On March 11, 2025, Microsoft publicly documented and patched the Windows vulnerability CVE-2025-24054. The vulnerability enables NTLM spoofing, but was classified by Microsoft as "difficult to exploit". Last week, Check Point pointed out that cybercriminals are attacking systems via CVE-2025-24054.
Windows vulnerability CVE-2025-24054
Microsoft documented the vulnerability CVE-2025-24054 on March 11, 2025 and closed it with security updates. This is an NTLM Hash Disclosure Spoofing vulnerability that is classified as Important, with a CVSS v3 score of 6.5.
The vulnerability is based on the fact that external control of file names or paths in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
Minimal interaction by a user with a malicious file (e.g., selecting by clicking or right-clicking or performing an action other than opening or executing the file, dragging and dropping, or simply navigating to the folder containing the malicious file) can trigger this vulnerability. Microsoft still classifies the vulnerability as "Exploitation Less Likely" and states that no exploitation is known.
Microsoft has released security updates to close the vulnerability for all Windows versions still in support (Windows Server 2008 R2 to Windows Server 2025, Windows 10, Windows 11); see the links at the end of the article. Rapid7 lists the relevant updates in this article.
NTLM (New Technology LAN Manager) is a set of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM works with a direct client-server exchange, the so-called NTLM challenge/response mechanism, in which the server asks the client to verify its identity without sending the user's actual password over the network.
Check Point and CISA warn of CVE-2025-24054
The US Cybersecurity Agency CISA has added the vulnerability CVE-2025-24054 to its catalog of exploited vulnerabilities as of April 17, 2025. I already came across the following tweet on April 16, 2025, warning about the vulnerability CVE-2025-24054 because there is an NTLM exploit that is being used.
Security researchers from Check Point Research point out in the article CVE-2025-24054, NTLM Exploit in the Wild of April 16, 2025 that this vulnerability has been actively exploited since March 19, 2025. CVE-2025-24054 is a vulnerability related to the disclosure of NTLM hashes via spoofing, which can be exploited with a maliciously crafted .library-ms file. According to the report, attackers could potentially capture NTLM hashes or user passwords via an exploit and compromise systems.
Although Microsoft released a patch on March 11, 2025, according to Check Point Research, attackers already had over a week to develop and deploy exploits before the vulnerability was actively exploited. On March 20 and 21, 2025, a campaign was launched against state and private institutions in Poland and Romania.
The attackers used malspam to distribute a Dropbox link containing an archive that exploited several known vulnerabilities, including CVE-2025-24054, to collect NTLMv2 SSP hashes. According to initial reports, the vulnerability was exploited once the .library-ms file was unpacked.
However, Microsoft's patch documentation notes that the vulnerability can also be triggered by minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of the already patched vulnerability CVE-2024-43451, as both have several similarities.
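A mail or download gateway can catch the delivery pattern described above (an archive carrying a .library-ms file that takes effect as soon as it is unpacked) before the archive reaches a user. The following Python check is an added example, not code from Check Point or Microsoft; the function names, recursion depth, size limit and the sample archive with placeholder content are assumptions constructed for illustration.

```python
import io
import zipfile

SUSPECT_EXT = ".library-ms"     # file type named in the Check Point report
MAX_DEPTH = 3                   # assumption: limit for nested archives
MAX_MEMBER = 50 * 1024 * 1024   # assumption: skip members larger than 50 MiB


def _normalize(name: str) -> str:
    # Windows drops trailing dots and spaces when it creates a file, so
    # "x.library-ms." still lands on disk as "x.library-ms".
    return name.replace("\\", "/").rstrip(". ").lower()


def find_library_ms(data: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return paths of .library-ms members in a ZIP, following nested ZIPs."""
    hits: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits                      # not a ZIP: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if _normalize(info.filename).endswith(SUSPECT_EXT):
                hits.append(path)        # flag by name; content is irrelevant
            elif depth < MAX_DEPTH and info.file_size <= MAX_MEMBER:
                try:
                    inner = archive.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue             # encrypted or corrupt member
                if inner[:4] == b"PK\x03\x04":   # ZIP local file header
                    hits += find_library_ms(inner, path + "!", depth + 1)
    return hits


def build_sample() -> bytes:
    """Constructed sample: placeholder content, only the names matter."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/Info.LIBRARY-MS", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"placeholder")
        z.writestr("xd.library-ms.", b"placeholder")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

Because exploitation was reported on unpacking, the check flags the member by name alone and never extracts anything to disk; encrypted members are skipped and would need a separate policy decision.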
Similar articles:
Microsoft Security Update Summary (March 11, 2025)
Patchday: Windows 10/11 Updates (March 11, 2025)
Patchday: Windows Server Updates (March 11, 2025)
Patchday: Microsoft Office Updates (March 11, 2025)