Full Report
An NTLM hash-disclosure spoofing vulnerability that leaks hashes with minimal user interaction has been observed being exploited in the wild.
Analysis Summary
# Vulnerability: Windows NTLM Hash Leakage via Crafted .library-ms File
## CVE Details
- CVE ID: CVE-2025-24054
- CVSS Score: N/A (not given in the source text; active in-the-wild exploitation suggests high severity)
- CWE: N/A (implied: improper input validation leading to information disclosure / authentication bypass)
## Affected Systems
- Products: Windows systems
- Versions: not specified; the issue is addressed by the March 11, 2025 patch cycle, so systems that have not taken that update are affected.
- Configurations: systems where users interact with crafted `.library-ms` files through navigation or other interaction (e.g., right-click, drag-and-drop).
## Vulnerability Description
A critical vulnerability in Windows allows remote attackers to leak NTLM authentication hashes (NTLMv2-SSP) with minimal user interaction. The exploit is triggered when a user interacts with a specially crafted `.library-ms` file. Merely navigating to the folder containing this file is enough to initiate an SMB authentication request, causing the system to send the user's NTLM hash to an attacker-controlled server. This appears to be a variant of a previously patched vulnerability (CVE-2024-43451).
## Exploitation
- Status: exploited in the wild (observed targeting Poland and Romania)
- Complexity: Low (minimal user interaction is required once the file has been delivered via phishing)
- Attack Vector: Network (delivery via Dropbox links in phishing emails)
## Impact
- Confidentiality: High (leakage of NTLM hashes, which can lead to credential theft and lateral movement)
- Integrity: N/A (the primary impact is disclosure)
- Availability: N/A
## Remediation
### Patches
- Microsoft released a patch on March 11, 2025. **Users must apply the associated update for CVE-2025-24054.**
### Workarounds
- Block or restrict access to Dropbox links that deliver potentially malicious archives or files.
- Educate users not to download, extract, or browse folders containing unknown `.library-ms` files received from external sources.
## Detection
- Indicators of Compromise: outbound SMB connection attempts from client machines to unusual or external IP addresses, occurring immediately after a user navigation action (e.g., opening a folder).
- Detection methods and tools: monitor network traffic for unexpected NTLM authentication requests from user workstations to hosts that are not domain controllers, or to unauthorized external hosts. Security teams should also verify that the March 11, 2025 Windows security updates have been deployed promptly.
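As an added illustration of the detection guidance above (example code, not part of the original report), the following Python script scans connection-log lines and flags SMB (TCP 445) connections from workstation subnets to hosts that are not approved SMB servers, distinguishing external destinations from unapproved internal ones. The log format, the workstation subnet, the approved-server list and every IP address in it are constructed assumptions for the example, not values from the report.

```python
"""
Flag outbound SMB connections from workstations to hosts that are not
approved SMB servers (domain controllers, file servers).

Added example, not from the original report. The log format and all
addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed connection-log sample: "timestamp src_ip dst_ip dst_port proto".
SAMPLE_LOG = """\
2025-03-20T09:14:02Z 10.20.5.37 10.20.1.10 445 tcp
2025-03-20T09:14:05Z 10.20.5.37 203.0.113.45 445 tcp
2025-03-20T09:14:05Z 10.20.5.37 203.0.113.45 443 tcp
2025-03-20T09:15:11Z 10.20.5.41 10.20.9.200 445 tcp
2025-03-20T09:15:30Z 10.20.1.10 10.20.1.11 445 tcp
"""

# Assumed environment (placeholders): the workstation subnet, the ranges
# considered internal, and the hosts that legitimately serve SMB.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_SMB_SERVERS = {ipaddress.ip_address("10.20.1.10")}
SMB_PORT = 445  # SMB over TCP


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def in_any(ip, nets):
    return any(ip in net for net in nets)


def classify(ts, src, dst, port, proto):
    """Return an Alert for a suspicious SMB connection, else None."""
    # Only SMB connections that originate from a workstation are of interest.
    if proto != "tcp" or port != SMB_PORT or not in_any(src, WORKSTATION_NETS):
        return None
    # Workstations should never speak SMB to addresses outside the internal ranges.
    if not in_any(dst, INTERNAL_NETS):
        return Alert(ts, str(src), str(dst), "SMB to external address")
    # Internal, but not one of the servers expected to receive SMB authentication.
    if dst not in APPROVED_SMB_SERVERS:
        return Alert(ts, str(src), str(dst), "SMB to unapproved internal host")
    return None


def find_suspicious_smb(log_text):
    """Run the classifier over every non-empty line and collect alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(*parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_smb(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}: {a.reason}")
```

Run on the sample, the script reports the connection to 203.0.113.45 as SMB to an external address and the connection to 10.20.9.200 as SMB to an unapproved internal host; the HTTPS connection and the server-to-server SMB traffic are ignored. Internal ranges are listed explicitly rather than relying on `ipaddress`'s `is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as non-global, which would hide the external case in this sample.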
## References
- Vendor Advisories: Microsoft Advisory for CVE-2025-24054 (Released March 11, 2025)
- Relevant links:
  - infosecurity-magazine com/news/ntlm-hash-exploit-targets-poland-and-romania-days-after-patch/
  - CVE-2024-43451 (prior related issue, for context)