This week: a Windows vulnerability under active exploitation, a phishing-as-a-service campaign, a major funding lapse for a key vulnerability database, and a new trojan exploiting a Windows zero-day.
A medium-severity vulnerability in Microsoft Windows, known as CVE-2025-24054, is actively being exploited. This security flaw enables attackers to capture NTLM hashes when users engage with a specifically crafted .library-ms file. Although Microsoft addressed this vulnerability with a patch in March 2025, recent intelligence reveals that malicious actors are still exploiting it in targeted attacks.
Attack Details:
The vulnerability can be triggered by minimal user interaction, such as single-clicking or right-clicking on a malicious .library-ms file. Exploitation leads to the disclosure of NTLM hashes, which can be used in pass-the-hash or relay attacks to gain unauthorised access to systems.
Potential Impact:
Unauthorised access to sensitive systems
Credential theft and lateral network movement
Recommendations:
Ensure all Windows systems are updated
Educate users about file interaction risks
Monitor authentication logs for unusual activity
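A defender-side check for the .library-ms vector above, added here as an example and not code from the advisory's source: it parses a library description file and flags any location that would make Explorer reach out to a host outside an allow-list. It assumes the crafted file embeds a remote UNC or file:// location, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample modelled on the Windows Library Description schema; the
# crafted files described above are assumed to embed a remote UNC location.
_TEMPLATE = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>LOCATION</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SUSPICIOUS_LIBRARY_MS = _TEMPLATE.replace("LOCATION", r"\\203.0.113.10\share")
BENIGN_LIBRARY_MS = _TEMPLATE.replace(
    "LOCATION", "knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")

def remote_host(location: str):
    """Host that Explorer would contact to resolve this library location,
    or None when the location is local (drive path, known-folder reference)."""
    norm = location.strip().replace("/", "\\")
    if norm.lower().startswith("\\\\?\\unc\\"):  # \\?\UNC\host\share form
        norm = "\\\\" + norm[8:]
    if norm.startswith("\\\\"):                   # plain UNC \\host\share
        return norm[2:].split("\\", 1)[0] or None
    parsed = urlparse(location.strip())           # file://host/... or smb://host/...
    if parsed.scheme in ("file", "smb") and parsed.hostname:
        return parsed.hostname
    return None

def scan_library_ms(xml_text: str, trusted_hosts=()) -> list:
    """Return (location, reason) findings for one .library-ms document.
    Locations on hosts outside trusted_hosts are flagged; a document that
    does not parse is flagged whole rather than silently passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<document>", f"malformed XML: {exc}")]
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for elem in root.iter():
        if not (elem.tag == "url" or elem.tag.endswith("}url")):
            continue
        location = (elem.text or "").strip()
        host = remote_host(location)
        if host and host.lower() not in trusted:
            findings.append((location, f"remote location on untrusted host {host}"))
    return findings

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_LIBRARY_MS), ("benign", BENIGN_LIBRARY_MS)):
        print(name, scan_library_ms(doc, trusted_hosts={"fileserver.corp.example"}))
```

Run it over files arriving by mail or download before they reach a user's Explorer; anything pointing at a host you do not operate is worth quarantining regardless of patch status.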
Lucid, a sophisticated phishing-as-a-service (PhaaS) platform, has surfaced, posing a threat to 169 entities across 88 countries. This platform leverages smishing messages through iMessage and RCS (Rich Communication Services) to execute extensive phishing campaigns.
Attack Details:
Lucid functions through 129 active instances and over 1,000 registered domains, systematically deploying phishing messages aimed at extracting credit card details and other sensitive information.
Potential Impact:
Widespread identity and financial theft
Organisational credential compromise
Recommendations:
Deploy mobile security tools against smishing
Train staff to spot phishing messages
Patch mobile OS vulnerabilities
U.S. government funding for MITRE’s operation of the Common Vulnerabilities and Exposures (CVE) system officially expired. This raises serious concerns about the continuity of vulnerability tracking and disclosure.
Impact:
Potential delay in CVE assignment and publication
Disruption of coordinated vulnerability disclosures
Recommendations:
Monitor updates from MITRE and alternative CNAs
Prepare for delays in vulnerability database updates
Adapt vulnerability management workflows accordingly
Microsoft confirmed that the CLFS zero-day vulnerability (CVE-2025-29824) was actively exploited via a custom trojan named PipeMagic. This enabled attackers to gain SYSTEM-level access and deploy ransomware.
Attack Details:
The threat actor Storm-2460 used PipeMagic to exploit the vulnerability and deploy ransomware. Targets included organisations in the US, Venezuela, Spain, and Saudi Arabia, across IT, retail, and financial sectors.
Potential Impact:
SYSTEM-level privilege escalation
Ransomware deployment and operational disruption
Recommendations:
Patch all Windows systems immediately
Use EDR to detect and isolate malware
Train staff on phishing and social engineering