Windows NTLM hash leak flaw exploited in phishing attacks on governments
Published on: 2025-04-22 14:20:39
A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies.
The flaw, tracked as CVE-2025-24054, was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be.
However, Check Point researchers report having observed active exploitation of CVE-2025-24054 only a few days after patches became available, culminating between March 20 and 25, 2025.
Although one IP address behind these attacks was previously linked to the Russian state-sponsored threat group APT28 ('Fancy Bear'), this is not enough evidence for confident attribution.
Exposing NTLM hashes
NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that uses challenge-response negotiation involving hashes instead of transmitting plaintext passwords to authenticate users.
While NTLM avoids transmitting p
...