{"uuid": "00b15597-d2d6-413f-b3a1-38c62db1e6b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "CVE-2025-24054, NTLM Exploit in the Wild - Checkpoint Research", "description": "- CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.\n \n - Around March 20\u201321, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.\n  \n\t- Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft\u2019s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file.\nThis exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.\n\n\nFor more details: [CVE-2025-24054, NTLM Exploit in the Wild](https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/)", "description_format": "markdown", "vulnerability": "CVE-2025-24054", "creation_timestamp": "2025-04-18T12:00:09.819215+00:00", "timestamp": "2025-04-18T12:00:09.819215+00:00", "related_vulnerabilities": ["CVE-2024-43451", "CVE-2025-24054"], "meta": [{"tags": ["vulnerability:exploitability=industrialised", "vulnerability:information=annotation", "vulnerability:origin=software"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
