A medium-severity vulnerability (CVE-2025-24054) has been identified in Microsoft Windows, allowing attackers to capture NTLMv2 hashes through minimal user interaction. Exploitation involves specially crafted .library-ms files that, when interacted with (e.g., single-clicked or right-clicked), trigger an SMB authentication request to a malicious server, leaking the user’s NTLM hash. This vulnerability has been actively exploited in phishing campaigns targeting government and private institutions.

Impacted Versions

  • Windows 10 (versions 1507 to 22H2)
  • Windows 11 (versions 22H2 to 24H2)
  • Windows Server 2008 R2 SP1
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Vulnerabilities

  • CVE Identifier: CVE-2025-24054
    • Severity: Medium (CVSS v3.1 Score: 6.5)
    • Description: The vulnerability arises from external control of file names or paths in Windows NTLM, allowing an unauthorized attacker to perform spoofing over a network.
    • Impact: Exploitation can lead to credential compromise, lateral movement within networks, and potential unauthorized access to sensitive data.

Mitigations

  • Update: Apply the security updates released by Microsoft on 11 March 2025.
  • Disable NTLM Authentication: Where possible, disable NTLM to reduce the risk of hash leaks.
  • Implement Network Protections: Block outbound SMB connections to untrusted networks and enable SMB signing and NTLM relay protections.
  • User Awareness: Educate users about the risks of interacting with unsolicited files, especially those received via email.
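The network and NTLM mitigations above, as an added hardening script (not part of this advisory or Microsoft's guidance): it assumes an elevated PowerShell session on Windows 10/11 or Server 2012 R2 and later with the NetSecurity and SmbShare modules, and the hostname in the exception list is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added hardening example for the mitigations above (not part of the advisory).
# Assumes Windows 10/11 or Server 2012 R2+ with the NetSecurity and SmbShare modules.

# 1. Block outbound SMB (TCP 445, NetBIOS 139) to addresses Windows classifies as
#    "Internet" (outside the local subnets per Network Location Awareness), so a
#    .library-ms that points at an external host cannot complete the SMB handshake.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445,139 -RemoteAddress Internet -Profile Any | Out-Null
}

# 2. Require SMB signing on the client side so unsigned (including relayed) sessions are refused.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM to remote servers. This is the registry backing of the policy
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = allow all, 1 = audit all, 2 = deny all. Start with audit (1), review the
#    Applications and Services Logs > Microsoft > Windows > NTLM > Operational log,
#    then move to 2 once legacy servers that still need NTLM are in the exception list.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$mode = 1
$exceptions = @()   # e.g. 'legacy-nas.corp.example' (constructed placeholder)
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value $mode -Type DWord
if ($exceptions.Count -gt 0) {
    Set-ItemProperty -Path $lsa -Name 'ClientAllowedNTLMServers' -Value $exceptions -Type MultiString
}

# Report the resulting state for the change record.
[pscustomobject]@{
    OutboundSmbBlocked   = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    SmbClientSigning     = (Get-SmbClientConfiguration).RequireSecuritySignature
    RestrictOutgoingNtlm = (Get-ItemProperty -Path $lsa).RestrictSendingNTLMTraffic
}
```

The firewall rule complements, rather than replaces, the March 2025 update: it stops the leaked authentication from reaching an external host even on machines that have not yet been patched, while the NTLM restriction is what removes the hash from the wire.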

Resources and Further Reading