Microsoft Windows NTLM Hash Disclosure Vulnerability

Summary

A medium-severity vulnerability (CVE-2025-24054) has been identified in Microsoft Windows, allowing attackers to capture NTLMv2 hashes through minimal user interaction. Exploitation involves specially crafted .library-ms files that, when interacted with (e.g., single-clicked or right-clicked), trigger an SMB authentication request to a malicious server, leaking the user’s NTLM hash. This vulnerability has been actively exploited in phishing campaigns targeting government and private institutions.


Impacted Versions

  • Windows 10 (versions 1507 to 22H2)

  • Windows 11 (versions 22H2 to 24H2)

  • Windows Server 2008 R2 SP1

  • Windows Server 2012 and 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025


Vulnerabilities

CVE Identifier: CVE-2025-24054

Severity: Medium (CVSS v3.1 Score: 6.5)

Description: The vulnerability arises from external control of file names or paths in Windows NTLM, allowing an unauthorized attacker to perform spoofing over a network.

Impact: Exploitation can lead to credential compromise, lateral movement within networks, and potential unauthorized access to sensitive data.


Mitigations

  1. Update: Apply the security updates released by Microsoft on 11 March 2025.

  2. Disable NTLM Authentication: Where possible, disable NTLM to reduce the risk of hash leaks.

  3. Implement Network Protections: Block outbound SMB connections to untrusted networks and enable SMB signing and NTLM relay protections.

  4. User Awareness: Educate users about the risks of interacting with unsolicited files, especially those received via email.
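As an added example (not part of the original advisory and not Microsoft's or any vendor's code), the following Python triage routine supports the file-handling and awareness mitigations above: it flags .library-ms attachments, including ones packed inside ZIP archives, that reference a remote host. It assumes the remote server appears in the file as a UNC path or file:// URL and that attachments may arrive zipped; all function names, hosts and sample data are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: the remote server is referenced as a UNC path (\\host\share) or a
# file://host/ URL. Hosts are reported so they can be compared to an allowlist.
REMOTE_REF = re.compile(r"(?:\\\\|file://)([A-Za-z0-9][A-Za-z0-9._-]*)[\\/]", re.I)


def decode(data: bytes) -> str:
    """Decode file bytes as UTF-16 when a BOM is present, otherwise UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def remote_hosts(data: bytes, allowed=frozenset()) -> list[str]:
    """Return remote hosts referenced in one .library-ms file, minus allowed ones."""
    hosts = {m.group(1).lower() for m in REMOTE_REF.finditer(decode(data))}
    return sorted(hosts - {h.lower() for h in allowed})


def scan_attachment(name, data, allowed=frozenset(), depth=2):
    """Return (member path, host) findings for a file or ZIP attachment."""
    findings = []
    if name.lower().endswith(".library-ms"):
        findings += [(name, h) for h in remote_hosts(data, allowed)]
    elif depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 1_000_000:  # skip oversized members
                    continue
                inner = scan_attachment(info.filename, zf.read(info), allowed, depth - 1)
                findings += [(f"{name}!{path}", host) for path, host in inner]
    return findings


def constructed_sample() -> bytes:
    """Constructed ZIP holding a stub .library-ms (deliberately not a valid library file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.library-ms", "constructed stub: \\\\203.0.113.5\\share")
        zf.writestr("notes.txt", "ignored, wrong extension: \\\\203.0.113.9\\x")
    return buf.getvalue()


if __name__ == "__main__":
    for path, host in scan_attachment("invoice.zip", constructed_sample()):
        print(f"ALERT {path} references remote host {host}")
```

Passing internal file servers in `allowed` keeps legitimate libraries from alerting; anything left over is a candidate for quarantine and for the outbound SMB block in mitigation 3.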


Resources and Further Reading


Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.
