CVE-2025-24054, NTLM Exploit in the Wild

Threat Overview

The Security Operations Center (SOC) has identified a critical threat report published by CheckPoint on April 16, 2025. The report details CVE-2025-24054, an NTLM exploit that is actively being used in the wild. The vulnerability lets attackers obtain a victim's NTLM hash through spoofing, using maliciously crafted .library-ms files as the trigger.

Short Description of the Report

CVE-2025-24054 is a significant security flaw involving NTLM hash disclosure via spoofing. Attackers exploit it with specially crafted .library-ms files. Active exploitation has been observed since March 19, 2025, potentially enabling attackers to obtain NTLM hashes or user passwords and compromise systems.

Microsoft released a patch for this vulnerability on March 11, 2025. Only just over a week passed between that release and the first observed in-the-wild exploitation, which was all the time threat actors needed to develop and deploy a working exploit. This highlights the importance of timely patch management and continuous monitoring within an organization’s security infrastructure.

Confidence Level and Reliability

The confidence level for this report is 100%, indicating that the information provided is highly reliable. The reliability of the report is rated as A – Completely reliable, ensuring that the data can be trusted for making critical security decisions.

Revoke Status

As of now, the revoke status for this threat report is false, meaning that the information remains valid and actionable.

Number of Connected Elements

The report contains 27 connected elements, providing a comprehensive overview of the threat landscape associated with CVE-2025-24054. These elements include detailed technical analysis, indicators of compromise (IOCs), and mitigation strategies.

External References

For additional information, please refer to the following external references:

  1. CheckPoint Research: https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
  2. AlienVault OTX Pulse: https://otx.alienvault.com/pulse/67ffb90566f96c4f4cef48df

Recommendations for Mitigation

To protect against the CVE-2025-24054 NTLM exploit, organizations should consider the following recommendations:

  1. Patch Management: Ensure that all systems are patched with the latest security updates from Microsoft. Prioritize patching systems that handle sensitive data or have access to critical infrastructure.

  2. Network Segmentation: Implement network segmentation to limit the spread of potential exploits within the organization’s network. This can help contain any breaches and prevent lateral movement by attackers.

  3. Monitoring and Detection: Deploy advanced threat detection tools to monitor for suspicious activities related to NTLM hash disclosure. Use Security Information and Event Management (SIEM) systems to correlate logs and identify potential threats in real-time.

  4. User Education: Educate users about the risks associated with phishing attacks and malicious files. Encourage them to be cautious when opening email attachments or downloading files from untrusted sources.

  5. Access Controls: Implement strict access controls to limit who can access sensitive data and systems. Use the principle of least privilege (PoLP) to ensure that users have only the permissions necessary for their roles.

  6. Regular Audits: Conduct regular security audits to identify vulnerabilities and assess the effectiveness of existing security measures. Address any gaps or weaknesses promptly to enhance overall security posture.

  7. Incident Response Plan: Develop and maintain an incident response plan to quickly respond to potential breaches. Ensure that all stakeholders are aware of their roles and responsibilities in case of a security incident.
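Recommendation 3 (Monitoring and Detection) asks for detection of NTLM hash-disclosure activity but leaves the logic open. The script below is an added example, not code from the CheckPoint report or from ESSGroup. It implements one defender-side heuristic that follows from how the flaw works: because the victim host is induced to authenticate to a spoofed server, a `.library-ms` file appearing on a workstation followed shortly by the file's handling process (assumed here to be `explorer.exe`) connecting to a non-internal address is worth an alert. The Sysmon-style field names and event IDs, the ten-minute window, the internal network list and every log line are constructed assumptions to adapt to your own SIEM.

```python
"""Heuristic correlation for .library-ms triggered NTLM hash disclosure.

Added example (not from the CheckPoint report or the ESSGroup post).
Two Sysmon-style event types are correlated per host:

  * event_id 11 (FileCreate): a .library-ms file is written
  * event_id 3  (NetworkConnect): explorer.exe connects outbound

An alert is raised when the connection goes to an address outside the
assumed internal ranges within WINDOW of the file drop.  Field names
(ts, host, event_id, image, target_filename, dest_ip) are assumptions
modelled on Sysmon's schema; map them to your SIEM's normalised fields.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: the organisation's internal address space. Anything outside it
# is treated as external (a documentation range such as 203.0.113.0/24 is
# deliberately NOT listed so the sample below triggers).
INTERNAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed correlation window between file drop and outbound connection.
WINDOW = timedelta(minutes=10)

# Constructed sample events, one JSON record per line (raw string, so the
# doubled backslashes reach json.loads unchanged).
SAMPLE_LOGS = r"""
{"ts": "2025-04-17T09:12:01Z", "host": "WS01", "event_id": 11, "image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "target_filename": "C:\\Users\\alice\\Downloads\\invoice.library-ms"}
{"ts": "2025-04-17T09:12:40Z", "host": "WS01", "event_id": 3, "image": "C:\\Windows\\explorer.exe", "dest_ip": "203.0.113.25"}
{"ts": "2025-04-17T09:20:00Z", "host": "WS02", "event_id": 11, "image": "C:\\Windows\\explorer.exe", "target_filename": "C:\\Users\\bob\\Documents\\report.docx"}
{"ts": "2025-04-17T09:21:00Z", "host": "WS02", "event_id": 3, "image": "C:\\Windows\\explorer.exe", "dest_ip": "203.0.113.40"}
{"ts": "2025-04-17T09:30:00Z", "host": "WS04", "event_id": 11, "image": "C:\\Windows\\explorer.exe", "target_filename": "C:\\Users\\dave\\Desktop\\team.library-ms"}
{"ts": "2025-04-17T09:30:05Z", "host": "WS04", "event_id": 3, "image": "C:\\Windows\\explorer.exe", "dest_ip": "192.168.20.7"}
{"ts": "2025-04-17T10:05:00Z", "host": "WS03", "event_id": 11, "image": "C:\\Windows\\explorer.exe", "target_filename": "C:\\Users\\carol\\Downloads\\photos.library-ms"}
{"ts": "2025-04-17T11:30:00Z", "host": "WS03", "event_id": 3, "image": "C:\\Windows\\explorer.exe", "dest_ip": "198.51.100.9"}
""".strip().splitlines()


@dataclass
class Alert:
    host: str
    library_file: str
    dest_ip: str
    seconds_between: int


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the assumed internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_events(lines: list[str]) -> list[dict]:
    """Decode JSON lines and sort by timestamp so correlation runs in order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[Alert]:
    """Pair each external explorer.exe connection with recent .library-ms drops."""
    drops: dict[str, list[tuple[datetime, str]]] = {}
    alerts: list[Alert] = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 11 and ev.get("target_filename", "").lower().endswith(".library-ms"):
            drops.setdefault(host, []).append((ev["ts"], ev["target_filename"]))
        elif ev["event_id"] == 3 and ev.get("image", "").lower().endswith("\\explorer.exe"):
            if is_internal(ev["dest_ip"]):
                continue  # connections to internal shares are expected behaviour
            for drop_ts, fname in drops.get(host, []):
                delta = ev["ts"] - drop_ts
                if timedelta(0) <= delta <= window:
                    alerts.append(Alert(host, fname, ev["dest_ip"], int(delta.total_seconds())))
    return alerts


def run_detection(lines: list[str] = SAMPLE_LOGS) -> list[Alert]:
    """Parse and correlate; returns the alert list for the caller to act on."""
    return correlate(parse_events(lines))


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a.host}: {a.library_file} then explorer.exe -> {a.dest_ip} after {a.seconds_between}s")
```

On the constructed sample only WS01 fires: WS02 dropped a .docx rather than a library file, WS04 connected to an internal address, and WS03's connection came 85 minutes after the drop, outside the window. Treat a hit as a triage lead to check for NTLM authentication toward the flagged address, not as proof of compromise.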

Conclusion

The CVE-2025-24054 NTLM exploit poses a significant threat to organizations, potentially leading to the compromise of sensitive data and systems. By following the recommendations outlined above, organizations can enhance their security posture and protect against this emerging threat. Stay informed about the latest developments in cybersecurity and remain vigilant to safeguard your organization’s assets.

For more detailed information, please visit the CheckPoint Research page on CVE-2025-24054: https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
