Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054)
CVE number = CVE-2025-24054
This is a spoofing vulnerability involving the Windows New Technology LAN Manager (NTLM) hash, which Microsoft addressed in last month’s Patch Tuesday updates.
According to Check Point, around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link to an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
On March 11, 2025, Microsoft released a security patch addressing a vulnerability in Windows Explorer that exposed NTLMv2-SSP hashes. The flaw, tracked as CVE-2025-24054, was present in all recent versions of Windows and could be exploited when a user simply extracts a ZIP archive containing a malicious .library-ms file. When this file is extracted, Windows Explorer automatically initiates an SMB authentication request to a remote server, unintentionally leaking the user’s NTLM hash, without requiring any user interaction.
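As a defensive illustration of the delivery path described above (an added example, not code from the original article, Microsoft or Check Point), the following Python check inspects a ZIP archive without extracting it to disk and flags any .library-ms member that references a remote host. It assumes the remote SMB target appears in the file as a UNC path; the function names, the size limit and the sample archive are constructed for this example.

```python
import io
import re
import zipfile

# Assumption: the remote SMB target is written in the file as a UNC path (\\host\share).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.\-]+)\\[^\s<>\"']+")

def decode(raw: bytes) -> str:
    # .library-ms files are XML text; handle a UTF-16 BOM, otherwise treat as UTF-8.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_archive(data: bytes, max_member_size: int = 1_000_000):
    """Return (member name, remote host) for each UNC path found in .library-ms members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > max_member_size:
                # Do not read unexpectedly large members; report them for manual review.
                findings.append((info.filename, "<oversized, not inspected>"))
                continue
            text = decode(zf.read(info))
            for match in UNC_RE.finditer(text):
                findings.append((info.filename, match.group(1)))
    return findings

def build_sample() -> bytes:
    # Constructed sample: text fragments only, not complete library files.
    # 192.0.2.10 is a documentation-range address.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.library-ms", "<url>\\\\192.0.2.10\\share</url>")
        zf.writestr("docs/local.library-ms", "<url>C:\\Users\\Public\\Documents</url>")
        zf.writestr("readme.txt", "see \\\\192.0.2.10\\share")
    return buf.getvalue()

if __name__ == "__main__":
    for name, host in scan_archive(build_sample()):
        print(f"{name}: references remote host {host}")
```

A hit is a reason to quarantine the archive before any user extracts it; a clean result does not prove the archive is safe, since only this one file type and path form are checked.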
What is NTLM?
NTLM (New Technology LAN Manager) is a suite of security protocols used by Microsoft to authenticate users and computers in a network, especially within older Windows environments.
Here’s a breakdown:
- What it does: NTLM verifies a user’s identity when they try to access shared network resources, like a file server or a printer.
- How it works: Instead of sending a password over the network, NTLM uses a challenge-response mechanism. The server sends a challenge, the client encrypts it using the user’s password hash, and the server checks if it matches.
- Why it’s outdated: NTLM is considered insecure by modern standards. It’s vulnerable to various attacks like relay attacks, hash cracking, and pass-the-hash. Microsoft has been encouraging organizations to move to Kerberos, which is more secure and efficient.
In short, NTLM is an older authentication method that still exists for compatibility reasons but isn’t recommended for secure environments anymore.

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.