Miscreants Weaponize 'Low-Exploitability' Microsoft Bug in Just 8 Days
On March 11, during the usual Patch Tuesday updates, Microsoft rolled out a slew of bug fixes. However, just eight days later, miscreants had already weaponized one of these vulnerabilities, using it to target government and private sector organizations in Poland and Romania.
The affected vulnerability is CVE-2025-24054, an NTLM hash-leaking vulnerability that Microsoft had rated as "less likely" to be exploited. Despite this rating, attackers were able to build malware that abused the bug, according to researchers at Check Point. The malicious campaign was swift and targeted, with attacks observed in multiple countries by March 25.
How Attackers Exploited the Vulnerability
The attack began with phishing emails luring victims into downloading a Dropbox-hosted ZIP archive called xd.zip. Inside the archive were four booby-trapped files, including a .library-ms file that exploited CVE-2025-24054. Even simply unzipping the archive or viewing the folder in Windows Explorer was enough to trigger an outbound SMB authentication attempt, leaking the victim's Net-NTLMv2 hash to a remote server controlled by the attackers.
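The observable artefact of this exploit chain is an outbound SMB connection from a workstation to a host outside the organisation, which is exactly what perimeter firewall logs record. The following added example (not code from the article or from Check Point) scans constructed firewall log lines for SMB (TCP 445/139) connections to non-internal destinations and tags those that match the indicator the article quotes; the log format, the internal address ranges and the sample lines are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample log lines (not from the article). Assumed format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>"
SAMPLE_LOG = """\
2025-03-20T09:14:02Z src=10.20.5.17 dst=10.20.1.5 dport=445 proto=tcp action=allow
2025-03-20T09:14:07Z src=10.20.5.17 dst=159.196.128.120 dport=445 proto=tcp action=allow
2025-03-20T09:15:11Z src=10.20.5.22 dst=198.51.100.9 dport=443 proto=tcp action=allow
2025-03-20T09:16:40Z src=10.20.5.31 dst=198.51.100.77 dport=445 proto=tcp action=deny
"""

# Indicator quoted in the article (defanged there as 159.196.128[.]120).
KNOWN_IOCS = {"159.196.128.120"}
SMB_PORTS = {445, 139}
# Assumed internal ranges; an organisation would list its own allocations here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def is_internal(ip_str):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb_leaks(log_text):
    """Return (timestamp, src, dst, verdict) for SMB connections leaving the
    internal network. Denied connections are still reported: the client had
    already tried to authenticate, so the originating host deserves a look."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue
        dst = m["dst"]
        if is_internal(dst):
            continue  # normal file-server traffic
        if dst in KNOWN_IOCS:
            verdict = "ioc"
        elif m["action"] == "deny":
            verdict = "blocked-attempt"
        else:
            verdict = "external"
        hits.append((m["ts"], m["src"], dst, verdict))
    return hits

if __name__ == "__main__":
    for hit in find_outbound_smb_leaks(SAMPLE_LOG):
        print(hit)
```

Blocking TCP 445 outbound at the perimeter stops the hash from leaving, but the "blocked-attempt" entries still identify hosts that opened a malicious .library-ms and need the patch.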
The stolen NTLM hashes were exfiltrated to a specific IP address: 159.196.128[.]120 – an address previously flagged by HarfangLab in January as linked to APT28, aka the Russia-backed Fancy Bear hacking group. However, there's no further information directly associating this IP with the group, according to Check Point.
Evolution of the Attack Campaign
By March 25, attackers had shifted their tactics and began emailing standalone .library-ms files directly to targets. This change marked a significant evolution in the attack campaign, as it demonstrated that attackers could bypass traditional phishing tactics with minimal user interaction.
The new attack vector required only a single click or right-click on the malicious file to trigger the exploit. Microsoft had rated the vulnerability as "less likely" to be exploited, yet attackers adapted and weaponized it in just eight days.
Implications for Organizations
The rapid exploitation of this vulnerability highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments. According to Check Point, the minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.
"This rapid exploitation underscores the importance of timely patching and proactive measures to prevent such attacks," said Check Point. "Organizations must prioritize the security of their environments and take immediate action to address this vulnerability."