Do Son 
PCAP NTLMv2-SSP Hash
Hackers have begun actively exploiting a newly discovered Windows vulnerability involving the processing of .library-ms files, which enables the remote harvesting of user NTLM hashes. The flaw, cataloged as CVE-2025-24054, was addressed in Microsoft’s March security update, but was initially considered unlikely to be exploited. Nevertheless, just days after the patch was released, researchers at Check Point observed real-world attacks targeting both government institutions and private enterprises.
NTLM—an outdated authentication protocol used in Microsoft systems—has long been recognized as insecure. Although it does not transmit passwords in plain text, intercepted hashes are vulnerable to brute-force or replay attacks. Due to these inherent risks, Microsoft has been gradually phasing out NTLM in favor of more robust alternatives such as Kerberos.
According to Check Point, attackers are distributing phishing emails containing Dropbox links that lead to ZIP archives. Inside these archives is a specially crafted .library-ms file—a legitimate Windows format used to display virtual libraries. However, in this case, the file is configured to initiate a connection to a remote SMB server controlled by the attackers.
As soon as the archive is extracted, Windows automatically engages with the file, initiating a connection to the remote server. During this interaction, the system begins authenticating via NTLM, inadvertently sending user hashes to the malicious server. Alarmingly, the vulnerability can be triggered by a mere interaction with the file—such as a single click or simply viewing its properties.
Subsequent incidents revealed an escalation in technique, with .library-ms files being sent as standalone attachments, eliminating the need for ZIP compression. In these cases, simply downloading the file—without even opening it—was enough to activate the exploit. This significantly increases the threat level, particularly for employees accustomed to casually reviewing email attachments.
Often, the archive also contains other components with extensions such as .url, .website, and .link, which leverage older NTLM hash-leak vulnerabilities. These appear to function as fallback mechanisms in case the primary exploit fails.
Of particular concern is the minimal user interaction required to trigger the attack. Despite the vulnerability being classified as medium severity, its real-world consequences may be far more serious—ranging from authentication bypass to compromise of privileged accounts.
Security experts strongly urge all organizations to immediately apply the March Patch Tuesday updates and disable NTLM authentication entirely wherever it is not required for technical compatibility.
