Security researchers at Check Point have uncovered a widespread attack campaign exploiting a recently discovered Windows NTLM vulnerability (CVE-2025-24054). The attacks began merely a week after Microsoft’s March 2025 security patch release, demonstrating cybercriminals’ rapid response to new security flaws. This vulnerability, rated 6.5 on the CVSS scale, enables attackers to harvest Windows user authentication credentials through NTLM hash theft.
Understanding the Vulnerability Exploitation Mechanism
The vulnerability’s exploitation is remarkably straightforward, requiring minimal user interaction – simply opening or right-clicking a malicious file triggers the attack. Threat actors primarily distribute ZIP archives containing specially crafted .library-ms files. When users interact with these files, Windows Explorer automatically initiates SMB authentication to a remote server, resulting in the silent compromise of the user’s NTLM hash.
Attack Campaign Analysis and Geographic Distribution
Between March 19-25, 2025, researchers identified over ten distinct malicious campaigns targeting CVE-2025-24054. The stolen NTLM hashes were transmitted to command-and-control servers located across multiple countries, including Australia, Bulgaria, Netherlands, Russia, and Turkey. The campaigns showed particular focus on government institutions and private organizations in Poland and Romania.
Threat Actor Tactics and Security Implications
Upon obtaining NTLM hashes, attackers typically employ two primary attack vectors: password cracking through brute-force attacks or relay attacks. The severity of compromise depends on the stolen account’s privilege level, potentially enabling lateral movement across networks, privilege escalation, and complete domain compromise.
Advanced Persistent Threat Connection
Analysis of the malicious infrastructure revealed characteristics commonly associated with the notorious APT group Fancy Bear (APT28/Forest Blizzard/Sofacy). However, researchers emphasize that current evidence remains insufficient to definitively attribute these attacks to specific threat actors.
Organizations must take immediate action to protect against this actively exploited vulnerability. Critical security measures include promptly installing Microsoft’s latest security updates, implementing robust network monitoring (particularly for suspicious SMB requests), and conducting comprehensive security awareness training focusing on file handling from untrusted sources. Additionally, implementing multi-factor authentication and network segmentation can significantly reduce the risk of credential theft attacks.
