A vulnerability previously thought to be low priority was cast into the spotlight thanks to a newly revealed exploit in the wild.

Administrators were advised to test and install Microsoft’s March security fixes to prevent exploitation of the flaw.

Researchers with security vendor Check Point report finding active exploits in the wild targeting the Microsoft flaw designated as CVE-2025-24054.

“Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems,” Check Point said. “Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.”

The flaw is currently being exploited in attacks on targeted government and contractor companies in Poland and Romania, though the presence of an active exploit suggests other attackers will soon follow suit.

Check Point noted that in the days after the first reports, a number of additional campaigns popped up targeting the vulnerability via spam emails.

The flaw itself is based in the Microsoft New Technology LAN Manager (NTLM) protocol. An attacker could capture hashed passwords while in transit via a man-in-the-middle attack condition.

Once in possession of the hashed passwords, the threat actor could use brute-force tactics to eventually decode the passwords. Decoding hashed passwords is not practical at large scale, but for specific targets without an immediate deadline the process is possible and can be used to devastating effect.

Exploitation could eventually result in the loss of user credentials and, depending on the privileges of the account in question, a larger takeover of network systems.

Such vulnerabilities are not generally considered a high priority, as they rely on specific network settings and conditions in order to pose a real-world threat.
In this case, however, there is a particular risk.

CVE-2025-24054 poses a unique threat in that exploiting the flaw requires relatively little user interaction. Microsoft said that a threat actor can trigger the exploit chain with something as simple as “minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.”

“This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments,” the Check Point team noted. “The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.”

Fortunately, there is an easy solution for this specific attack. Installing the latest two monthly patches from Microsoft will seal off the vulnerability. Administrators now have one more reason to get up to date on their security updates.
