The exploitation of a Windows NTLM vulnerability started roughly a week after patches were released last month, Check Point warns.
Tracked as CVE-2025-24054 (CVSS score of 6.5) and resolved on March 2025 Patch Tuesday, the medium-severity flaw could allow NTLM hash disclosure, enabling attackers to perform spoofing attacks over a network.
According to Microsoft’s advisory, successful exploitation of the bug requires minimal interaction from the user. Simply selecting or right-clicking a malicious file could trigger the security defect.
One week after patches were rolled out for CVE-2025-24054, threat actors started exploiting it in attacks targeting government and private institutions in Poland and Romania, Check Points says.
“This vulnerability is triggered when a user extracts a ZIP archive containing a malicious .library-ms file. This event will trigger Windows Explorer to initiate an SMB authentication request to a remote server and, as a result, it leaks the user’s NTLM hash without any user interaction,” the cybersecurity firm notes.
After exposing the NTLM hash, an attacker could perform brute-force attacks to extract the user’s password, or could mount relay attacks.
Depending on the privileges of the compromised account, the attacker could then move laterally on the network, escalate privileges, and potentially compromise the domain.
While Microsoft does not flag CVE-2025-24054 as exploited in its advisory, between March 19 and March 25, Check Point observed roughly a dozen malicious campaigns targeting it. The extracted NTLM hashes were collected on SMB servers in Australia, Bulgaria, the Netherlands, Russia, and Turkey.
“[One] campaign appears to have occurred around March 20–21, 2025. The main targets seem to have been the Polish and Romanian governments and private institutions. The campaign targeted the victims via email phishing links, which include an archive file, downloaded from Dropbox,” Check Point explains.
One of the files inside the archive is associated with CVE-2024-43451, a Windows NTLM hash disclosure bug exploited as a zero-day by Russian threat actors, while another referenced an SMB server associated with the Russian state-sponsored APT Fancy Bear, also known as APT28, Forest Blizzard, and Sofacy.
Check Point also warns that, in at least one campaign observed on March 25, the malicious .library-ms file was distributed unzipped.
On Thursday, the US cybersecurity agency CISA added CVE-2025-24054 to its Known Exploited Vulnerabilities (KEV) list. As mandated by BOD 22-01, federal agencies should patch the flaw by May 8, but CISA urges all organizations to prioritize addressing the bugs in the KEV catalog.
Related: CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days
Related: Microsoft Patches 125 Windows Vulns, Including Exploited CLFS Zero-Day
Related: Newly Patched Windows Zero-Day Exploited for Two Years
