CVE-2025-24054 Under Active Attack: Steals NTLM Credentials on File Download


April 18, 2025Red LakshmananSecurity / vulnerability Windows


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw affecting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing bug that Microsoft patched last month as part of its Patch Tuesday updates.


NTLM is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. In recent years, threat actors have found various ways to exploit the technology, such as pass-the-hash and relay attacks, to extract NTLM hashes for follow-on attacks.

“Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” CISA said.

In a bulletin published in March, Microsoft said the vulnerability could be triggered by minimal interaction with a specially crafted .library-ms file, for example “selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.”

The tech giant also credited Rintaro Koike with NTT Security Holdings, 0x6rss, and j00sean with discovering and reporting the flaw.

While Microsoft has given CVE-2025-24054 an exploitability assessment of “Exploitation Less Likely,” the flaw has been under active exploitation since March 19, per Check Point, allowing bad actors to leak NTLM hashes or user passwords.

“Around March 20-21, 2025, a campaign targeted government and private institutions in Poland and Romania,” the cybersecurity company noted. “The attackers used malspam to distribute a Dropbox link containing an archive that exploits several known vulnerabilities, including CVE-2025-24054, to collect NTLMv2-SSP hashes.”

The flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which Microsoft patched in November 2024 and which was weaponized in the wild in attacks by UAC-0194 and Room.

According to Check Point, the file is distributed inside ZIP archives, causing Windows Explorer to initiate an SMB authentication request to a remote server and leak the user's NTLM hash without any user interaction, simply upon downloading and extracting the archive's contents.


That said, another phishing campaign, observed as recently as March 25, 2025, was found delivering a file named “Info.doc.library-ms” without any compression. Since the first wave of attacks, at least 10 campaigns have been observed aiming to obtain NTLM hashes from targets.
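A triage check for the delivery described above, added here as an example and not taken from Check Point, Microsoft, or the original article: it lists the `.library-ms` members of a ZIP that reference a remote host, and `remote_hosts` can be run directly on the bytes of a file delivered without compression. It assumes the location a library points at is stored as text in the file; the function names, the `files.example.invalid` host, and the bare `<url>` fragments are constructed for illustration.

```python
import io
import re
import zipfile

MAX_BYTES = 1 << 20  # library files are small XML text; flag anything larger
# Assumption: the location a library points at appears as text in the file,
# as a UNC path (\\host\share) or a file:// / smb:// URL.
REMOTE_REF = re.compile(r"(?:\\\\|(?:file|smb)://)([a-z0-9][a-z0-9._-]*)[\\/]", re.I)
LOCAL_NAMES = {"localhost", "127.0.0.1"}

def remote_hosts(data: bytes) -> list[str]:
    """Return remote hosts referenced in a .library-ms body (UTF-8 or UTF-16)."""
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if utf16 else "utf-8-sig", errors="replace")
    hosts = {m.group(1).lower() for m in REMOTE_REF.finditer(text)}
    return sorted(hosts - LOCAL_NAMES)

def is_library_file(name: str) -> bool:
    """Match the extension case-insensitively, ignoring trailing dots and spaces."""
    return name.lower().rstrip(". ").endswith(".library-ms")

def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each .library-ms member of a ZIP to the remote hosts it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_library_file(info.filename):
                continue
            if info.file_size > MAX_BYTES:
                findings[info.filename] = ["<oversized, not inspected>"]
                continue
            hosts = remote_hosts(zf.read(info))
            if hosts:
                findings[info.filename] = hosts
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: bare <url> fragments, not complete library files."""
    remote = "<url>\\\\files.example.invalid\\share</url>"
    local = "<url>C:\\Users\\Public\\Documents</url>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Info.doc.library-ms", remote.encode("utf-16"))
        zf.writestr("docs/Local.library-ms", local.encode("utf-8"))
        zf.writestr("docs/readme.txt", remote.encode("utf-8"))
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```

Running the scan on mail attachments or download folders before extraction matters here because, per the report, extraction alone is enough to trigger the SMB authentication.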

“These attacks used malicious .library-ms files to collect NTLMv2 hashes and escalate the risk of lateral movement and privilege escalation within compromised networks,” Check Point said.

“This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.”

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for the flaw by May 8, 2025, to secure their networks in light of active exploitation.
