DC Sync Attack: The Art of Impersonation
An in-depth technical guide to the DC Sync attack, explaining how attackers abuse Active Directory replication protocols to dump credentials without touching the disk.
Feb 15, 2026 | Windows
CVE-2025-24054 is a Windows NTLM hash disclosure spoofing vulnerability. In short, a crafted file or path can coerce a Windows host to initiate NTLM authentication to an attacker-controlled endpoint, leaking the user's NTLM challenge/response over the network. Microsoft addressed the bug in the March 11, 2025 Patch Tuesday, and multiple vendors report active exploitation beginning mid-March 2025, largely via phishing lures that deliver specially crafted files (commonly .library-ms).
While Microsoft's patch reduces exposure, defenders should treat NTLM credential leakage as a class of issues in which similar techniques keep resurfacing, and a related 2025 bulletin notes bypass research against the original fix. Your durable defenses are to minimize NTLM usage, block outbound SMB/NTLM where possible, harden file-handling and attachment policies, and monitor for coercion patterns.
Per NVD/MITRE, the root flaw is external control of file name or path within Windows NTLM flows, enabling a network spoofing scenario. An attacker entices a victim to process a crafted resource that references a remote UNC path. Windows attempts NTLM authentication to that path, disclosing credential material that can be cracked offline or used in relay attacks if other controls are weak. CVSS and vendor tracking place this in the network, low-complexity bucket with user interaction required.
Typical delivery uses a .library-ms file type that can point to remote locations and trigger network access with minimal interaction. Campaign write-ups and advisories confirm .library-ms was seen in the wild in March–April 2025.
Attackers send a phishing email with a compressed attachment or direct link containing a file that references a remote UNC path (e.g., \\attacker-host\share). When the victim previews or opens it, Windows tries to enumerate the remote location, initiating NTLM. If the outbound traffic reaches the attacker, NTLMv2 challenge/response is captured. From there, actors may:
Public advisories and vendor portals list the CVE, affected Windows families, and the March 2025 cumulative updates carrying the fix. CISA's KEV catalog entries and multiple vendors state active exploitation.
The following is designed for defensive education on your own systems in an isolated lab. It does not include weaponized payloads or tools to capture/crack credentials.
You will simulate a remote path reference and observe Windows initiating NTLM to that path, using logging and packet capture. You will not collect or use the credential material.
Two isolated VMs (no internet):
A virtual switch or host-only network between them.
Wireshark or Windows built-in logging on the Observer VM.
On the Observer VM, you just need to see connection attempts to 445/tcp (SMB) or 139/tcp. If using Windows:

# On OBSERVER (Windows), enable firewall log for dropped and allowed connections
Set-NetFirewallProfile -LogAllowed True -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
# Open a basic listener to confirm reachability (no auth handling, just a socket)
# NOTE: This is NOT an SMB server; we only observe inbound connection attempts.
# Requires Windows 11/Server 2022+ with NetTCPIP tools, or use 'nc -l -p 445' on Linux.
netsh interface portproxy add v4tov4 listenport=445 listenaddress=0.0.0.0 connectaddress=127.0.0.1 connectport=9

If using Linux as the Observer, simply run a packet capture:

# On OBSERVER (Linux)
sudo tcpdump -i eth0 tcp port 445 -vvv -w ntlm_lab.pcap

This records connection attempts without implementing SMB or saving credentials.
On the Victim, create a shortcut that points to a UNC path on the Observer (replace with your observer's lab IP):

$observer = "192.168.56.10" # Observer VM IP in your lab
$path = "\\$observer\share" # The share does not need to exist for connection attempts to occur
$wsh = New-Object -ComObject WScript.Shell
$sc = $wsh.CreateShortcut("$env:USERPROFILE\Desktop\RemoteTest.lnk")
$sc.TargetPath = $path
$sc.IconLocation = "shell32.dll,3"
$sc.Description = "Benign UNC reference for NTLM lab"
$sc.Save()

Why a shortcut? Modern lure files often embed remote UNC references. A shortcut is a safe stand-in that shows the same initial network behavior without distributing a crafted .library-ms.
On the Observer, start Wireshark or ensure tcpdump is running. On the Victim, single-click or open the shortcut to list the remote location. If egress to the observer is allowed, you should see an SMB session setup attempt. You are not capturing or responding with an SMB challenge—and thus you aren't harvesting credentials—only verifying that the interaction occurs.
If you can't see traffic, ensure the lab network allows 445/tcp between VMs and the Victim can route to the Observer.
Enable and review NTLM and SMB logs locally to confirm the attempt:

# Turn on auditing of outgoing NTLM authentication (value 1 = Audit all; restart LSA or reboot to be sure it fully applies)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 1 /f
# Enable Object Access auditing (Local Security Policy > Advanced Audit Policy)
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

After interacting with the shortcut, check Event Viewer:

Applications and Services Logs > Microsoft > Windows > SMBClient/Connectivity
Security log for Logon events indicating network logon attempts.

This lab demonstrates how user interaction with a remote path reference can provoke NTLM activity—the behavioral core of CVE-2025-24054—without exploit code or credential capture. Public reports indicate threat actors replace the benign shortcut with crafted formats (e.g., .library-ms) to smooth user interaction and improve reliability.
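To collect the same evidence from the Victim VM without clicking through Event Viewer, the following PowerShell script is an added example (it is not part of the original article). It assumes the lab Observer IP from the article (192.168.56.10) and that outgoing-NTLM auditing is enabled on the Victim, which makes Windows write event 8001 to the Microsoft-Windows-NTLM/Operational log for each outgoing NTLM authentication; the SMB client connectivity log is queried by the Observer's IP. Run it elevated on the Victim.

```powershell
# Added example, not from the original article: summarise the Victim's own
# log evidence of an SMB/NTLM attempt toward the Observer. Read-only.
function Get-LabEvidence {
    param(
        [string]$Observer    = "192.168.56.10",   # Observer VM IP (lab value from the article)
        [int]   $MinutesBack = 30                 # how far back to search
    )
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    # SMB client connectivity log: connection attempts and failures to remote
    # servers; the Observer's IP should appear in the message text.
    $smb = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-SMBClient/Connectivity'
                StartTime = $since
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($Observer) })

    # NTLM operational log: event 8001 is written for each outgoing NTLM
    # authentication when "Restrict NTLM: Outgoing NTLM traffic" is set to Audit.
    $ntlm = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-NTLM/Operational'
                Id        = 8001
                StartTime = $since
            } -ErrorAction SilentlyContinue)

    # Get-WinEvent returns newest entries first
    $lastSmb  = $null
    $lastNtlm = $null
    if ($smb.Count  -gt 0) { $lastSmb  = $smb[0].TimeCreated }
    if ($ntlm.Count -gt 0) { $lastNtlm = ($ntlm[0].Message -split "`n")[0] }

    [pscustomobject]@{
        ObserverIp      = $Observer
        SmbClientEvents = $smb.Count
        NtlmAuditEvents = $ntlm.Count
        LastSmbEvent    = $lastSmb
        LastNtlmMessage = $lastNtlm
    }
}

Get-LabEvidence | Format-List
```

A non-zero SmbClientEvents count with the Observer's IP confirms the shortcut triggered the remote lookup; NtlmAuditEvents stays at zero until the audit setting has taken effect, which is a useful sanity check of the auditing step itself.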
Patch comprehensively. Apply the March 2025 cumulative updates for your Windows versions and later updates that refine the fix. Validate via your patch telemetry and vulnerability scanners (e.g., Tenable plugins tied to the monthly KBs).
Constrain or eliminate NTLM. Move toward Kerberos-only where feasible. At minimum, enable NTLM auditing, configure “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”, and create a deny list for NTLM to untrusted servers.
# Example: set NTLM to deny to remote servers except allowed list (test carefully!)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
# 0=Allow All, 1=Audit All, 2=Deny All (use with exceptions via "ClientAllowedNTLMServers")
# reg add separates REG_MULTI_SZ entries with \0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v ClientAllowedNTLMServers /t REG_MULTI_SZ /d "fileserver1.corp.local\0nas01.corp.local" /f

Block outbound SMB/NTLM to the internet. At your edge egress, block tcp/445 and tcp/139. Internally, segment and limit these flows to known file servers.
# Example host firewall rule (augment with perimeter egress controls)
New-NetFirewallRule -DisplayName "Block Outbound SMB" -Direction Outbound -Action Block -Protocol TCP -RemotePort 445,139

Enforce SMB signing and channel binding to blunt relays and strengthen integrity.
# Require SMB signing (client side)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
# Require SMB signing (server side)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f

Harden file-handling and mark-of-the-web (MotW). Ensure MotW enforcement is on, SmartScreen is active, and suspicious file types are blocked from untrusted origins. Where possible, block .library-ms from email/web origins or handle it via Protected View/containers. (Multiple advisories tie active exploitation to this file type.)
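Setting these values is only half the job; the other half is confirming they are in effect on the fleet. The following PowerShell check is an added example (not from the original article) that reads back the NTLM restriction, its allow list, the outbound SMB block rule and both SMB signing values described in the steps above, using the same registry paths as the article's commands. It is read-only and should be run elevated; the pass criteria (deny or audit for outgoing NTLM, an allow list present when denying, any enabled outbound block rule on TCP/445, signing required on both sides) are this example's own assumptions.

```powershell
# Added example, not from the original article: report whether the NTLM and
# SMB hardening settings above are actually applied on this host. Read-only.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the OS default applies
}

function Test-NtlmHardening {
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $ntlmOut   = Get-RegValue $msv 'RestrictSendingNTLMTraffic'   # 0 allow, 1 audit, 2 deny
    $allowList = @(Get-RegValue $msv 'ClientAllowedNTLMServers' | Where-Object { $_ })  # REG_MULTI_SZ exceptions
    $signWks   = Get-RegValue $wks 'RequireSecuritySignature'
    $signSrv   = Get-RegValue $srv 'RequireSecuritySignature'

    # Any enabled outbound Block rule whose port filter covers TCP/445 counts
    # as the host-level SMB egress block (perimeter controls are checked separately).
    $smbBlock = @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.RemotePort) -contains '445')
        })

    @(
        [pscustomobject]@{ Control = 'Outgoing NTLM denied (2) or audited (1)'; Actual = $ntlmOut;               Pass = (@(1, 2) -contains $ntlmOut) }
        [pscustomobject]@{ Control = 'NTLM allow list present when denying';     Actual = ($allowList -join ','); Pass = ($ntlmOut -ne 2 -or $allowList.Count -gt 0) }
        [pscustomobject]@{ Control = 'SMB signing required (client)';            Actual = $signWks;               Pass = ($signWks -eq 1) }
        [pscustomobject]@{ Control = 'SMB signing required (server)';            Actual = $signSrv;               Pass = ($signSrv -eq 1) }
        [pscustomobject]@{ Control = 'Outbound TCP/445 block rule enabled';      Actual = $smbBlock.Count;        Pass = ($smbBlock.Count -gt 0) }
    )
}

Test-NtlmHardening | Format-Table -AutoSize
```

Because the registry reads return $null when a value has never been set, a blank Actual column tells you the host is still on the OS default for that control rather than explicitly configured, which is the case you most want to catch in patch and compliance telemetry.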
Use ASR and application control. Attack Surface Reduction rules that block Office from creating child processes, block Win32 API calls from Office macros, and constrain script interpreters materially reduce phish-to-execution paths—even if a file is opened.
# Example: enable selected ASR rules (GUIDs are examples; validate in your environment)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A, 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled, Enabled

Monitor for coercion patterns. Hunt for:

.library-ms executions or file-open events from email temp paths or browser caches.

CISA and multiple vendors highlight active exploitation; prioritize detection and response accordingly.
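The network side of a coercion attempt is an outbound SMB or NetBIOS connection to an address the host has no business talking to. The following PowerShell script is an added example (not from the original article) that scans a Windows Firewall log in the pfirewall.log text format enabled earlier with Set-NetFirewallProfile, and flags outbound TCP connections to port 445 or 139 whose destination is outside RFC 1918 private space. The log lines it runs against are constructed for the demonstration; the column layout follows the file's own "#Fields:" header, and the choice to treat all private-range destinations as expected file-server traffic is this example's assumption, so tighten it to your known file-server list where you can.

```powershell
# Added example, not from the original article: flag outbound SMB/NetBIOS
# connections to non-private addresses in a pfirewall.log-format firewall log.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { return $false }
    $o = $o | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127)
}

function Find-SmbEgress {
    param([string[]]$Lines, [int[]]$Ports = @(445, 139))
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # pfirewall.log columns: date time action protocol src-ip dst-ip src-port
        # dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP') { continue }
        $dstPort = [int]$f[7]
        if ($Ports -notcontains $dstPort) { continue }
        if ($f[16] -ne 'SEND') { continue }            # outbound connections only
        if (Test-PrivateIPv4 $f[5]) { continue }       # internal file servers are expected
        [pscustomobject]@{
            Time    = "$($f[0]) $($f[1])"
            Action  = $f[2]                            # ALLOW or DROP; both are worth a look
            Source  = $f[4]
            Dest    = $f[5]
            DstPort = $dstPort
        }
    }
}

# Constructed sample log (not real traffic): one internal share access, one
# SMB attempt to an external host, an unrelated HTTPS connection, and a
# NetBIOS attempt that the firewall dropped.
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-20 10:14:58 ALLOW TCP 10.0.0.15 10.0.0.5 49810 445 0 - 0 0 0 - - - SEND
2025-03-20 10:15:01 ALLOW TCP 10.0.0.15 203.0.113.7 49812 445 0 - 0 0 0 - - - SEND
2025-03-20 10:15:02 ALLOW TCP 10.0.0.15 203.0.113.7 49813 443 0 - 0 0 0 - - - SEND
2025-03-20 10:15:03 DROP TCP 10.0.0.15 198.51.100.9 49814 139 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# For a real host: $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Find-SmbEgress -Lines $sample | Format-Table -AutoSize
```

On the constructed input only the two external SMB/NetBIOS lines are reported; the internal share and the HTTPS connection are ignored. A DROP hit still matters: it shows a process on the host tried to reach an external share, which is the user-interaction event you want to trace back to the file that caused it.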
Protect credentials at rest and in memory. Enable Windows Defender Credential Guard and LSA protection to reduce post-leak blast radius.
# Enable LSA protection (requires reboot)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f

If you suspect exposure:

.library-ms and other container formats around the user's compromise window.

Is CVE-2025-24054 patched? Yes. Microsoft shipped fixes on March 11, 2025 as part of the monthly cumulative updates. Keep up with subsequent updates and validate deployment in your fleet and scanners.
Was it exploited in the wild? Yes—multiple sources report active exploitation in March–April 2025.
Is this the end of NTLM leakage issues? Not necessarily. New research has explored bypasses to parts of the original fix; therefore, defense-in-depth (disable NTLM where feasible, enforce signing, block outbound SMB) remains essential.
.library-ms lures and in-the-wild exploitation.

You asked for step-by-step reproduction and code samples. This article gives you a safe lab that demonstrates the network-auth behavior without enabling credential capture or exploitation against systems you don't own. Sharing weaponized PoCs or crack/relay instructions would meaningfully facilitate misuse, so they're intentionally excluded here. If you're a defender or researcher with a legitimate need to test end-to-end in your own environment, apply the mitigations first, conduct testing on isolated hosts, and coordinate with your internal security review process.