NTLM Hash Exploit Targets Poland and Romania Days After Patch
A vulnerability allowing attackers to leak NTLM authentication hashes with minimal user interaction has been actively exploited just days after Microsoft released a patch.
The flaw, tracked as CVE-2025-24054, affects Windows systems and can be triggered using a specially crafted .library-ms file.
Once a user interacts with the file – even by simply navigating to its folder – Windows initiates an SMB authentication request, leaking the NTLMv2-SSP hash to an attacker-controlled server.
Exploit Active Before Patch Adoption
Although Microsoft issued a fix for the issue on March 11, 2025, threat actors began exploiting it in the wild by March 19.
Within days, researchers observed a coordinated campaign targeting institutions in Poland and Romania.
The attackers delivered malicious .library-ms files via Dropbox links embedded in phishing emails. These files, once downloaded and extracted, triggered NTLM hash leakage without the need for the user to open or execute anything.
“Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file,” Check Point Research said.
“This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.”
Widespread Campaign Activity
The first known campaign exploiting this vulnerability occurred around March 20-21, using an archive named xd.zip. This archive contained four malicious files designed to harvest NTLMv2 hashes:
- xd.library-ms – triggering CVE-2025-24054 to leak NTLMv2 hashes
- xd.url – linked to CVE-2024-43451 and exploited via UNC path
- xd.website – using UNC references to initiate SMB connections
- xd.lnk – a shortcut triggering SMB-based hash leakage
SMB servers receiving the stolen credentials were located in Russia, Bulgaria, the Netherlands, Australia and Turkey.
One such server, associated with IP address 159.196.128[.]120, had previously been flagged by cybersecurity firm HarfangLab in connection with APT28 (Fancy Bear), though no direct attribution has been confirmed for this campaign.
In the days that followed, Check Point Research identified approximately 10 additional campaigns, with one particularly concerning wave observed by March 25.
This campaign differed by delivering unarchived .library-ms files, which triggered NTLM hash leaks through minimal user interaction – sometimes just by navigating to the containing folder.
This minimal interaction requirement elevates the threat level, particularly for systems without SMB signing or NTLM relay protections.
Microsoft acknowledged the severity of the flaw and released a security patch on March 11, initially cataloged as CVE-2025-24071, later corrected to CVE-2025-24054.
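Every file type in the campaign ends the same way: the victim host opens an outbound SMB connection to a server the attacker controls, which is where the NTLMv2 response is captured. The following Python check, added here as an example and not code from Check Point or the article, flags SMB (TCP 445/139) connections from internal hosts to non-internal destinations in firewall-style egress logs; the log line format and the 10.20.0.0/16 internal range are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
# Constructed firewall-style egress log lines (sample data, not from the article);
# 10.20.0.0/16 plays the role of the corporate network.
SAMPLE_LOG = """\
2025-03-21T09:14:02Z action=allow src=10.20.4.17 dst=10.20.1.5 proto=tcp dport=445
2025-03-21T09:15:40Z action=allow src=10.20.4.17 dst=203.0.113.7 proto=tcp dport=445
2025-03-21T09:15:41Z action=allow src=10.20.4.17 dst=203.0.113.7 proto=tcp dport=443
2025-03-21T09:16:03Z action=deny src=10.20.4.22 dst=198.51.100.9 proto=tcp dport=445
2025-03-21T09:17:11Z action=allow src=10.20.4.31 dst=159.196.128.120 proto=tcp dport=445
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)$")
SMB_PORTS = {445, 139}
# Ranges treated as internal (assumption); adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Server address the article reports HarfangLab had previously flagged.
REPORTED_INDICATORS = {ipaddress.ip_address("159.196.128.120")}

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    allowed: bool          # allowed means the NTLMv2 response likely left the network
    known_indicator: bool  # destination is an address named in the report

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    # Return SMB connections from internal hosts to non-internal destinations.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unparseable line; a real pipeline would count these
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if int(m["dport"]) not in SMB_PORTS or not is_internal(src) or is_internal(dst):
            continue
        findings.append(Finding(m["ts"], m["src"], m["dst"], int(m["dport"]),
                                m["action"] == "allow", dst in REPORTED_INDICATORS))
    return findings

if __name__ == "__main__":
    for finding in find_external_smb(SAMPLE_LOG):
        print(finding)
```

A denied connection is still worth a ticket: it shows the trigger fired on that host even though the perimeter stopped the hash from leaving. Blocking outbound TCP 445 at the network edge removes the leak path regardless of which of the four file types started it.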