Your credentials could be at risk without you having clicked on anything suspicious. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a new entry to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-24054. Classified as a spoofing vulnerability with a medium severity score (CVSSv3: 6.5), it affects the NTLM (New Technology LAN Manager) authentication protocol used in Microsoft Windows.
This flaw, which allows the disclosure of authentication hashes, was fixed by Microsoft in its March security update, but it has now been confirmed that it is being actively exploited by attackers in real-world scenarios, according to reports from Check Point Research. What is most worrying is that the attack does not require direct user intervention; it is enough for the system to automatically attempt to access a malicious remote resource for data to start leaking.
How does vulnerability CVE-2025-24054 work and why is NTLM still a risk?
Although Microsoft officially replaced the NTLM protocol with Kerberos in 2024, NTLM is still a problem. It has for years been one of the most attacked components of Windows authentication, through techniques such as pass-the-hash and so-called relay attacks. The new vulnerability, CVE-2025-24054, stems from a flaw in how Windows handles externally controlled file names and paths (CWE-73, External Control of File Name or Path).
This flaw allows an unauthenticated attacker to impersonate another user at the network level by abusing .library-ms files. What is most worrying, according to Microsoft, is that the victim does not need to open or execute the malicious file for the attack to work; minimal interaction is sufficient.
Figure: CVE-2025-24054 exploit PCAP. (Source: Check Point Research)
In recent weeks, malicious email campaigns have been detected that are exploiting this vulnerability in a rather clever way. Attackers send emails with links pointing to files hosted on legitimate platforms such as Dropbox. Downloading these files (usually compressed in .zip) and unzipping them automatically triggers a network request from Windows File Explorer to a server controlled by the attackers. And the worrying thing is that, in the process, the user's NTLMv2-SSP hashes are leaked, without the need for the user to open or run anything.
These attacks are not theoretical: real cases have already been seen targeting public and private organizations in countries such as Poland and Romania, especially between March 20 and 21, 2025. Later on, the attackers even refined their technique by directly using uncompressed .library-ms files, which helps them avoid detection systems that analyze the content of compressed files.
This vulnerability (CVE-2025-24054) did not come out of nowhere: it is an evolution of an earlier flaw, CVE-2024-43451, which was already used in attacks targeting countries such as Ukraine and Colombia. In those campaigns, groups known for their espionage operations exploited the stolen hashes to move laterally within compromised networks and escalate privileges.
Although Microsoft initially classified the risk of exploitation as “unlikely”, the truth is that time has proven otherwise. The attack is so quiet and easy to activate that it represents a critical risk, especially for organizations that still rely on legacy technologies such as NTLM.
In fact, the U.S. Cybersecurity Agency (CISA) has already required federal agencies to patch it. In addition to the patch, it is recommended to take additional measures such as:
- Disable NTLM using group policies and prioritize the use of Kerberos.
- Block unauthorized outbound SMB traffic at the firewall.
- Monitor any SMB traffic to unknown or untrusted domains.
- Train users not to open .library-ms or .zip files from dubious sources.
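The firewall and monitoring items above can be turned into a concrete check. The script below is an added example, not code from this article, from Microsoft or from Check Point Research: it scans connection-log lines and flags every outbound TCP connection to an SMB port (445 or 139) whose destination lies outside RFC 1918, loopback and link-local ranges and is not on an explicit allowlist of known external file servers. The pipe-separated log format, the sample lines, and the `parse_line`, `find_outbound_smb` and `summarize` names are all assumptions made for this example; a real deployment would adapt the parser to its own collector (Windows Filtering Platform connect events, Sysmon network events, or a Zeek `conn.log`).

```python
"""Flag outbound SMB connections to untrusted hosts in connection-log lines.

Added example for the mitigation list above; not code from the article or
from Check Point Research. The log format is CONSTRUCTED for this example:
a pipe-separated approximation of a firewall connect event,
    timestamp|direction|protocol|src_ip|src_port|dst_ip|dst_port|process
Adapt parse_line() for a real source (Sysmon network events, Zeek conn.log, ...).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# SMB over TCP: direct hosting (445) and the NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Destinations considered internal; anything else is "unknown or untrusted".
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 8:
        return None
    ts, direction, proto, src, _sport, dst, dport, proc = parts
    try:
        return {"ts": ts, "dir": direction.lower(), "proto": proto.upper(),
                "src": src, "dst": dst, "dport": int(dport), "proc": proc}
    except ValueError:
        return None


def is_trusted_destination(ip_str: str, allowlist: Iterable[str] = ()) -> bool:
    """True for internal ranges and explicitly allowlisted external file servers."""
    if ip_str in set(allowlist):
        return True
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable address: surface it for review rather than hide it
    return any(ip in net for net in INTERNAL_RANGES)


def find_outbound_smb(lines: Iterable[str], allowlist: Iterable[str] = ()) -> list:
    """Return one Finding per outbound TCP connection to an SMB port on an untrusted host."""
    allow = set(allowlist)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "outbound" or rec["proto"] != "TCP":
            continue
        if rec["dport"] not in SMB_PORTS or is_trusted_destination(rec["dst"], allow):
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["proc"]))
    return findings


def summarize(findings: Iterable[Finding]) -> Counter:
    """Count hits per (destination, process): repeated explorer.exe connections to
    one external host are the shape of an NTLM hash leak to an attacker-run server."""
    return Counter((f.dst_ip, f.process) for f in findings)


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "2025-03-20T10:01:02Z|outbound|TCP|10.0.0.15|50123|10.0.0.5|445|explorer.exe",       # internal file server
    "2025-03-20T10:01:05Z|outbound|TCP|10.0.0.15|50124|203.0.113.7|445|explorer.exe",    # external: flag
    "2025-03-20T10:01:06Z|inbound|TCP|198.51.100.9|40001|10.0.0.15|445|System",          # inbound: out of scope here
    "2025-03-21T08:30:00Z|outbound|TCP|10.0.0.22|50200|203.0.113.7|445|explorer.exe",    # same host again: flag
    "2025-03-21T08:31:00Z|outbound|UDP|10.0.0.22|50201|203.0.113.7|445|explorer.exe",    # not TCP: ignored
    "not a log line",                                                                     # malformed: skipped
    "2025-03-21T09:00:00Z|outbound|TCP|10.0.0.22|50300|192.0.2.44|139|svchost.exe",      # NetBIOS port: flag
    "2025-03-21T09:05:00Z|outbound|TCP|10.0.0.22|50301|198.51.100.20|445|explorer.exe",  # allowlisted partner
]

if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOG, allowlist={"198.51.100.20"})
    for hit in hits:
        print(f"{hit.timestamp} {hit.src_ip} -> {hit.dst_ip}:{hit.dst_port} ({hit.process})")
    for (dst, proc), count in summarize(hits).most_common():
        print(f"{count}x {proc} -> {dst}")
```

Run against the constructed sample, the script reports three hits: two from `explorer.exe` to the same external host on port 445, which is exactly the pattern produced when File Explorer renders a malicious .library-ms file, and one to a second external host on port 139. The allowlist exists because some organizations do have legitimate SMB peers outside their private ranges; every entry on it should be deliberate, and the same set of addresses is what an outbound firewall rule would permit while blocking all other SMB egress.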
All of this makes it clear that attackers continue to take advantage of obsolete technologies. As long as NTLM remains enabled and exposed, it will continue to be an ideal gateway for compromising networks. The best defense in this case is not just to apply a patch, but to close that door for good by disabling what should no longer be in use.