CISA Identifies Exploited Windows Vulnerability: Urgent Fixes Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity flaw in Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploits. The vulnerability, identified as CVE-2025-24054, received a CVSS score of 6.5 and is associated with a hash disclosure spoofing bug affecting the Windows New Technology LAN Manager (NTLM) protocol, which was patched by Microsoft last month as part of its Patch Tuesday updates.

NTLM, a legacy authentication protocol, has been deprecated by Microsoft in favor of Kerberos. Despite this, threat actors continue to abuse NTLM through techniques such as pass-the-hash and relay attacks, which rely on obtaining NTLM hashes. According to CISA, the vulnerability allows unauthorized attackers to perform spoofing over a network due to an external control of file name or path issue.

Microsoft stated that the flaw could be triggered with minimal user interaction, such as a single click on, or inspection of, a specially crafted .library-ms file. The vulnerability has gained attention because it is being exploited in the wild, including in a campaign that targeted government and private institutions in Poland and Romania.

Recent analyses from cybersecurity firm Check Point revealed that, as of March 19, attackers have been able to leak NTLM hashes or user passwords through this vulnerability. Check Point observed malspam distributing a link that exploits CVE-2025-24054 alongside other vulnerabilities to harvest NTLMv2-SSP hashes. Because leaked hashes can enable lateral movement and privilege escalation inside a compromised network, immediate patching is essential to mitigate potential attacks.

A second phishing campaign was reported recently, distributing an uncompressed “Info.doc.library-ms” file. Check Point documented at least 10 campaigns leveraging malicious .library-ms files to extract NTLMv2 hashes. The ease of exploitation underscores the urgent need for organizations to address NTLM vulnerabilities effectively.
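The campaigns described above hinge on .library-ms files whose declared storage location lives on a remote host rather than on the local machine, so a simple triage check on inbound attachments is one defensive control a mail or endpoint team can apply in addition to patching. The following Python is an added example and is not code from the article, CISA, Microsoft or Check Point; it assumes the Library Description XML layout (a libraryDescription root containing searchConnectorDescription, simpleLocation and url elements), matches on local element names so it tolerates the namespace being present or absent, and runs on two constructed sample files embedded inline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample files (not real campaign artifacts). The element names
# follow the Library Description schema assumed in the lead-in.
BENIGN_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptorList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>C:\\Users\\example\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptorList>
</libraryDescription>
"""

# Constructed: same layout, but the location points at a remote share.
SUSPICIOUS_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Info</name>
  <searchConnectorDescriptorList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\files.example.invalid\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptorList>
</libraryDescription>
"""


def _local_name(tag):
    """Strip a namespace prefix such as {uri}url down to url."""
    return tag.rsplit("}", 1)[-1]


def library_locations(xml_text):
    """Return every non-empty <url> value found anywhere in the library file."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if _local_name(el.tag) == "url" and el.text and el.text.strip()]


def is_remote_location(location):
    """True if resolving this location would make Explorer contact another host.

    UNC paths (\\\\host\\share or //host/share) and URL schemes with a network
    authority count as remote; local drive paths and file:///C:/... do not.
    """
    loc = location.strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        return True
    parsed = urlparse(loc)
    return parsed.scheme.lower() in {"smb", "file", "http", "https"} and bool(parsed.netloc)


def triage_library_file(xml_text):
    """Classify a .library-ms body.

    Returns ("clean", []), ("remote-location", [locations...]) or
    ("malformed", []) when the XML does not parse (worth a manual look).
    """
    try:
        locations = library_locations(xml_text)
    except ET.ParseError:
        return ("malformed", [])
    remote = [loc for loc in locations if is_remote_location(loc)]
    return ("remote-location", remote) if remote else ("clean", [])


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_LIBRARY), ("suspicious", SUSPICIOUS_LIBRARY)):
        verdict, remote = triage_library_file(body)
        print(f"{label}: {verdict} {remote}")
```

A mail gateway or EDR hook would feed the attachment body to triage_library_file and quarantine or alert on a "remote-location" verdict; the "malformed" verdict is kept separate because an unparseable library file is unusual enough to deserve a second look rather than being silently passed.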

Federal Civilian Executive Branch agencies are required to apply the necessary fixes by May 8, 2025, to protect their networks against this vulnerability amid ongoing threats. The speed with which this flaw was exploited underscores the importance of core cybersecurity practices, particularly user awareness and patch management, in organizational environments.