CVE-2025-24054, NTLM Exploit in the Wild
CVE-2025-24054 is a critical NTLM authentication vulnerability actively exploited since March 2025, enabling attackers to leak NTLM hashes or user passwords via malicious .library-ms files. Exploitation requires minimal user interaction, such as right-clicking or browsing to a folder containing the crafted file. The attack campaign primarily targets government and private institutions in Poland and Romania, distributing payloads through malspam emails with Dropbox links. This vulnerability is a variant of the previously patched CVE-2024-43451 but remains unpatched in many environments. The disclosed credentials can facilitate lateral movement, privilege escalation, and full system compromise. European organizations relying on NTLM authentication and lacking advanced endpoint protections are at significant risk. Mitigations include restricting .library-ms file processing, enhancing email filtering, enforcing MFA, deploying EDR solutions, and disabling NTLM where possible. Countries most affected include Poland, Romania, Ukraine, Germany, France, Italy, the UK, and Spain due to targeted campaigns and similar IT environments.
AI Analysis
Technical Summary
CVE-2025-24054 is a critical security vulnerability affecting Windows systems that utilize NTLM authentication. The flaw involves the disclosure of NTLM hashes or user passwords through a spoofing attack vector using maliciously crafted .library-ms files, which are Windows shell library files designed to aggregate folders and content. The exploit is triggered with minimal user interaction, such as right-clicking or simply navigating to a folder containing the malicious .library-ms file. This vulnerability is a variant of the previously patched CVE-2024-43451, sharing similar underlying mechanisms but remaining unpatched in many environments. Since March 19, 2025, threat actors, notably the group UAC-0194, have actively exploited this vulnerability in targeted campaigns primarily against government and private institutions in Poland and Romania. The attack vector involves malspam emails containing Dropbox links to archives that deliver the malicious payload. The exploit requires no prior authentication and minimal user action, increasing its risk and ease of exploitation. The disclosure of NTLM hashes or passwords can enable attackers to perform credential theft, lateral movement, privilege escalation, and ultimately full system compromise. The campaign's use of cloud storage links and social engineering tactics further complicates detection and prevention. The lack of available patches and the similarity to a previously patched vulnerability suggest that many legacy or unpatched Windows systems remain vulnerable, especially those relying on NTLM authentication and handling .library-ms files.
Potential Impact
For European organizations, particularly in Poland and Romania where active exploitation has been observed, this vulnerability poses a significant threat to confidentiality and integrity of sensitive data. The leakage of NTLM hashes or user passwords can lead to credential theft, enabling attackers to move laterally within networks, escalate privileges, and potentially compromise entire systems. Government institutions and private sector entities handling sensitive or classified information are at heightened risk due to the targeted nature of the campaign. The minimal user interaction required to trigger the exploit increases the likelihood of successful compromise, especially in environments with less mature security awareness or endpoint protections. Furthermore, stolen credentials can be reused in subsequent attacks such as ransomware deployment or espionage, amplifying the potential damage. Organizations still relying on NTLM authentication without additional security controls are particularly vulnerable. The use of malspam and cloud storage links as delivery mechanisms means that organizations with insufficient email filtering and endpoint detection capabilities may be disproportionately affected. Given the campaign’s regional focus, other European countries with similar IT environments or geopolitical importance, such as Germany, France, Italy, the United Kingdom, and Spain, are also at risk of targeted attacks or spillover.
Mitigation Recommendations
1. Restrict or disable processing of .library-ms files where feasible, especially in user directories and shared network locations, to prevent automatic triggering of the exploit.
2. Implement advanced email filtering rules to detect and block malspam emails containing suspicious Dropbox links or archive files, leveraging threat intelligence indicators such as the provided file hashes.
3. Enforce multi-factor authentication (MFA) across all systems to mitigate the impact of credential theft.
4. Deploy and tune endpoint detection and response (EDR) solutions to monitor for unusual NTLM authentication attempts or suspicious hash transmissions indicative of exploitation attempts.
5. Conduct targeted user awareness training emphasizing the risks of interacting with unsolicited emails and links, highlighting that minimal interaction can trigger this exploit.
6. Apply any available vendor patches or workarounds related to CVE-2024-43451 and CVE-2025-24054 promptly once released.
7. Where possible, disable or restrict NTLM authentication in favor of more secure protocols such as Kerberos to reduce attack surface.
8. Perform regular credential audits and enforce password resets if compromise is suspected to limit attacker persistence.
9. Utilize application whitelisting to prevent execution of unauthorized files and scripts that could facilitate exploitation.
10. Implement network segmentation to contain potential lateral movement following credential compromise.
11. Monitor network traffic for anomalous connections to cloud storage services like Dropbox that may be used in attack campaigns.
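As an added example supporting recommendations 1 and 4 (not code from this advisory or from the referenced Check Point report): a Python triage scanner that parses .library-ms files, which are XML Library Descriptions, and flags any whose aggregated locations point at a remote UNC path or URL instead of a known folder or local drive. It assumes the crafted files embed such a remote location, a detail the advisory itself does not spell out; the sample XML and the 192.0.2.10 address are constructed.

```python
# Added example (not code from the advisory or Check Point's report): triage for
# .library-ms files. A Library Description is XML whose <simpleLocation><url>
# elements hold a knownfolder: GUID or local drive path in legitimate libraries.
# ASSUMPTION: the crafted files carry a remote location (UNC/URL) instead, which
# is what gets flagged for analyst review. Sample inputs below are constructed.
import os
import re
import xml.etree.ElementTree as ET

REMOTE_RE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.I)  # UNC path or URL
LOCAL_RE = re.compile(r"^(knownfolder:|shell:|[a-z]:\\)", re.I)  # known folder / drive

def library_locations(xml_text):
    """Return the text of every <url> element, regardless of XML namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]

def classify_location(url):
    """'remote' for UNC/URL, 'local' for known folder or drive path, else 'unknown'."""
    if REMOTE_RE.match(url):
        return "remote"
    return "local" if LOCAL_RE.match(url) else "unknown"

def triage_library(xml_text):
    """Return (verdict, findings); 'suspicious' if any location is not local."""
    try:
        locs = library_locations(xml_text)
    except ET.ParseError as exc:
        return "malformed", [f"XML parse error: {exc}"]
    findings = [(loc, classify_location(loc)) for loc in locs]
    return ("suspicious" if any(k != "local" for _, k in findings) else "benign"), findings

def scan_tree(root_dir):
    """Triage every .library-ms file under root_dir (user profiles, file shares)."""
    results = []
    for dirpath, _, names in os.walk(root_dir):
        for name in (n for n in names if n.lower().endswith(".library-ms")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.append((path,) + triage_library(fh.read()))
    return results

# Constructed samples: a stock-looking library and one pointing at a remote share.
BENIGN_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SUSPECT_LIBRARY = BENIGN_LIBRARY.replace(
    "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", r"\\192.0.2.10\docs")
```

Running `scan_tree` over user profile directories and shared folders gives a quick inventory of library files whose locations merit review; a `malformed` verdict also deserves a look, since stock library files always parse.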
Affected Countries
Poland, Romania, Ukraine, Germany, France, Italy, United Kingdom, Spain
Indicators of Compromise
- cve: CVE-2025-24071
- cve: CVE-2024-43451
- cve: CVE-2025-24054
Technical Details
- Author: AlienVault
- TLP: white
- References: https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild
- Adversary: UAC-0194
Threat ID: 682c992c7960f6956616a2ab
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 12/17/2025, 11:31:03 PM
Last updated: 1/18/2026, 4:19:22 AM