A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies.
The flaw, tracked as CVE-2025-24054, was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be.
However, Check Point researchers report having observed active exploitation activity for CVE-2025-24054 a few days after patches became available, culminating between March 20 and 25, 2025.
Although one IP address behind these attacks was previously linked to the Russian state-sponsored threat group APT28 ('Fancy Bear'), it isn't sufficient evidence for confident attribution.
Exposing NTLM hashes
NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that uses challenge-response negotiation involving hashes instead of transmitting plaintext passwords to authenticate users.
While NTLM avoids transmitting plaintext passwords, it is no longer considered secure due to weaknesses like relay attacks and brute-force cracking of captured hashes.
Because of this, Microsoft has begun phasing out NTLM authentication in favor of Kerberos or Negotiate.
In attacks seen by Check Point, phishing emails were sent to entities in Poland and Romania that included a Dropbox link to a ZIP archive containing a .library-ms file.
Phishing email attaching the exploit file (unzipped)
Source: Check Point
A .library-ms file is a legitimate file type that, when opened, shows a Windows library, or virtual container, that contains files and folders from different configured sources.
In this phishing attack, the .library-ms file was created to contain a path to a remote SMB server under the attacker's control.
Malicious .library-ms file
Source: Check Point
When extracting a ZIP file that contains a .library-ms file, Windows Explorer will interact with it automatically, triggering the CVE-2025-24054 flaw and causing Windows to make an SMB connection to the URL specified in the file.
When Windows connects to the remote SMB server, it will attempt to authenticate via NTLM, allowing the attacker to capture the user's NTLM hashes.
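As an added triage example (not code from the article or from Check Point), the following Python function parses a .library-ms document and flags any location entry that points at a remote host, which is the property a mail gateway or incident responder would check for. The Library schema namespace and both sample documents are assumptions constructed here, with a documentation-range IP standing in for an attacker host.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Matches a UNC path such as \\host\share (host captured).
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
REMOTE_SCHEMES = {"file", "smb", "http", "https", "webdav"}

def remote_locations(xml_text: str) -> list[str]:
    """Return every <url> value in a .library-ms document that names a remote
    host: UNC paths, or URLs whose scheme carries a network host. Entries such
    as knownfolder:{GUID} or local drive paths are ignored."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        # Strip the XML namespace so the check works with or without it.
        if el.tag.rsplit("}", 1)[-1] != "url":
            continue
        value = (el.text or "").strip()
        if UNC_RE.match(value):
            hits.append(value)
            continue
        parsed = urlparse(value)
        if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.netloc:
            hits.append(value)
    return hits

def is_suspicious(xml_text: str) -> bool:
    """True when the library points anywhere outside the local machine."""
    return bool(remote_locations(xml_text))

# Constructed samples; the namespace is assumed to be the one used by Windows
# Library definition files and is not taken from the article.
_HEAD = ('<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
         '<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>')
_TAIL = ('</simpleLocation></searchConnectorDescription>'
         '</searchConnectorDescriptionList></libraryDescription>')
BENIGN = _HEAD + "<url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>" + _TAIL
# 203.0.113.0/24 is a documentation range; it stands in for an attacker host.
SUSPICIOUS = _HEAD + r"<url>\\203.0.113.10\share</url>" + _TAIL

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, remote_locations(doc))
```

A benign library resolves only known folders and local paths, so any remote host in the list is a reason to quarantine the attachment before Explorer ever touches it.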
In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives weren't required to exploit the flaw.
"On March 25, 2025, Check Point Research discovered a campaign targeting companies around the world, distributing these files without being zipped," explains Check Point.
"According to Microsoft, this exploit is triggered with minimal user interaction with a malicious file, such as selecting (single-clicking), inspecting (right-clicking), or performing any action other than opening or executing the file."
The malicious archive also contains three more files, namely 'xd.url,' 'xd.website,' and 'xd.link,' which leverage older NTLM hash leak flaws and are most likely included for redundancy in case the 'library-ms' method fails.
Check Point says the attacker-controlled SMB servers in this campaign were using the 159.196.128(.)120 and 194.127.179(.)157 IP addresses.
Capturing NTLM hashes could open the way to authentication bypass and privilege escalation, so even though CVE-2025-24054 is only evaluated as a "medium" severity issue, its potential consequences are grave.
Given the low interaction required to exploit it, organizations should treat this as a high-risk issue. It is advised that all organizations install the March 2025 updates and turn off NTLM authentication if it isn't required.