news 2025.05.12

Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability

Share:

In March 2025, cybersecurity researchers identified a critical vulnerability, CVE-2025-24054, affecting various Microsoft Windows systems. This flaw, related to NTLM (New Technology LAN Manager) hash disclosure via spoofing, has raised serious security concerns. The vulnerability is exploited through maliciously crafted .library-ms files, enabling attackers to leak NTLMv2-SSP hashes, potentially compromising user credentials and system integrity.

 

Attack Tactics and Techniques

Spear Phishing
Attackers distribute crafted .library-ms files through phishing emails or malicious links. Simply right-clicking or navigating to these files triggers the exploit.
Hash Capture
Interacting with these files—even through single-clicking, right-clicking, or merely navigating to a folder containing them—initiates an SMB (Server Message Block) authentication request to a malicious server controlled by the attacker.
Relay Attacks
Once obtained, the captured hashes facilitate NTLM relay attacks or Pass-the-Hash attacks, allowing lateral movement across networks without requiring password cracking.
Targeted Campaigns
Recent threat campaigns have specifically targeted government and private institutions in Europe, leveraging this vulnerability alongside other exploits.

 

Mitigation Strategies

Regular Updates & Patch Management
Ensure systems are always updated with the latest security patches to mitigate vulnerabilities.
System Hardening with Modern Authentication
Transition to modern authentication methods to reduce dependency on NTLM-based authentication.
Network Security Enhancements & Access Control
Implement strict SMB traffic filtering and zero-trust architecture to limit unauthorized access.
Continuous Monitoring & Threat Detection
Deploy advanced intrusion detection systems (IDS) and endpoint monitoring to identify suspicious activities early.
User Awareness & Vigilance
Conduct regular security training to educate users on identifying phishing attempts and malicious file interactions.