Windows NTLM Vulnerability Exploited in Multiple Attack Campaigns (CVE-2025-24054)
Summary:
CVE-2025-24054 is a recently patched Windows vulnerability that enables NTLM hash disclosure and has been actively exploited in targeted phishing campaigns. The flaw allows attackers to capture the NTLMv2-SSP response sent by a victim's machine to a malicious SMB server, without requiring the victim to open the malicious file—only minimal interaction, such as selecting or inspecting the file, is enough to trigger the exploit. Once obtained, these hashes can be brute-forced offline or reused in NTLM relay attacks, where the attacker impersonates the victim on another service to gain unauthorized access. Relay attacks are especially dangerous when the compromised credentials belong to privileged users, as they can facilitate privilege escalation and lateral movement across the network.
Initially reported to Microsoft by three researchers, the flaw was first tracked as CVE-2025-24071 before being reassigned to CVE-2025-24054. It bears close resemblance to CVE-2024-43451, a 2024 zero-day previously used to target Ukrainian entities. Microsoft released patches for both vulnerabilities on March 11, 2025, classifying them as spoofing vulnerabilities. While not remote code execution flaws, their ability to compromise authentication processes makes them high-priority for patching, particularly in enterprise environments that still rely on NTLM for authentication—despite Microsoft deprecating the protocol in 2024 in favor of Kerberos.
Security Officer Comments:
Attack activity began almost immediately after a proof-of-concept (PoC) and technical write-up were published on March 16 and 18. By March 19, Check Point observed exploitation in the wild, with phishing campaigns ramping up across March 20–21 targeting government and private entities in Poland and Romania. The attacks used phishing emails containing Dropbox links to a file named xd.zip, which included four embedded files crafted to leak NTLMv2-SSP hashes. One of these exploited CVE-2025-24054, while another triggered CVE-2024-43451. All files connected to a known malicious SMB server at IP address 159.196.128[.]120, previously associated with the Russia-linked APT28 (aka Fancy Bear or Forest Blizzard).
By March 25, Check Point identified at least ten additional phishing campaigns globally that followed the same pattern. The emails were engineered to appear legitimate and lure recipients into downloading and interacting with the ZIP archive. Once the archive was extracted and even lightly interacted with, the victims' NTLM hashes were transmitted to the attacker-controlled SMB infrastructure.
Suggested Corrections:
Microsoft has provided patches for all supported versions of Windows and Windows Server. However, organizations running outdated systems such as Windows 7, Windows 10 v21H2, and Server 2008 R2 or 2012 R2 must consider alternative mitigations such as micropatching through third-party services like 0patch. Organizations are urged to prioritize these updates, restrict outbound SMB traffic, and further reduce NTLM usage by accelerating the transition to Kerberos-based authentication wherever possible.
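To complement the advice to restrict outbound SMB, the following added example (not code from this bulletin, Check Point or Microsoft) scans Windows Firewall log records for the traffic pattern these lures produce: the victim host itself opening TCP 445/139 to a server outside the internal address space. It assumes the pfirewall.log field layout and that internal ranges are RFC 1918 plus loopback and link-local; the log lines are constructed, with 203.0.113.5 (a documentation address) standing in for an attacker-controlled SMB server.

```python
# Added example, not from the bulletin: flag host-initiated SMB connections
# to non-internal addresses in Windows Firewall (pfirewall.log) records.
# Assumptions: internal ranges are RFC 1918 plus loopback/link-local; the
# sample lines are constructed, with 203.0.113.5 (a documentation address)
# standing in for an attacker-controlled SMB server.
import ipaddress

SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-20 09:14:02 ALLOW TCP 10.0.5.23 10.0.1.10 51422 445 0 - 0 0 0 - - - SEND
2025-03-20 09:14:07 ALLOW TCP 10.0.5.23 203.0.113.5 51430 445 0 - 0 0 0 - - - SEND
2025-03-20 09:14:09 ALLOW TCP 10.0.5.23 198.51.100.7 51431 443 0 - 0 0 0 - - - SEND
2025-03-20 09:14:11 ALLOW TCP 203.0.113.5 10.0.5.23 445 51430 0 - 0 0 0 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, parts))

def is_internal(ip_text):
    """True if the address lies in INTERNAL_NETS; unparseable text is not internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb(text):
    """Return (timestamp, src, dst, port) for SEND-path TCP records to SMB ports outside INTERNAL_NETS."""
    hits = []
    for rec in parse_firewall_log(text):
        # RECEIVE records and connections to internal file servers are ignored
        if rec["path"] != "SEND" or rec["protocol"] != "TCP" or not rec["dst-port"].isdigit():
            continue
        port = int(rec["dst-port"])
        if port in SMB_PORTS and not is_internal(rec["dst-ip"]):
            hits.append((f"{rec['date']} {rec['time']}", rec["src-ip"], rec["dst-ip"], port))
    return hits
```

Running `find_outbound_smb(SAMPLE_LOG)` on the constructed records returns only the 09:14:07 connection to 203.0.113.5; the same logic applies to a real pfirewall.log once logging of allowed connections is enabled.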
The discovery and subsequent exploitation of CVE-2025-24054, a vulnerability involving NTLM Hash Disclosure Spoofing, underscores the growing sophistication of cyberattacks and the urgency for prompt patching and vigilance. Despite Microsoft releasing a security update on March 11, 2025 to address the issue, the vulnerability was actively exploited less than two weeks later in campaigns targeting government and private institutions in Poland and Romania. With the ongoing evolution of these attack vectors, staying ahead of the threat requires a proactive approach to both patch management and network security, as attackers continually adapt to find new ways to exploit weaknesses.
Link(s):
https://www.helpnetsecurity.com/202...-in-multiple-attack-campaigns-cve-2025-24054/
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/