A new vulnerability, tracked as CVE-2025-24054, is currently being actively exploited to steal the NTLM hash from Windows systems, often with little or no user interaction. 

This serious security concern once again highlights the dangers of relying on legacy protocols like NTLM and the importance of swift patching and proactive defense.

This article will help you to understand how this vulnerability works, what the risks are, and how to protect your organization from NTLM hash theft and misuse.

NTLM Hash

What Is CVE-2025-24054?

CVE-2025-24054 is a Windows spoofing vulnerability that allows attackers to trick a system into leaking NTLM hash, which are encoded versions of a user’s password used in NTLM authentication. 

Despite Microsoft officially deprecating NTLM in favor of the more secure Kerberos protocol, many organizations still have NTLM enabled for compatibility reasons. This leaves systems exposed to NTLM hash leaks, which can be exploited in pass-the-hash attacks and other forms of credential misuse.

This vulnerability is classified as an NTLM hash disclosure issue that occurs through spoofed file interactions. It carries a CVSS score of 6.5, marking it as a medium-severity flaw. 

What makes this threat particularly dangerous is how easy it is to trigger; all an attacker needs to do is get a user to click, preview, or right-click a malicious .library-ms file, without requiring the user to open or execute it. This vulnerability is being actively exploited in real-world attacks, making immediate mitigation a high priority.

 

How NTLM Hash Theft Happens in Detail?

Unfortunately, this attack is very simple and is also highly effective.

Here are the detailed steps of how it happens:

  1. The attacker sends a malicious file, often named something like Info.doc.library-ms, via phishing email or download link.

  2. The victim clicks or previews the file.

  3. Without warning, Windows tries to access a remote location embedded in the file.

  4. This causes the system to send the NTLM hash to an attacker-controlled server over SMB or WebDAV.

  5. The attacker now has the victim’s NTLM hash, which can be:

    • Cracked offline to reveal the password
    • Used directly in a pass-the-hash attack to access other systems

These attacks require almost no user interaction, making them hard to detect and very effective in phishing campaigns.

 

Why NTLM Hash Exposure Is a Major Threat?

With access to NTLM hashes, cybercriminals can:

  • Move laterally within a network

  • Escalate privileges

  • Access sensitive systems and data

  • Launch pass-the-hash attacks without needing to crack the password

Even a single NTLM hash leak can lead to full domain compromise in a poorly segmented or unmonitored environment.

 

How to Protect Your Business from NTLM Hash Theft

At Meta Techs, we recommend taking these steps immediately to prevent NTLM hash disclosure in your network:

1. Apply Microsoft’s Security Patch

Microsoft released a fix for CVE-2025-24054 in March 2025. Apply this update immediately across all systems. 

2. Block Outbound NTLM Authentication

Use firewall rules and endpoint protection to block SMB and WebDAV traffic to external IP addresses. This prevents NTLM hashes from being sent to malicious servers.

3. Disable NTLM Where Possible

If your network supports it, disable NTLM entirely through Group Policy and enforce Kerberos or modern authentication protocols.

4. Scan for .library-ms Files

Audit your environment for any .library-ms files received via email or downloaded from external sources. Treat these as high-risk.

5. Train Employees to Recognize Threats

Inform users not to open or preview unexpected files, especially if they come in email attachments or suspicious downloads.

 

Conclusion:

The active exploitation of CVE-2025-24054 is a powerful reminder that even medium severity bugs can have high-impact results, especially when NTLM hashes are involved.

NTLM hash theft continues to be a popular method for attackers to gain initial access and move within a network.

 By keeping systems updated, disabling legacy protocols, and training users to avoid risky behavior, organizations can reduce their exposure significantly.

 

Contact Meta Techs Today

 

 

Related posts:

Website Hack RepairWebsite hack repair service with meta techs FawryFawry comments on cyber attacks and data leaking data retention policy best practicesEffective Policy for data retention policy best practices fortinet vulnerability 2024the Latest fortinet vulnerability 2024 ISO 27001What Is ISO 27001?, Core Principles, Benefits, and Requirements Cylance Protect AntivirusCylance Protect Antivirus for Your Digital Assets

More articles