enhance overall security posture. Education and awareness campaigns can play a crucial role in helping employees recognize potential threats and avoid interactions that could trigger such exploits.

In light of recent findings, the cybersecurity community is encouraged to explore advanced detection and mitigation techniques that can identify and neutralize threats more effectively. Collaboration between industry experts, researchers, and governmental agencies can drive the development of innovative solutions to combat emerging cybersecurity challenges. By fostering a culture of continuous improvement and vigilance, organizations can protect their digital assets and maintain the integrity of their operations.

Ensuring Future Security Preparedness

Recent strides in cybersecurity have spotlighted a troubling issue associated with the Windows New Technology LAN Manager (NTLM) protocol. The vulnerability, identified as CVE-2025-24054, has seen active exploitation, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place it in their Known Exploited Vulnerabilities (KEV) catalog. This medium-severity flaw, manifesting as an NTLM hash disclosure through spoofing, carries a CVSS score of 6.5. Microsoft has responded to this threat by addressing it in their latest round of Patch Tuesday updates. Even though Microsoft is pushing to replace NTLM with the more secure Kerberos protocol, cybercriminals continue to leverage this outdated technology, exploiting unpatched systems and putting a significant number of organizations at risk. This ongoing exploitation underscores the critical need for organizations to stay current with patches and updates to protect their networks from such vulnerabilities and safeguard against potential cyberattacks.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned