Microsoft - NTLM Hash Disclosure Spoofing (library-ms)
AI Analysis
Technical Summary
The Microsoft NTLM Hash Disclosure Spoofing vulnerability, tracked as CVE-2025-24054, is a flaw in how Microsoft Windows handles .library-ms files, the files Windows uses to manage library folders. It was reported to Microsoft and publicly disclosed in 2018, when Microsoft judged it not severe enough to warrant immediate remediation; after other researchers re-reported it, Microsoft recognized its importance, assigned a CVE identifier in 2025 and retroactively credited the original reporter. A spoofed or manipulated .library-ms file causes Windows to disclose NTLM hashes. NTLM (NT LAN Manager) is a Windows authentication protocol, and a captured hash can be used for credential theft, credential replay or pass-the-hash attacks, and subsequent lateral movement within the network. Exploit code is publicly available and written in Perl, so exploitation can be automated. The original advisory classifies network access as remote; the analysis here describes the attack as local in nature but remotely triggerable, meaning an attacker with network access to a vulnerable system could leverage the flaw without user interaction or prior authentication. The long gap between the initial report and its recognition highlights the subtlety of the vulnerability. Because NTLM hashes sit at the core of Windows authentication, the flaw threatens the confidentiality and integrity of user credentials and can lead to broader compromise within affected environments.
Potential Impact
For European organizations, this vulnerability presents a significant risk, especially for enterprises that rely heavily on Windows infrastructure and legacy authentication protocols such as NTLM. Disclosed NTLM hashes enable credential theft: attackers can impersonate legitimate users, escalate privileges and move laterally across networks, which can lead to unauthorized access to sensitive data, service disruption and data breaches. Finance, government, healthcare and critical-infrastructure organizations in Europe are particularly exposed because of their reliance on Windows environments and the high value of their data, and organizations with remote or hybrid work models face additional exposure where network access controls are insufficient. Publicly available Perl exploit code lowers the barrier for attackers and increases the likelihood of exploitation. Although the vulnerability requires local access, the possibility of remote triggering expands the attack surface, and the medium severity rating may understate the cascading effects of credential compromise in complex enterprise networks. European organizations should therefore treat this vulnerability as a serious threat to their security posture.
Mitigation Recommendations
1. Apply any available Microsoft patches or updates addressing CVE-2025-24054 immediately; if no patch exists yet, monitor Microsoft's security update guide closely for releases.
2. Implement network segmentation to limit access to systems that process .library-ms files, reducing the attack surface for remote exploitation.
3. Enforce strict network access controls and monitor for unusual access patterns to Windows file shares and library folders.
4. Disable or restrict NTLM authentication where possible and migrate to more secure protocols such as Kerberos.
5. Require multi-factor authentication (MFA) to reduce the impact of credential theft.
6. Maintain credential hygiene, including regular password changes and strong, unique passwords.
7. Deploy endpoint detection and response (EDR) tooling to identify suspicious activity related to .library-ms file handling or NTLM hash extraction attempts.
8. Educate IT and security teams about the specific nature of this exploit and the risks of NTLM hash disclosure.
9. Use network intrusion detection systems (NIDS) with signatures or heuristics tuned to detect exploitation attempts against this vulnerability.
10. Restrict execution of unauthorized scripts and binaries, including Perl scripts, on critical systems to hinder exploit deployment.
Combined with vigilant monitoring and incident response readiness, these measures will help mitigate the risk posed by this vulnerability.
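The check behind mitigation item 4, as an added example (this is not code from the advisory author or from the page's analysis): a PowerShell audit of the two local settings that decide whether a host will send NTLM to remote servers, assuming the standard registry locations of the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies.

```powershell
# Added example: audit (and optionally tighten) the local NTLM settings behind
# mitigation item 4. Registry paths/values are those of the Group Policy settings
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" and
# "Network security: LAN Manager authentication level". Run elevated.

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent -> policy default
    return [int]$item.$Name
}

function Test-NtlmHardening {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = Join-Path $lsa 'MSV1_0'

    # RestrictSendingNTLMTraffic: 0 = allow all (default), 1 = audit all, 2 = deny all.
    $outgoing = Get-RegValueOrDefault -Path $msv10 -Name 'RestrictSendingNTLMTraffic' -Default 0
    # LmCompatibilityLevel: 3 = send NTLMv2 only (default), 5 = also refuse LM and NTLMv1.
    $lmLevel  = Get-RegValueOrDefault -Path $lsa -Name 'LmCompatibilityLevel' -Default 3

    $findings = @()
    switch ($outgoing) {
        0 { $findings += 'Outgoing NTLM to remote servers is unrestricted (weak).' }
        1 { $findings += 'Outgoing NTLM is audited only; review the Microsoft-Windows-NTLM/Operational log.' }
        2 { $findings += 'Outgoing NTLM to remote servers is denied (hardened).' }
    }
    if ($lmLevel -lt 5) {
        $findings += "LmCompatibilityLevel is $lmLevel; 5 sends NTLMv2 only and refuses LM/NTLMv1."
    }

    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $outgoing
        LmCompatibilityLevel       = $lmLevel
        Hardened                   = ($outgoing -eq 2 -and $lmLevel -eq 5)
        Findings                   = $findings
    }
}

# Hardened values. Start in Audit mode: denying outgoing NTLM breaks access to
# servers that still require it, so review the audit log before switching to Deny.
function Set-NtlmHardening {
    param([ValidateSet('Audit', 'Deny')][string]$Mode = 'Audit')
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = if ($Mode -eq 'Deny') { 2 } else { 1 }
    Set-ItemProperty -Path (Join-Path $lsa 'MSV1_0') -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord
    Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
}

Test-NtlmHardening | Format-List
```

A host that reports Hardened = True still needs item 2 (segmentation) and item 3 (access monitoring), since the settings only govern what this host sends, not what other hosts on the network do.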
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- exploit-code:

# Exploit title: Microsoft - NTLM Hash Disclosure Spoofing (library-ms)
# Exploit Author: John Page (aka hyp3rlinx)
# x.com/hyp3rlinx
# ISR: ApparitionSec

Back in 2018, I reported a ".library-ms" File NTLM information disclosure vulnerability to MSRC and was told "it was not severe enough", that being said I post it anyways. Seven years passed, until other researchers re-reported it. Subsequently this security flaw was finally deemed important by Microsoft and it received CVE-2025-24054, for which I was finally retroactively credited as the original reporter.

Circa 2025 updated: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054

[References]
https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt
https://packetstorm.news/files/id/148556/
https://cxsecurity.com/issue/WLB-2018070160

[Network Access]
Remote

[Original Disclosure Timeline]
Vendor Notification: Jun 29, 2018
MSRC Response: Jul 12, 2018 "risk is not severe enough to justify immediate servicing."
July 14, 2018 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content copyright (c). hyp3rlinx
Technical Details
- Edb Id: 52280
- Has Exploit Code: true
- Code Language: perl
Threat ID: 68489e2b7e6d765d51d540b8
Added to database: 6/10/2025, 9:05:47 PM
Last enriched: 6/11/2025, 9:11:42 PM
Last updated: 8/14/2025, 4:29:14 AM