Spoofing Vulnerability in Windows NTLM by Microsoft
CVE-2025-24054

5.4MEDIUM

Key Information:

Vendor: Microsoft
Status: Windows 10 Version 1809; Windows Server 2019; Windows Server 2019 (server Core Installation); Windows Server 2022
Vendor: CVE Published:; 11 March 2025

Badges

🔥 Trending now🥇 Trended No. 1📈 Trended📈 Score: 14,100💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 19%🦅 CISA Reported📰 News Worthy

What is CVE-2025-24054?

CVE-2025-24054 is a spoofing vulnerability in Windows NTLM, a protocol used for authentication in Microsoft systems. This vulnerability allows unauthorized attackers to manipulate file names or paths within an NTLM context, which can lead to unauthorized actions over a network. The potential risks associated with this flaw are significant, as organizations relying on NTLM for secure communications may inadvertently expose themselves to spoofing attacks, undermining the integrity and trustworthiness of their authentication mechanisms.

Technical Details

The vulnerability arises from external control over file names or paths utilized by the Windows NTLM protocol. If exploited, this flaw permits attackers to alter the expected file or path references, which can facilitate unauthorized access or actions by masquerading as legitimate users or processes. The vulnerability operates within the wider scope of network communications and could enable attackers to engage in various malicious activities, potentially compromising sensitive data.

Potential Impact of CVE-2025-24054

Unauthorized Access: Exploitation of this vulnerability could allow attackers to masquerade as legitimate users, leading to unauthorized access to sensitive resources within the network.
Data Integrity Compromise: Attackers could manipulate application behavior or data flow, potentially resulting in data alteration or loss, thus jeopardizing data integrity.
Network Security Breach: The presence of this vulnerability could serve as a foothold for more extensive network breaches, enabling attackers to escalate privileges or further infiltrate the organization’s systems.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Windows 10 Version 1507 32-bit Systems 10.0.10240.0 < 10.0.10240.20947

Windows 10 Version 1607 32-bit Systems 10.0.14393.0 < 10.0.14393.7876

Windows 10 Version 1809 32-bit Systems 10.0.17763.0 < 10.0.17763.7009

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-24054-PoC
Created by helidem

CVE-2025-24054_PoC
Created by xigney