Windows NTLM hash leak flaw exploited in phishing attacks on governments

Summary: A Windows vulnerability, CVE-2025-24054, is being actively exploited in phishing campaigns to capture NTLM hashes from users in government and private sectors. The exploit uses .library-ms files to trigger SMB connections that allow attackers to capture NTLM hashes with minimal user interaction. Organizations are urged to apply the March 2025 updates and consider disabling NTLM authentication due to the severe implications of this flaw.

Affected: Microsoft Windows systems

Key points:

  • Exploitation activities observed shortly after Microsoft released patches for CVE-2025-24054.
  • Phishing emails contained .library-ms files that automatically triggered connections to attacker-controlled SMB servers.
  • Despite being labeled as “medium” severity, the potential for authentication bypass makes this a high-risk issue; organizations should act promptly.
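
A defensive triage check for the attachment type described above, as an added example that is not from the original article: it flags `.library-ms` attachments whose content names a remote host through a UNC path or a `file://` URL. The function names, verdict strings and sample bytes are assumptions constructed for illustration.

```python
import re

# Path forms that can make Windows contact the named host over SMB.
UNC_RE = re.compile(r"\\\\([^\\/\s<>\"']+)\\")
FILE_URL_RE = re.compile(r"file:/{2}([^\\/\s<>\"']+)/", re.IGNORECASE)

# "Hosts" that are local device or loopback references, not remote servers.
NOT_REMOTE = {".", "?", "localhost", "127.0.0.1", "::1"}


def decode(data: bytes) -> str:
    """Decode attachment bytes; such XML files may be UTF-8 or UTF-16."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    if b"\x00" in data[:64]:  # UTF-16 without a BOM
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def remote_hosts(data: bytes) -> list:
    """Return the distinct remote hosts referenced anywhere in the content."""
    text = decode(data)
    hosts = []
    for host in UNC_RE.findall(text) + FILE_URL_RE.findall(text):
        host = host.lower()
        if host not in NOT_REMOTE and host not in hosts:
            hosts.append(host)
    return hosts


def triage(filename: str, data: bytes):
    """Verdict for a mail attachment; None when it is not a .library-ms file."""
    if not filename.lower().endswith(".library-ms"):
        return None
    hosts = remote_hosts(data)
    verdict = "quarantine" if hosts else "allow"
    return {"file": filename, "verdict": verdict, "hosts": hosts}


# Constructed sample fragments (not captured from any real campaign).
REMOTE_SAMPLE = r"<url>\\198.51.100.7\share</url>".encode("utf-16")
LOCAL_SAMPLE = rb"<url>C:\Users\Public\Documents</url>"

if __name__ == "__main__":
    print(triage("report.library-ms", REMOTE_SAMPLE))
    print(triage("docs.library-ms", LOCAL_SAMPLE))
```

The returned host list can be matched against outbound SMB connection logs to find machines that already opened the file.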

Source: https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-exploited-in-phishing-attacks-on-governments/