Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
CVE-2025-24054, a Windows NTLM hash disclosure vulnerability for which Microsoft issued patches last month, has been leveraged by threat actors in campaigns targeting government and private institutions in Poland and Romania.
“Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems,” Check Point researchers have shared.
About CVE-2025-24054
CVE-2025-24054 allows attackers to capture the NTLMv2 response (i.e., the NTLMv2-SSP hash) sent by the victim's machine to an attacker-operated SMB server that initiated an authentication request.
Attackers can attempt to brute-force this captured hash offline, or they can use it to perform relay attacks.
“NTLM relay attacks fall under the category of man-in-the-middle (MitM) attacks that exploit the NTLM authentication protocol. Instead of cracking the password, the attacker captures the hash and passes it to another service to authenticate as the user,” the researchers explained.
“NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network.”
CVE-2025-24054, privately disclosed to Microsoft by three researchers, was considered by the company to be “less likely” to be exploited.
Microsoft had initially assigned CVE-2025-24071 to the vulnerability, but later created a new identifier: CVE-2025-24054. Both were patched on March 11, 2025 and both can allow an unauthorized attacker to perform spoofing over a network, but the former requires the target to open a folder that contains a specially crafted file, while the latter requires them only to interact with (e.g., select, inspect, move) the malicious file, and not necessarily to open and execute it.
In that respect, CVE-2025-24054 is similar to CVE-2024-43451, a vulnerability that was exploited in 2024 as a zero-day to target Ukrainian entities.
The spotted attack campaigns
One of the researchers who initially flagged CVE-2025-24054 released a PoC exploit and a technical write-up on the flaw on March 16 and 18, respectively.
Check Point researchers say that the first attacks leveraging CVE-2025-24054 were spotted on March 19, and that the campaign targeting government and private institutions in Poland and Romania started around March 20 and March 21.
“The campaign consisted of targeting the victims via email phishing links, which include an archive file,” the researchers explained.
“The archive xd.zip was downloaded from Dropbox and contained files with the sole purpose of leaking NTLMV2-SSp hashes. Those four embedded files contacted a malicious SMB server with IP address 159.196.128[.]120.”
One of the files contained in the archive triggered CVE-2025-24054, while another exploited CVE-2024-43451. According to a previous report by HarfangLab researchers, the IP address of the server has been previously linked to APT28, aka Fancy Bear or Forest Blizzard.
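The leak described above hinges on the victim's machine opening an outbound SMB session to an internet host, which is a pattern a perimeter firewall log can catch. The following is an added example, not Check Point's or Microsoft's code: it scans constructed firewall log lines (a simplified key=value format assumed for illustration) and flags TCP 445/139 connections to non-private addresses, using the SMB server IP named in the report as the constructed destination.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed firewall log lines in a simplified key=value format (assumption:
# not a real vendor format). 159.196.128.120 is the SMB server IP from the
# Check Point report; the 10.0.0.0/8 and 203.0.113.0/24 addresses are placeholders.
SAMPLE_LOG = """\
2025-03-20T09:14:02Z src=10.1.4.23 dst=10.1.0.5 dport=445 proto=tcp action=allow
2025-03-20T09:14:05Z src=10.1.4.23 dst=203.0.113.10 dport=443 proto=tcp action=allow
2025-03-20T09:14:07Z src=10.1.4.23 dst=159.196.128.120 dport=445 proto=tcp action=allow
2025-03-20T09:14:09Z src=10.1.4.23 dst=159.196.128.120 dport=139 proto=tcp action=allow
2025-03-20T09:14:11Z src=10.1.4.31 dst=10.1.0.5 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)
SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service


def is_external(ip: str) -> bool:
    """True for addresses outside private, loopback, link-local and reserved ranges."""
    return ipaddress.ip_address(ip).is_global


def find_outbound_smb(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src, dst, dport) for SMB connections to global IPs.

    An internal host opening TCP 445/139 to an internet address is the traffic
    pattern an NTLM hash leak to an attacker-operated SMB server produces;
    legitimate SMB normally stays inside the network, so such flows merit an alert.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        dport = int(m["dport"])
        if m["proto"] == "tcp" and dport in SMB_PORTS and is_external(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"], dport))
    return hits


if __name__ == "__main__":
    for ts, src, dst, dport in find_outbound_smb(SAMPLE_LOG):
        print(f"ALERT {ts}: {src} -> {dst}:{dport} outbound SMB to internet host")
```

Blocking outbound TCP 445/139 at the perimeter stops the leak outright; this check is for spotting hosts that already tried.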
Up to March 25, Check Point had observed approximately 10 additional campaigns with the end goal of retrieving NTLMV2-SSp hashes from the targeted victims. On that day, they spotted one targeting companies around the world.
The phishing emails were carefully constructed to trick targets into downloading the attachment containing an unzipped exploit file:
Phishing email with exploit file attached (Source: Check Point Research)
“As soon as victims downloaded the exploit, their NTLMV2-SSp hashes were leaked,” the researchers explained.
Fixes for CVE-2025-24054
Even if they are not generally considered as high-risk as flaws leading to remote code execution, it has become obvious that some attackers are ready to take advantage of NTLM vulnerabilities quickly, so patches for them should be prioritized – especially because NTLMv2 is still widely used for authentication even though Microsoft officially deprecated all NTLM versions last year and urged users to switch to Kerberos.
Microsoft has released patches for CVE-2025-24054 for all supported Windows and Windows Server versions, but for those still using older, unsupported versions – e.g., Windows 7, Windows 10 v21H2, Windows Server 2008 R2 and Server 2012 R2 – micropatching is a viable solution.