A critical NTLM spoofing vulnerability continues to be actively exploited by hackers worldwide.
Key Takeaways:
Cybersecurity researchers have discovered that hackers are actively exploiting a critical NTLM spoofing vulnerability in Windows systems, despite Microsoft having released a patch for it back in March. The ongoing attacks underscore the urgency for organizations to update their systems before more damage is done.
NTLM (New Technology LAN Manager) is a security protocol suite that is used for authenticating users and ensuring data integrity and confidentiality in network communications. It leverages a challenge-response mechanism to verify identities without sending passwords directly.
NTLM is less secure than modern protocols like Kerberos because of weaknesses such as pass-the-hash attacks. Last year, Microsoft announced the deprecation of all NTLM versions, including LANMAN, NTLMv1, and NTLMv2. However, many companies continue to use NTLM for authentication due to legacy systems and compatibility requirements. Silverfort found that around 64% of Active Directory user accounts still regularly authenticate using NTLM.
This security vulnerability (tracked as CVE-2025-24054) allows hackers to disclose NTLM hashes through spoofing. It could enable attackers to leak NTLMv2-SSP hashes or user passwords to potentially compromise target systems. Cybercriminals could exploit this flaw using a maliciously crafted .library-ms file that can trigger NTLM authentication requests with minimal user interaction.
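As an added defender-side example (not code from the article or from Check Point), the script below parses a .library-ms file, whose XML lists the library's locations, and flags any location that names a host outside the organisation, which is the pattern an attachment abusing this flaw would rely on to provoke outbound NTLM authentication. The XML namespace is Microsoft's library schema; the internal DNS suffix list and the example.net host in the constructed sample are assumptions.

```python
"""Triage helper: flag .library-ms locations that point outside the organisation."""
import ipaddress
import re
import xml.etree.ElementTree as ET

LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
INTERNAL_SUFFIXES = (".corp.example",)  # hypothetical internal DNS suffixes
_UNC = re.compile(r"^(?:\\\\|//)([^\\/]+)")          # \\host\share or //host/share
_FILE_URL = re.compile(r"^file://([^/\\]+)", re.I)  # file://host/share

def remote_host(url):
    """Host named by a UNC path or file:// URL; None for local or knownfolder: URLs."""
    for pat in (_UNC, _FILE_URL):
        m = pat.match(url.strip())
        if m:
            return m.group(1).lower()
    return None

def is_external(host):
    """True for a globally routable IP or a name outside INTERNAL_SUFFIXES."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIXES)

def scan_library_ms(xml_text):
    """External hosts named by <url> elements; unparseable input is reported, not ignored."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["<unparseable>"]
    found = []
    for node in root.iter(LIBRARY_NS + "url"):
        host = remote_host(node.text or "")
        if host and is_external(host) and host not in found:
            found.append(host)
    return found

# Constructed sample in the library XML layout; example.net is a documentation domain.
SAMPLE = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
 <searchConnectorDescriptionList>
  <searchConnectorDescription>
   <simpleLocation><url>\\\\files.example.net\\share</url></simpleLocation>
  </searchConnectorDescription>
  <searchConnectorDescription>
   <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
  </searchConnectorDescription>
 </searchConnectorDescriptionList>
</libraryDescription>"""
```

Run it over attachments quarantined by the mail gateway; a non-empty result is a reason to hold the file, while a clean result does not prove the file safe.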
Microsoft released a patch to address this NTLM spoofing vulnerability on March 11. However, Check Point researchers observed that threat actors have been actively exploiting this security flaw since March 19.
According to a new report from Check Point, the cybercriminals targeted government and private organizations, primarily in Romania and Poland. They used phishing emails carrying a Dropbox link to an archive that contained exploits for multiple vulnerabilities. The goal of these attacks was to harvest NTLMv2-SSP hashes that could be used in later attacks to compromise systems.
“Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file,” Check Point researchers explained. “This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.”
Since March 2025, Check Point researchers have observed multiple malicious campaigns targeting CVE-2025-24054. They found SMB servers associated with these campaigns in various countries worldwide, including Australia, the Netherlands, Bulgaria, Russia, and Turkey.
Check Point researchers highlight the urgent need for organizations to swiftly apply patches and address NTLM vulnerabilities due to their active exploitation. Administrators should adopt a proactive approach to patch management and network security to protect employees against potential threats.