
CVE-2025-24054

Severity: Medium · CISA KEV · Active Exploitation · Public PoC

Published: 11 March 2025
Modified: 13 February 2026
KEV Added: 17 April 2025
Patch: available (see Microsoft's update guide under Security Summary)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0783 (92.0th percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)


Security Summary

CVE-2025-24054 is a vulnerability involving external control of file name or path in Windows NTLM, enabling an unauthorized attacker to perform spoofing over a network. It affects the Windows NTLM authentication component and was published on 2025-03-11. The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and maps to CWE-73: External Control of File Name or Path.

An unauthorized attacker with network access can exploit this vulnerability using a low-complexity technique that requires user interaction, such as the victim clicking a malicious link or opening an attacker-supplied resource. Successful exploitation allows spoofing with a high confidentiality impact; the CVSS vector rates the integrity and availability impact as none.

Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054, which details remediation steps including patches. Additional references include a full disclosure on SecLists (http://seclists.org/fulldisclosure/2025/Apr/28), proof-of-concept exploits on Exploit-DB (https://www.exploit-db.com/exploits/52478 and https://www.exploit-db.com/exploits/52480), and a detection script from Vicarius (https://www.vicarius.io/vsociety/posts/cve-2025-24054-spoofing-vulnerability-in-windows-ntlm-by-microsoft-detection-script).

Publicly available exploits indicate potential for real-world abuse, underscoring the need for prompt patching on affected Windows systems using NTLM.

Details

CWE(s): CWE-73 (External Control of File Name or Path)
KEV Date Added: 17 April 2025

Affected Products

Vendor      Product                 Affected versions
microsoft   windows 10 1507         ≤ 10.0.10240.20947
microsoft   windows 10 1607         ≤ 10.0.14393.7876
microsoft   windows 10 1809         ≤ 10.0.17763.7009
microsoft   windows 10 21h2         ≤ 10.0.19044.5608
microsoft   windows 10 22h2         ≤ 10.0.19045.5608
microsoft   windows 11 22h2         ≤ 10.0.22621.5039
microsoft   windows 11 23h2         ≤ 10.0.22631.5039
microsoft   windows 11 24h2         ≤ 10.0.26100.3403
microsoft   windows server 2008     r2
microsoft   windows server 2012     all versions, r2
+5 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1187 Forced Authentication (Credential Access)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The external control of file name/path in NTLM directly enables forced authentication to an attacker-controlled server (T1187) and facilitates adversary-in-the-middle spoofing for credential capture/relay (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References