Vulnerability Analysis

Windows NTLM Hash Disclosure CVE-2025-24054: The Protocol That Won't Die

CVE-2025-24054 leaks NTLM hashes through .library-ms files with minimal user interaction. Microsoft patched it in April 2025, but exploitation started almost immediately.

James
Security Engineer
6 min read

In April 2025, Microsoft patched CVE-2025-24054, an NTLM hash disclosure vulnerability that allows attackers to capture a user's NTLMv2 hash with minimal interaction. Within days of the patch, active exploitation was observed in the wild, with campaigns targeting organizations in Poland and Romania using phishing emails containing specially crafted .library-ms files.

The vulnerability is almost comically simple to trigger. A user doesn't need to open the malicious file. In some scenarios, merely navigating to a folder containing the file or selecting it in Windows Explorer is enough to leak the NTLM hash to an attacker-controlled server.

How the Vulnerability Works

CVE-2025-24054 exploits Windows' handling of .library-ms files — XML-based configuration files that define Windows Libraries (collections of folders). When Windows Explorer processes a .library-ms file, it attempts to resolve network paths embedded in the file's XML content.

The attack works like this:

  1. An attacker crafts a .library-ms file containing a UNC path pointing to their server (e.g., \\attacker-server\share)
  2. The file is delivered to the victim, typically via email or a file share
  3. When the victim's Windows Explorer encounters the file — by browsing to the containing folder, viewing the file in the preview pane, or even right-clicking it — Windows attempts to resolve the embedded UNC path
  4. This resolution triggers an NTLM authentication attempt to the attacker's server
  5. The attacker captures the victim's NTLMv2 hash

The captured hash can then be:

  • Cracked offline to recover the plaintext password
  • Used in relay attacks to authenticate to other services as the victim
  • Used in pass-the-hash attacks against systems that accept NTLM authentication
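The file-handling step above is where a defender can intervene before Explorer ever renders the folder: a .library-ms file is plain XML, so it can be parsed and any UNC location that points outside the organisation's own file servers can be flagged for quarantine. The PowerShell below is an added example written for this article, not code from the original post or from Microsoft. It assumes the element names of Microsoft's Library Description schema (libraryDescription, searchConnectorDescriptionList, searchConnectorDescription, simpleLocation, url) and its namespace; the allowlist of internal hosts and the sample document are constructed for the demo, and the sample is parsed in memory rather than written to disk so that running the example does not itself create a file Explorer would resolve.

```powershell
# Added example (not from the original post): triage .library-ms files for UNC targets that
# point outside an allowlist of known internal hosts, so suspicious files extracted from mail
# attachments or dropped on shares can be quarantined before Explorer renders the folder.
# Assumptions: element names follow Microsoft's Library Description schema
# (libraryDescription / searchConnectorDescriptionList / searchConnectorDescription /
# simpleLocation / url); the allowlist and the sample document are constructed for the demo.

$AllowedHosts = @('fileserver01', 'fileserver01.corp.example')   # constructed allowlist

function Get-LibraryUncTargets {
    param(
        [Parameter(Mandatory)][string]$Xml,      # the file's XML content
        [string]$Source = '<in-memory>'          # path or label for reporting
    )
    [xml]$doc = $Xml
    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('lib', 'http://schemas.microsoft.com/windows/2009/library')

    # Every <url> under a <simpleLocation> is a location Explorer will try to resolve.
    foreach ($node in $doc.SelectNodes('//lib:simpleLocation/lib:url', $ns)) {
        $target = $node.InnerText.Trim()
        if ($target -match '^\\\\([^\\]+)\\') {          # UNC form \\host\share...
            $targetHost = $Matches[1]
            [pscustomobject]@{
                Source     = $Source
                Target     = $target
                TargetHost = $targetHost
                Allowed    = [bool]($AllowedHosts -contains $targetHost)
            }
        }
    }
}

function Find-SuspiciousLibraryFiles {
    # Walk a directory (e.g. an attachment-extraction area) and report external UNC targets.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.library-ms' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $content = Get-Content -LiteralPath $_.FullName -Raw
            Get-LibraryUncTargets -Xml $content -Source $_.FullName
        } |
        Where-Object { -not $_.Allowed }
}

# --- constructed sample (parsed in memory, never written to disk): one internal location
# --- and one external location using the article's placeholder host name.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\fileserver01\projects</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\attacker-server\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@

Get-LibraryUncTargets -Xml $sample -Source 'constructed-sample.library-ms' |
    Where-Object { -not $_.Allowed } |
    Format-Table Source, TargetHost, Target -AutoSize
# Live use: Find-SuspiciousLibraryFiles -Root "$env:USERPROFILE\Downloads"
```

On the constructed sample only the \\attacker-server\share entry is reported. In practice this check belongs at the mail gateway or on the directory where attachments are extracted; it catches the .library-ms variant specifically, so the other UNC-carrying file types the article lists (.url, .lnk, .scf, .theme, .website) still need their own handling.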

The NTLM Problem

NTLM (NT LAN Manager) is a suite of Microsoft authentication protocols first introduced in the 1990s. Despite being deprecated in favor of Kerberos for nearly 25 years, NTLM persists in enterprise environments because:

  • Legacy applications require it
  • Cross-domain and cross-forest authentication scenarios fall back to it
  • Many third-party applications only support NTLM
  • Disabling it breaks things in ways that are hard to predict

Microsoft has been gradually tightening NTLM controls. Windows 11 24H2 introduced the ability to block NTLM over SMB on a per-share basis. Group policy options exist to restrict NTLM usage. But full deprecation remains elusive because the compatibility impact is enormous.

CVE-2025-24054 is the latest in a long line of NTLM hash disclosure vulnerabilities. The technique of forcing NTLM authentication through file handling is decades old. Previous variants have used .url files, .lnk files, .scf files, .theme files, and now .library-ms files. Each new variant exploits a different file handler that processes UNC paths, but the underlying NTLM leak mechanism is always the same.

Active Exploitation

Within approximately ten days of the April 2025 Patch Tuesday release, security researchers observed active exploitation of CVE-2025-24054. The campaigns used phishing emails with archive attachments containing crafted .library-ms files alongside other NTLM-leaking file types (.url and .website files) as redundant attack paths.

The targets were primarily government and critical infrastructure organizations in Eastern Europe. Captured NTLM hashes were sent to attacker-controlled servers, with at least one infrastructure IP linked to the APT group Fancy Bear (APT28).

The speed of exploitation underscores a recurring problem: threat actors monitor Patch Tuesday releases closely, reverse-engineer the patches to identify the underlying vulnerabilities, and develop exploits faster than many organizations can deploy patches.

Severity and Scope

Microsoft rated CVE-2025-24054 as "Important" rather than "Critical" because it requires some user interaction — the user must at least navigate to a folder containing the malicious file. But the bar is so low that this classification understates the real-world risk.

Consider the practical attack scenario:

  1. Attacker sends a phishing email with a ZIP attachment
  2. User downloads and extracts the ZIP to their Downloads folder
  3. User navigates to Downloads — hash is leaked
  4. The entire exchange takes seconds and requires no execution of any malicious code

CISA added CVE-2025-24054 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by a specific deadline. This is an accurate reflection of the risk level.

Impact Assessment

The impact depends on the organization's NTLM posture:

High impact scenarios:

  • Password policies allow weak or guessable passwords (hash cracking succeeds)
  • NTLM relay protections (EPA, SMB signing) are not enforced
  • The compromised user has administrative privileges
  • The environment uses flat network architecture without segmentation

Lower impact scenarios:

  • Strong, unique passwords that resist offline cracking
  • NTLM relay mitigations are in place across all services
  • Network segmentation limits the value of captured credentials
  • MFA is enforced for all sensitive access (the scenarios in which NTLM authentication sidesteps MFA are limited)

Remediation

Immediate actions:

  1. Apply the April 2025 patch: This is the primary fix
  2. Block outbound NTLM traffic: If possible, block outbound SMB (TCP 445) and NTLM authentication at the firewall. Legitimate internal NTLM traffic shouldn't leave your network perimeter.
  3. Enable Extended Protection for Authentication (EPA): This mitigates relay attacks
  4. Require SMB signing: Prevents NTLM relay over SMB
  5. Restrict NTLM usage via Group Policy: Audit and then restrict NTLM where possible
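Steps 2 to 5 above are all host or policy settings that can be audited and applied with PowerShell. The script below is an added example for this article, not code from the original post or from Microsoft. The registry values it reads and writes back the "Network security: Restrict NTLM" and "LAN Manager authentication level" Group Policy settings; the expected values are a baseline chosen for this example (audit outbound NTLM first, deny it only once the audit log is clean, in keeping with step 5), not Microsoft defaults. The firewall rule name is constructed, the BlockNTLM switch exists only on Windows 11 24H2 / Server 2025 SMB clients and is applied only where present, and the script must run elevated; -WhatIf previews every change.

```powershell
# Added example (not from the original post): audit the NTLM-related settings the
# remediation list names, and optionally apply them. Registry values correspond to the
# "Network security: Restrict NTLM" and LAN Manager authentication level policies;
# the expected values below are this example's chosen baseline, not Microsoft defaults.
# Run as Administrator. -WhatIf previews changes without applying them.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$FwRuleName = 'Block outbound SMB to Internet'   # constructed rule name

function Get-RegDword([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means "not configured"
}

function Get-NtlmHardeningState {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    $fw = @(Get-NetFirewallRule -DisplayName $FwRuleName -ErrorAction SilentlyContinue)
    $fwOk = ($fw.Count -gt 0) -and ("$($fw[0].Enabled)" -eq 'True')
    $checks = @(
        @{ Setting = 'SMB client requires signing';  Current = $client.RequireSecuritySignature; Expected = $true }
        @{ Setting = 'SMB server requires signing';  Current = $server.RequireSecuritySignature; Expected = $true }
        @{ Setting = 'LmCompatibilityLevel (5 = NTLMv2 only)';            Current = Get-RegDword $Lsa 'LmCompatibilityLevel';       Expected = 5 }
        @{ Setting = 'RestrictSendingNTLMTraffic (1 = audit, 2 = deny)';  Current = Get-RegDword $Msv1 'RestrictSendingNTLMTraffic'; Expected = 1 }
        @{ Setting = 'AuditReceivingNTLMTraffic (2 = audit all)';         Current = Get-RegDword $Msv1 'AuditReceivingNTLMTraffic';  Expected = 2 }
        @{ Setting = 'Outbound TCP/445 to Internet blocked';              Current = $fwOk;                                           Expected = $true }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting   = $c.Setting
            Current   = $c.Current
            Expected  = $c.Expected
            Compliant = ($null -ne $c.Current) -and ($c.Current -eq $c.Expected)
        }
    }
}

function Set-NtlmHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DenyOutboundNtlm)   # default is audit mode; flip to deny once the NTLM audit log is clean

    if ($PSCmdlet.ShouldProcess('SMB client and server', 'Require signing')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess($Lsa, 'LmCompatibilityLevel = 5')) {
        Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    }
    $outbound = if ($DenyOutboundNtlm) { 2 } else { 1 }
    if ($PSCmdlet.ShouldProcess($Msv1, "RestrictSendingNTLMTraffic = $outbound, AuditReceivingNTLMTraffic = 2")) {
        Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Value $outbound -Type DWord
        Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
    }
    if (-not (Get-NetFirewallRule -DisplayName $FwRuleName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block outbound TCP/445 to non-local addresses')) {
            New-NetFirewallRule -DisplayName $FwRuleName -Direction Outbound -Protocol TCP `
                -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
    # Windows 11 24H2 / Server 2025 only: refuse NTLM for SMB client connections outright.
    if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM') -and
        $PSCmdlet.ShouldProcess('SMB client', 'BlockNTLM')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
    }
}

Get-NtlmHardeningState | Format-Table -AutoSize
# Set-NtlmHardening -WhatIf            # preview; drop -WhatIf to apply in audit mode
# Set-NtlmHardening -DenyOutboundNtlm  # once the audit log shows no legitimate outbound NTLM
```

The host-side firewall rule is a backstop for the perimeter block in step 2, since laptops leave the network; the -RemoteAddress Internet keyword excludes local subnets, so internal file servers are unaffected. Apply these through Group Policy at scale rather than per host, and leave RestrictSendingNTLMTraffic at 1 until the audit results have been reviewed, because a premature deny breaks exactly the legacy dependencies the article describes.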

Long-term actions:

  1. Inventory NTLM dependencies: Identify all applications and services that require NTLM
  2. Migrate to Kerberos: Where possible, configure applications to use Kerberos authentication
  3. Implement NTLM audit logging: Monitor for NTLM usage to identify candidates for migration
  4. Deploy Credential Guard: Windows Credential Guard isolates NTLM hashes from the regular OS. Note that it protects credentials stored on the host; it does not stop the NTLMv2 challenge-response leak this CVE triggers, so it complements the outbound NTLM controls rather than replacing them.
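Long-term steps 1 and 3 feed each other: once outbound NTLM auditing is on, every NTLM authentication a host performs is logged, and that log is the dependency inventory. The following PowerShell is an added example for this article, not code from the original post or from Microsoft. It assumes that "Restrict NTLM: Outgoing NTLM traffic to remote servers" is set to audit (RestrictSendingNTLMTraffic = 1), which makes each outbound NTLM authentication write event 8001 to the Microsoft-Windows-NTLM/Operational log, and that the event's first property is the target server and its fifth the client process name (the "Target server:" and "Name of client process:" fields of the rendered message); confirm those positions against a real event before relying on the live collector. The internal DNS suffix and the sample events are constructed.

```powershell
# Added example (not from the original post): turn NTLM audit events into an inventory of
# outbound NTLM dependencies, separating Kerberos migration candidates from targets that
# should not be receiving NTLM at all. Assumptions: RestrictSendingNTLMTraffic = 1 (audit)
# is in place; event 8001 property 0 is the target server and property 4 the client process
# name (verify against a real event); the DNS suffix and sample events are constructed.

$InternalSuffixes = @('.corp.example')   # constructed: your own DNS suffixes

function Get-NtlmOutboundEvents {
    # Live collector: outbound NTLM audit events from the last $Days days.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            TargetServer  = [string]$_.Properties[0].Value   # assumed: "Target server:" field, e.g. cifs/host
            ClientProcess = [string]$_.Properties[4].Value   # assumed: "Name of client process:" field
        }
    }
}

function ConvertTo-NtlmInventory {
    # Summarise (target, process) pairs and classify each target as internal or external.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object TargetServer, ClientProcess | ForEach-Object {
        $first = $_.Group[0]
        # Strip the service class ("cifs/", "HTTP/") to get the host, then check the suffix.
        $targetHost = (($first.TargetServer -split '/')[-1]).ToLowerInvariant()
        $internal = $false
        foreach ($s in $InternalSuffixes) { if ($targetHost.EndsWith($s)) { $internal = $true } }
        if ($internal) { $disposition = 'Kerberos migration candidate' }
        else           { $disposition = 'REVIEW: NTLM sent to non-internal host' }
        [pscustomobject]@{
            TargetServer  = $first.TargetServer
            ClientProcess = $first.ClientProcess
            Count         = $_.Count
            LastSeen      = ($_.Group | Sort-Object Time)[-1].Time
            Disposition   = $disposition
        }
    } | Sort-Object Disposition, Count -Descending
}

# --- constructed sample events (offline demo; the live path is Get-NtlmOutboundEvents) ---
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2025-04-20T09:01:00'; TargetServer = 'cifs/fileserver01.corp.example'; ClientProcess = 'explorer.exe'  }
    [pscustomobject]@{ Time = [datetime]'2025-04-20T09:02:00'; TargetServer = 'cifs/fileserver01.corp.example'; ClientProcess = 'explorer.exe'  }
    [pscustomobject]@{ Time = [datetime]'2025-04-20T09:05:00'; TargetServer = 'HTTP/legacyapp.corp.example';    ClientProcess = 'oldclient.exe' }
    [pscustomobject]@{ Time = [datetime]'2025-04-20T09:07:00'; TargetServer = 'cifs/attacker-server';           ClientProcess = 'explorer.exe'  }
)

ConvertTo-NtlmInventory -Events $sample | Format-Table -AutoSize
# Live: ConvertTo-NtlmInventory -Events (Get-NtlmOutboundEvents -Days 7)
```

On the constructed sample the two internal targets come out as migration candidates (the legacy HTTP application being the kind of dependency step 1 is meant to surface), while the explorer.exe authentication to the non-internal host is flagged for review, which is the signature of a file-handling leak like this CVE. Centralise the 8001 events in your SIEM rather than reading them host by host, and alert on the REVIEW class immediately instead of waiting for the periodic inventory.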

The Broader Lesson

CVE-2025-24054 is a symptom of a deeper problem: legacy protocol debt. NTLM has been "deprecated" for most of the 21st century, yet it remains deeply embedded in enterprise Windows environments. Each new hash disclosure vulnerability is a reminder that deprecation without removal is meaningless from a security perspective.

Organizations should treat NTLM remediation as a multi-year strategic initiative, not a one-time patching exercise. The protocol will continue to generate vulnerabilities as long as it exists in the codebase.

How Safeguard.sh Helps

Safeguard.sh helps organizations track and manage vulnerabilities across their Windows infrastructure by maintaining detailed software inventory and vulnerability correlation data. When CVE-2025-24054 was disclosed, Safeguard.sh users with Windows asset inventory could immediately identify every affected system and prioritize patching based on exposure.

Beyond individual CVE tracking, Safeguard.sh's policy engine can enforce configuration baselines — such as requiring SMB signing, verifying NTLM restriction policies, and ensuring outbound SMB traffic is blocked at network boundaries. The platform's continuous monitoring detects configuration drift, alerting when systems fall out of compliance with hardened NTLM settings.

This combination of vulnerability awareness and configuration enforcement addresses both the immediate CVE-2025-24054 risk and the underlying NTLM exposure that enables this entire class of attacks.
