
A vulnerability in the Windows NTLM authentication protocol, which is known to have been actively exploited for at least a month, has been added to the US CISA’s Known Exploited Vulnerabilities Catalog.
While Microsoft deprecated NTLM last year, it remains widely used. Security researchers discovered the hash disclosure spoofing bug, and Microsoft quietly patched it in March. But creating a patch is one thing; getting users to install it is another. By adding the vulnerability, tracked as CVE-2025-24054, to its catalog, CISA is raising awareness that action needs to be taken.
In adding the NTLM vulnerability to its catalog, along with two Apple vulnerabilities, CISA says: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise”.
The specifics of CVE-2025-24054 show that it affects Windows 10, Windows 11, and Windows Server versions dating from 2008 to the present day. The description reads:
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
A directive exists that requires Federal Civilian Executive Branch (FCEB) agencies to take action to remediate such vulnerabilities (that is, install the patch), but CISA has advice for others too:
CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
This is far from being the first time issues have been found in NTLM, and security firm Check Point provides the following summary of the latest security findings:
- CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.
- Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
- Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.
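As an added example (not from the article, CISA or Check Point), the following defender-side triage script parses a Windows Library Description (.library-ms) file and flags any search location that points at a host outside private address space, which is the kind of content worth quarantining at a mail gateway or on an endpoint before a user browses the folder. The sample file and its 203.0.113.10 host are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Library Description (.library-ms) files.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample: a library whose only search location is a UNC path on an
# external host (documentation address 203.0.113.10), not a local folder.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Hosts treated as internal: RFC 1918 ranges, loopback and "localhost".
PRIVATE_OR_LOCAL = re.compile(
    r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|localhost$)"
)


def location_urls(xml_text: str) -> list[str]:
    """Return every <url> found under a <simpleLocation> element."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]


def is_remote_location(url: str) -> bool:
    """True if the location is a UNC path or http(s) URL whose host is not private/local."""
    m = re.match(r"^(?:\\\\|//)([^\\/]+)", url) or re.match(r"^https?://([^/:]+)", url, re.I)
    if not m:
        return False  # drive-letter or relative path: nothing to resolve over the network
    return not PRIVATE_OR_LOCAL.match(m.group(1).lower())


def suspicious_locations(xml_text: str) -> list[str]:
    """Locations that would make Explorer contact an outside host when the library is browsed."""
    return [u for u in location_urls(xml_text) if is_remote_location(u)]
```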
With Microsoft having patched the vulnerability in the March updates for Windows, installing these updates is important for security.
Image credit: Ruslan Batiuk / Dreamstime.com