CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog

Summary

1. A major flaw in NTLM authentication has been exploited by attackers, making it a critical security issue despite Microsoft’s patch. 2. The vulnerability was identified and added to CISA’s Known Exploited Vulnerabilities Catalog in late 2025, remaining active for over a week after Microsoft released a fix. 3. Attackers exploited the .library-ms file through a distribution method that spread a Dropbox archive containing exploit code targeting government and private institutions in Poland and Romania, specifically affecting NTLMv2-SSP hashes.

Additional Summaries

A new Windows NTLM vulnerability, CVE-2025-24054, has been added to the US CISA catalog due to active exploitation since March 19, 2025. Microsoft patched it in March but attackers already had over a week to exploit it. The vulnerability allows attackers to spoof NTLM hashes by crafting malicious .library-ms files, with recent campaigns targeting government and private institutions in Poland and Romania via malspam links that distributed exploited archives.

A critical vulnerability in Windows NTLM authentication protocol, known as CVE-2025-24054, has been actively exploited since at least March 19, 2025, allowing unauthorized attackers to leak NTLM hashes or user passwords via a maliciously crafted .library-ms file. The US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog on March 11, 2025, when Microsoft quietly patched it. This vulnerability affects Windows 10, Windows 11, and versions dating back to 2008, highlighting the importance of timely remediation by installing the available patch to prevent further exploitation.

A vulnerability in the Windows NTLM authentication protocol, which is known to have been actively exploited for at least a month, has been added to the US CISA’s Known Exploited Vulnerabilities Catalog. The specifics of CVE-2025-24054 show that it affects Windows 10, Windows 11, and Windows versions dating from 2008 to present days. The description reads:External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes . Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including to harvest .