Analysis Summary

A critical vulnerability identified as CVE-2025-24054 in Windows systems is being actively exploited in the wild, allowing threat actors to leak NTLMv2-SSP hashes through spoofing techniques. This flaw stems from the external control of file names or paths, which triggers unauthorized SMB authentication requests when specially crafted ZIP archives are extracted or interacted with. These archives contain malicious .library-ms files that exploit the way Windows Explorer processes file metadata, causing the system to unknowingly transmit NTLM hashes to attacker-controlled SMB servers—even with minimal user interaction, such as navigating to a folder or right-clicking a file.

NTLM, a Microsoft-developed suite of authentication protocols, remains widely used despite known weaknesses. Although NTLMv2 improves upon earlier versions, attackers can still exploit how the protocol handles authentication across the network. In the case of CVE-2025-24054, the hash leakage occurs when malicious files—such as .library-ms, .lnk, .url, and .website—initiate silent SMB authentication requests during basic file operations. These leaked hashes can be used in pass-the-hash or relay attacks, potentially granting unauthorized access to systems and facilitating lateral movement or privilege escalation across networks.

Despite Microsoft releasing a patch on March 11, 2025, researchers observed exploitation by March 20–21. Sophisticated spear-phishing campaigns were reported, targeting government and private entities in Poland and Romania. Attackers distributed ZIP files via Dropbox links in phishing emails, which, when extracted, immediately triggered the exploit. The stolen NTLM hashes were funneled to malicious SMB servers hosted in countries like Russia, Turkey, Bulgaria, and the Netherlands, hinting at the involvement of state-sponsored threat groups with geopolitical motives, possibly for espionage or sabotage.

To mitigate this threat, organizations must urgently apply the latest security patches, especially in environments using SMB protocols. Defensive measures should include enabling SMB signing, restricting SMB traffic between network segments, monitoring for unusual authentication attempts, and conducting regular vulnerability scans. Additionally, user awareness training on the risks of interacting with unknown or suspicious files is vital. The exploitation of CVE-2025-24054 serves as a clear reminder of how simple user actions can lead to serious security breaches, emphasizing the need for proactive cybersecurity strategies.

Impact

• Sensitive Credentials Theft
• Unauthorize Access

Indicators of Compromise

IP

• 159.196.128.120

MD5

• 489aa539835a09bdfc865ed2fe9b7f5d
• 0f39f48c4d32340fdd65cdf9ca6eb491
• 82870de4c0fa07e0d7f7a8267d25dc33

SHA-256

• 8fae5f0ae6070c39ba099735fe433cdb90ebb186b3f716847f29d7830e91e197
• 2ebe48f08cee2ec8eaf0b06cbe6901af486046b3347b336478bb6a879eff3815
• 2712870335c5086848c3728e379902b3636af1053ccd79eca84609a75ec80910

SHA-1

• 9ca72d969d7c5494a30e996324c6c0fcb72ae1ae

• 84132ae00239e15b50c1a20126000eed29388100

• 76e93c97ffdb5adb509c966bca22e12c4508dcaa

Affected Vendors

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Implement SMB signing to ensure the authenticity of SMB communications and deploy protection mechanisms against NTLM relay attacks.
• Use network segmentation to limit SMB protocol communication only to trusted systems, reducing lateral movement opportunities.
• Continuously analyze logs and network traffic for unusual or unauthorized SMB authentication attempts that may indicate exploitation.
• Conduct training to help users recognize phishing emails, avoid interacting with suspicious ZIP archives, and safely handle unknown files.
• Conduct Regular Vulnerability Scans and Security Audits.