Threat actors exploiting vulnerability Microsoft plugged in March
IT managers who are slow to install application patches often pay a price in data theft, data destruction and ransomware.
I give this reminder because of a report issued last week by Check Point Software that a hole in Windows which Microsoft warned about on March 11 is being actively exploited.
Around March 20th a campaign targeted government and private institutions in Poland and Romania, the report says. Attackers sent spam email containing a Dropbox link to an archive that exploited multiple known vulnerabilities. One was CVE-2025-24054, which can be used to harvest NTLMv2-SSP hashes.
For those who don’t know, hashes are scrambled passwords. NTLM (New Technology LAN Manager) is a suite of authentication protocols that verifies user identities when logging in. Briefly, NTLMv2 has a way of protecting against hackers unscrambling those hashes. However, the vulnerability allows a hacker to capture the responses NTLMv2 issues when testing the authenticity of a login. The threat actor could then try a brute force attack to unscramble the hash.
How easy is it to exploit this vulnerability? The report says Microsoft’s patch documentation indicates it could be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file created by the malware that the user installed by clicking on the emailed link.
One of the fixes issued by Microsoft on March 11th during that month’s Patch Tuesday rollout was to plug this hole.
Eight days after the Microsoft security patch, Check Point Research discovered the first campaign utilizing CVE-2025-24054, the report says. “Until March 25, we have observed approximately another 10 campaigns with the end goal of retrieving NTLMv2-SSP hashes from the targeted victims.” The Windows SMB servers collecting those stolen hashes were hosted in Russia, Bulgaria, the Netherlands, Australia and Turkey. Then on March 25th, Check Point Research discovered a campaign targeting companies around the world.
Defenders should note that sometimes the malicious files are distributed in a zipped folder, but sometimes they aren’t zipped.
The rapid exploitation of this vulnerability “highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments,” says the report. “The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks. With the ongoing evolution of these attack vectors, staying ahead of the threat requires a proactive approach to both patch management and network security, as attackers continually adapt to find new ways to exploit weaknesses.”
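As an added illustration (not code from the article or the Check Point report): the stolen hashes only reach an attacker if a workstation is allowed to open an outbound SMB connection to an Internet host, so one practical check is to hunt firewall logs for that traffic. The Python below runs over constructed log lines in an assumed key=value export format, with an assumed list of internal address ranges; adapt both to your own exporter and network.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines (assumed format; real appliances differ).
# Internal hosts live in 10.0.0.0/8. 203.0.113.0/24 is a documentation
# range (TEST-NET-3) standing in for an attacker-controlled public host.
SAMPLE_LOG = """\
ts=2025-03-20T09:14:02Z src=10.0.5.23 dst=10.0.0.7 dport=445 proto=tcp action=allow
ts=2025-03-20T09:14:09Z src=10.0.5.23 dst=203.0.113.44 dport=445 proto=tcp action=allow
ts=2025-03-20T09:14:10Z src=10.0.5.23 dst=203.0.113.44 dport=443 proto=tcp action=allow
ts=2025-03-20T09:15:31Z src=10.0.7.88 dst=203.0.113.9 dport=139 proto=tcp action=deny
this line is malformed and must be skipped, not crash the parser
"""

SMB_PORTS = {445, 139}  # SMB direct-over-TCP and NetBIOS session service
# Assumed internal ranges: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) action=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def is_external(addr: str) -> bool:
    """True if addr parses as an IP and is outside every internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> List[Dict[str, object]]:
    """Return every TCP connection to an SMB port on an external host.
    Denied attempts are kept too: a blocked connection still shows a host
    that tried to authenticate to an Internet SMB server."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS \
                and is_external(str(rec["dst"])):
            findings.append(rec)
    return findings


def hosts_to_triage(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct internal sources that reached out, for follow-up on the endpoint."""
    return sorted({str(f["src"]) for f in findings})
```

Hosts on the triage list warrant checking for the emailed archive and for which user account was logged on at the time, since that account's hash is what would have left the network.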