A recently patched Windows vulnerability is being actively exploited in phishing campaigns targeting government and private-sector organizations, reports BleepingComputer. The flaw, tracked as CVE-2025-24054, was initially categorized as a low-risk issue but has since been weaponized in real-world attacks. Threat actors are using specially crafted .library-ms files to exploit this vulnerability, triggering automatic outbound connections from Windows Explorer to attacker-controlled servers. These connections enable the theft of NTLM authentication hashes without requiring the user to open or run any files.

NTLM, a legacy authentication protocol used in Windows environments, relies on hash-based challenge-response exchanges rather than transmitting plaintext passwords. Despite this, it has long been considered insecure due to its susceptibility to replay attacks and hash cracking. In the phishing campaigns observed, attackers embedded .library-ms files in ZIP archives or sent them directly via email, allowing them to extract NTLM hashes as soon as the files are previewed or interacted with, even minimally.

Check Point researchers identified that the phishing attacks included links or attachments targeting entities in Eastern Europe, particularly Poland and Romania. The technique exploited how Windows Explorer handles .library-ms files, causing it to reach out to SMB servers under the attackers' control. In later phases of the campaign, attackers skipped the ZIP archive entirely, sending .library-ms files directly, simplifying the delivery method and reducing barriers to exploitation.

Though Microsoft has released a patch, the speed at which attackers moved to exploit CVE-2025-24054 highlights the need for prompt patching and additional hardening. Organizations should not only apply the March 2025 security updates but also consider disabling NTLM authentication where feasible. Captured NTLM hashes can be leveraged for broader network compromise, making this a critical concern despite the flaw’s medium severity rating.
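
A mail-attachment triage check for the delivery method described above, as an added example that is not code from BleepingComputer, Check Point or Microsoft: it flags .library-ms files sent directly or inside ZIP archives and lists the remote hosts they reference. The function names, the size and nesting limits, and the sample file (a non-functional fragment with a placeholder host) are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Matches UNC paths (\\host\share) and file:// or smb:// URLs; captures the host.
REMOTE_REF = re.compile(r'(?:\\\\|(?:file|smb)://)([A-Za-z0-9_.\-]+)[\\/]', re.I)


def remote_hosts(data: bytes) -> list[str]:
    """Return sorted unique hosts referenced by UNC/file/smb paths in a file body."""
    # Library files are XML and may be UTF-8 or UTF-16; choose by byte-order mark.
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    text = data.decode(enc, errors="replace")
    return sorted({m.group(1).lower() for m in REMOTE_REF.finditer(text)})


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[dict]:
    """Flag .library-ms files sent directly or inside (nested) ZIP archives."""
    findings = []
    if name.lower().endswith(".library-ms"):
        findings.append({"path": name, "hosts": remote_hosts(data)})
    elif depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):  # bound nesting depth
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.is_dir() or info.file_size > 5_000_000:  # skip oversized members
                    continue
                if info.flag_bits & 0x1:  # encrypted member: name visible, body not
                    if info.filename.lower().endswith(".library-ms"):
                        findings.append({"path": path, "hosts": None})
                    continue
                findings += scan_attachment(path, zf.read(info), depth + 1)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: ZIP holding a non-functional .library-ms fragment."""
    body = "<libraryDescription><url>\\\\files.example.invalid\\share</url></libraryDescription>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Info.library-ms", body.encode("utf-16"))
        zf.writestr("docs/readme.txt", "constructed filler")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment("mail.zip", build_sample_zip()):
        print(finding)
```

Any finding is worth quarantining on file type alone; the host list gives responders a value to search for in SMB egress and proxy logs.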