Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure
Analysis Summary
# Vulnerability: Windows NTLM Hash Disclosure via .library-ms File
## CVE Details
- CVE ID: CVE-2025-24054
- CVSS Score: 6.5 (Medium)
- CWE: External Control of File Name or Path
## Affected Systems
- Products: Microsoft Windows
- Versions: Unspecified (Covered by the March Patch Tuesday updates)
- Configurations: Systems processing specially crafted `.library-ms` files.
## Vulnerability Description
The vulnerability is an External Control of File Name or Path weakness in the Windows New Technology LAN Manager (NTLM) protocol implementation. An unauthorized attacker can trigger it over a network with only minimal user interaction with a specially crafted `.library-ms` file: single-clicking the file, right-clicking it (for example to inspect its properties), or simply downloading and extracting a malicious ZIP archive that contains it. Any of these actions causes Windows to initiate an SMB authentication request to a remote server, which discloses the user's NTLM hash (an NTLMv2-SSP response).
## Exploitation
- Status: Exploited in the wild (Active exploitation reported since March 19, 2025)
- Complexity: Low (Minimal user interaction required; often just downloading/extracting an archive)
- Attack Vector: Network
## Impact
- Confidentiality: High (Leakage of NTLM hashes/user passwords)
- Integrity: Medium (Potential for credential reuse in relay/pass-the-hash attacks)
- Availability: Low (No direct impact, but a precursor to further compromise)
## Remediation
### Patches
- Patched by Microsoft as part of the March 2025 Patch Tuesday updates. (Specific version numbers not provided in the text.)
### Workarounds
- Disable or restrict NTLM usage where possible.
- Implement enhanced network monitoring for anomalous SMB authentication requests originating from user workstations; because the leak needs no explicit action by the user to authenticate, any outbound SMB session from a workstation to an unknown or external host is suspect.
## Detection
- **Indicators of Compromise (IOCs):** Network activity showing SMB authentication requests initiated by client machines to unexpected or untrusted remote servers upon file interaction (especially involving compressed files or specific file types like `.library-ms`).
- **Detection Methods and Tools:** Monitoring for NTLM hash leakage via network traffic analysis. Security teams should focus on systems that recently processed unknown files distributed via means like malspam or phishing campaigns.
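The following script is an added illustration of the network-side detection described above; it is not code from the page's sources (CISA, Microsoft or Check Point). It assumes a constructed, whitespace-separated firewall log format (`timestamp src dst proto dport action`) and a hypothetical internal address plan, and flags SMB (TCP 445/139) connections from internal hosts to any destination outside RFC 1918 space or an explicit allowlist, which is the symptom of a `.library-ms`-triggered NTLM hash leak leaving the network.

```python
"""Flag outbound SMB sessions from internal hosts to external destinations.

Added example for CVE-2025-24054 detection; log format, subnets and sample
records are all constructed for this illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed internal address space: anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample log lines (not real traffic). 203.0.113.9 stands in for
# an attacker-controlled SMB server; 10.20.0.10 is an internal file server.
SAMPLE_LOGS = """\
2025-04-17T09:12:03Z 10.20.1.55 10.20.0.10 tcp 445 allow
2025-04-17T09:12:07Z 10.20.1.55 203.0.113.9 tcp 445 allow
2025-04-17T09:12:08Z 10.20.1.55 203.0.113.9 tcp 445 allow
2025-04-17T09:13:41Z 10.20.1.77 198.51.100.25 tcp 443 allow
2025-04-17T09:14:02Z 10.20.2.14 203.0.113.9 tcp 445 deny
2025-04-17T09:15:30Z 10.20.1.90 192.168.5.5 tcp 139 allow
this line is malformed and is skipped
"""


@dataclass(frozen=True)
class Finding:
    src: str        # internal host that initiated SMB to the outside
    dst: str        # external destination that would receive the NTLM response
    attempts: int   # total SMB connection attempts seen
    allowed: int    # attempts the firewall let through (hash likely leaked)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "action": action.lower(),
        }
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_leaks(log_text, extra_trusted=()):
    """Return one Finding per (internal src, external dst) pair that spoke SMB.

    extra_trusted lists external addresses (e.g. a sanctioned cloud file
    service) that should not be reported.
    """
    trusted = {ipaddress.ip_address(t) for t in extra_trusted}
    counts = defaultdict(lambda: [0, 0])   # key -> [attempts, allowed]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        # Only internal sources matter: the leak originates on a workstation.
        if not is_internal(rec["src"]):
            continue
        # SMB to internal servers or an allowlisted host is normal.
        if is_internal(rec["dst"]) or rec["dst"] in trusted:
            continue
        key = (str(rec["src"]), str(rec["dst"]))
        counts[key][0] += 1
        if rec["action"] == "allow":
            counts[key][1] += 1
    return [Finding(s, d, attempts, allowed)
            for (s, d), (attempts, allowed) in sorted(counts.items())]


if __name__ == "__main__":
    for f in find_smb_leaks(SAMPLE_LOGS):
        status = "LEAKED" if f.allowed else "blocked"
        print(f"{f.src} -> {f.dst}: {f.attempts} SMB attempt(s), {status}")
```

A denied connection still deserves triage: it shows a workstation tried to authenticate outward, so the host has most likely already handled a malicious `.library-ms` file even though the perimeter stopped the hash from leaving. Feed real firewall, proxy or NetFlow exports in after adapting `parse_line` to their field order.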
## References
- Microsoft Update Guide: msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
- CISA Alert: cisa.gov/news-events/alerts/2025/04/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
- Check Point Research: research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/