22.04.25 Threat Report

This week, a Windows vulnerability under active exploitation to a phishing campaign, a major funding lapse for a key vulnerability database, and a new trojan exploiting a Windows zero-day.

1. Windows NTLM Vulnerability (CVE-2025-24054) Under Active Exploitation

A medium-severity vulnerability in Microsoft Windows, known as CVE-2025-24054, is actively being exploited. This security flaw enables attackers to capture NTLM hashes when users engage with a specifically crafted .library-ms file. Although Microsoft addressed this vulnerability with a patch in March 2025, recent intelligence reveals that malicious actors are still exploiting it in targeted attacks.

Attack Details:

The vulnerability can be triggered by minimal user interaction, such as single-clicking or right-clicking on a malicious .library-ms file. Exploitation leads to the disclosure of NTLM hashes, which can be used in pass-the-hash or relay attacks to gain unauthorised access to systems.

Potential Impact:

• Unauthorised access to sensitive systems

• Credential theft and lateral network movement

Recommendations:

• Ensure all Windows systems are updated

• Educate users about file interaction risks

• Monitor authentication logs for unusual activity

2. Lucid Phishing-as-a-Service Platform Targets Global Entities

Lucid, a sophisticated phishing-as-a-service (PhaaS) platform, has surfaced, posing a threat to 169 entities across 88 countries. This platform leverages smishing messages through iMessage and RCS (Rich Communication Services) to execute extensive phishing campaigns.

Attack Details:

Lucid functions through 129 active instances and over 1,000 registered domains, systematically deploying phishing messages aimed at extracting credit card details and other sensitive information.

Potential Impact:

• Widespread identity and financial theft

• Organisational credential compromise

Recommendations:

• Deploy mobile security tools against smishing

• Train staff to spot phishing messages

• Patch mobile OS vulnerabilities

3. U.S. Government Funding for MITRE's CVE Program Ends

U.S. government funding for MITRE’s operation of the Common Vulnerabilities and Exposures (CVE) system officially expired. This raises serious concerns about the continuity of vulnerability tracking and disclosure.

Impact:

• Potential delay in CVE assignment and publication

• Disruption of coordinated vulnerability disclosures

Recommendations:

• Monitor updates from MITRE and alternative CNAs

• Prepare for delays in vulnerability database updates

• Adapt vulnerability management workflows accordingly

4. PipeMagic Trojan Exploits Windows Zero-Day (CVE-2025-29824)

Microsoft confirmed that the CLFS zero-day vulnerability (CVE-2025-29824) was actively exploited via a custom trojan named PipeMagic. This enabled attackers to gain SYSTEM-level access and deploy ransomware.

Attack Details:

The threat actor Storm-2460 used PipeMagic to exploit the vulnerability and deploy ransomware. Targets included organisations in the US, Venezuela, Spain, and Saudi Arabia, across IT, retail, and financial sectors.

Potential Impact:

• SYSTEM-level privilege escalation

• Ransomware deployment and operational disruption

Recommendations:

• Patch all Windows systems immediately

• Use EDR to detect and isolate malware

• Train staff on phishing and social engineering

Sign up now to receive expert threat intelligence straight to your inbox and stay one step ahead.