
Windows NTLM hash leak is actively exploited in attacks

A Windows security flaw is being actively exploited by cybercriminals: simply downloading a specially crafted .Library-MS file, or navigating into a folder that contains one, can be enough to steal NTLM password hashes. The US agency CISA considers the threat serious enough that it has mandated remediation for federal agencies.

Security flaw enables theft of password hashes

A Windows vulnerability recently patched by Microsoft, tracked as CVE-2025-24054, is currently being actively exploited by cybercriminals. It affects all common Windows versions and allows NTLM password hashes to be stolen with minimal user interaction.

"External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network." (Microsoft's description of CVE-2025-24054)

The flaw is exploited through specially crafted files with the extension ".Library-MS". Downloading or unzipping such a file, or merely navigating into a folder that contains one, can trigger the attack: Windows Explorer automatically initiates an SMB connection to the remote server named in the file and authenticates to it. What the attacker's server captures in that exchange is the user's NTLM challenge-response (commonly referred to as the NTLM hash), which can be cracked offline to recover the password or relayed to other services that accept NTLM.

The US cybersecurity agency CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and requires all US federal agencies to install the associated patch by May 8, 2025 at the latest. The listing is based on evidence of active exploitation in the wild.
Check Point researchers reported that the vulnerability has been exploited since March 19, 2025, only eight days after Microsoft published its patch.

The targeted campaign ran against government and private institutions in Poland and Romania on March 20 and 21. The addition to the KEV catalog underlines the urgency of the problem: the catalog lists vulnerabilities that are actively exploited and pose a significant risk, and it obliges US federal agencies to remediate them within a set deadline.

NTLM authentication as the weak point

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol based on password hashes. Microsoft has deprecated it and recommends Kerberos instead. Check Point warns that intercepted NTLM hashes can lead to authentication bypass and privilege escalation, since a captured challenge-response can be relayed to another NTLM-accepting service or cracked offline. Although the severity of CVE-2025-24054 is rated only "medium", the potential impact is serious.

Minimal interaction, maximum danger

The ease of exploitation is worrying. Already in December 2024, active exploitation of a similar NTLM hash-disclosure vulnerability became known, in which merely downloading the malicious files was enough to leak NTLM hashes. Organizations should install the relevant Microsoft updates immediately and disable NTLM authentication wherever it is not needed; before enforcing a block, NTLM auditing should be enabled to find the systems and applications that still depend on it. Blocking outbound SMB (TCP port 445) to the internet at the network perimeter prevents this class of leak from reaching an external attacker even on unpatched hosts.