
NTLM Vulnerability in Windows Systems Actively Exploited
🔓 Cybercriminals are exploiting a critical vulnerability in Windows systems related to NTLM (New Technology LAN Manager) authentication to gain unauthorized access. This vulnerability, identified as CVE-2025-24054, allows attackers to spoof NTLM hashes, potentially exposing sensitive information.
The vulnerability stems from a weakness in the NTLM security protocol that can expose users’ authentication credentials to external parties. Microsoft patched it on March 11, 2025, and active exploitation began just a few days after the release.
NTLM is a suite of authentication protocols developed by Microsoft to verify user identities and secure network communications. Although NTLMv2 improved on the original design, attackers can still abuse the protocol to capture hashes and move laterally within a network.
CVE-2025-24054: Vulnerability Details
CVE-2025-24054 is triggered when Windows Explorer processes ZIP archives containing malicious files such as .library-ms: the system sends an authentication request over the SMB (Server Message Block) protocol without any user interaction, and that request leaks the NTLMv2-SSP hash to the attacker’s server.
Simply opening a malicious ZIP file or even hovering the mouse over it can trigger the attack.
Active Exploitation Cases
🕵️‍♂️ Check Point Research identified several cyberattack campaigns exploiting this vulnerability on March 20-21, 2025. These attacks targeted both government and private sectors in Poland and Romania and were delivered as ZIP archives sent via email.
The archives contained files with extensions such as .library-ms, .url, .website, and .lnk. Once triggered, they caused the Windows system to connect to the attacker’s server via SMB and send the user’s NTLM hash. The attackers used these hashes either to gain access to systems or to move quickly through the network.
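As an added example (not code from the article or from Check Point), the following Python script shows a mail-gateway or analyst triage check built from the two facts above: the listed file types inside a ZIP archive are what trigger the SMB authentication, and the connection goes to a server the attacker controls. It lists archive entries with those extensions and, for the text-based types, extracts the hosts referenced by UNC paths (`\\host\share`) so that references to anything outside a trusted set of internal file servers can be quarantined. The trusted host list, the assumption that references appear as textual UNC paths, and the sample archive (which is a constructed placeholder, not a valid .library-ms document) are assumptions for the example.

```python
import io
import re
import zipfile

# File types named in the article as triggering SMB authentication when Explorer handles them.
RISKY_EXTENSIONS = (".library-ms", ".url", ".website", ".lnk")

# Legitimate internal file servers (assumption for this example; replace with your own inventory).
TRUSTED_UNC_HOSTS = {"files.internal.example"}

# Host part of a UNC path such as \\host\share (assumption: references appear in this textual form).
UNC_HOST_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry whose extension is on the risky list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if not lower.endswith(RISKY_EXTENSIONS):
                continue
            finding = {"entry": name, "unc_hosts": [], "external": False}
            # .lnk is a binary format; the other types are text and can be searched for UNC references.
            if not lower.endswith(".lnk"):
                text = zf.read(name).decode("utf-8", errors="ignore")
                hosts = sorted(set(UNC_HOST_RE.findall(text)))
                finding["unc_hosts"] = hosts
                finding["external"] = any(h not in TRUSTED_UNC_HOSTS for h in hosts)
            findings.append(finding)
    return findings


def should_quarantine(findings: list[dict]) -> bool:
    """Quarantine if any entry references a host outside the trusted set, or if an opaque .lnk is present."""
    return any(f["external"] or f["entry"].lower().endswith(".lnk") for f in findings)


def build_sample_archive() -> bytes:
    """Constructed sample archive for demonstration; the contents are placeholders, not real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
        # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an unknown external host.
        zf.writestr("Documents.library-ms", "reference: \\\\203.0.113.10\\share\\x")
        zf.writestr("intranet.url", "reference: \\\\files.internal.example\\docs")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_archive(build_sample_archive())
    for f in results:
        print(f)
    print("quarantine:", should_quarantine(results))
```

Running the script flags `Documents.library-ms` because its UNC host is not in the trusted set, while `intranet.url` is listed but not treated as external; the archive as a whole is marked for quarantine. The check is deliberately conservative: any .lnk entry is quarantined without inspection, because the script does not parse that binary format.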
📤 The hashes were sent to servers in various countries, including Russia, Bulgaria, the Netherlands, Australia, and Turkey. High-level intelligence groups associated with nation-states may be behind these attacks.
Microsoft’s Response and Recommendations
Although Microsoft has released security patches for this vulnerability, exploitation began within days of their release. Organizations are therefore strongly advised to take the following actions:
✅ Update systems immediately – Install the security updates released on March 11, 2025, on all devices.
✅ Segment networks – Limit SMB network traffic between segments to prevent the spread of the attack.
✅ Strengthen SMB security settings – Enable SMB signing and defenses against relay attacks.
✅ Educate users – Continuously raise awareness about not opening unknown or untrusted ZIP archives.
✅ Conduct regular audits and monitoring – Perform routine checks to detect any unusual network activity.
Conclusion
The CVE-2025-24054 vulnerability enables sophisticated attacks that can lead to the leakage of sensitive authentication data through simple file operations. Protection against such threats requires not only patching but also vigilance, user training, and a robust security infrastructure.
Update your systems today. Protect yourself and your network!