🟡 CVE-2025-24054

CVE-2025-24054 is an NTLM hash disclosure spoofing vulnerability in Windows that allows an attacker to perform spoofing over a network. It enables credential theft and man-in-the-middle attacks against NTLM authentication, and is particularly relevant for Windows Server deployments, which are commonly internet-facing.

Risk Level: MEDIUM_RISK
CVSS Score: 6.5
Attack Vector: NETWORK
ATT&CK Tactic: Credential Access
ATT&CK Technique: T1557 — Adversary-in-the-Middle
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: MEDIUM

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-03-11

Added to CISA KEV: 2025-04-17 (37 days between CVE publication and KEV addition)


🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-24054 is a critical security vulnerability involving the external control of file names or paths in Windows NTLM, which allows an unauthorized attacker to perform spoofing over a network [4].

Key Details
  • Active Exploitation: Yes, observed in the wild starting around March 19, 2025 [1].
  • Attack Method: Exploited using a maliciously crafted `.library-ms` file which, when extracted from a ZIP archive, triggers Windows Explorer to leak NTLMv2-SSP hashes [1].
  • Requirements: Requires user interaction (e.g., opening or extracting a malicious file) [1].
  • Impact: Allows attackers to leak NTLM hashes or user passwords, potentially leading to system compromise or network spoofing [1].
  • Ransomware/Targeted: Usage in known ransomware campaigns is currently unknown [3].
  • Patch Status: Patched by Microsoft on March 11, 2025 [1].
Additional Context
  • Exploitation Timeline: Although Microsoft released a patch on March 11, 2025, threat actors had over a week to develop and deploy exploits before active abuse was observed in the wild [1].
  • CISA Status: The vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog, with a remediation due date of May 8, 2025 [3].
  • Mitigation: The primary recommendation is to apply the March 2025 Microsoft security updates. In environments where NTLM is not strictly required, disabling it is considered a broader security best practice to prevent NTLM relay and similar spoofing attacks [2].

Sources

  1. CVE-2025-24054, NTLM Exploit in the Wild - Check Point Research

    CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted ... Microsoft, on March 11, 2025, released a security patch protecting against a vulnerability in Windows Explorer that leaks NTLMv2-SSP when a malicious…

  2. NTLM Hash Disclosure Spoofing Vulnerability - CVE-2025-24054

    Install the March 2025 Microsoft patch that fixes the issue. This is the easiest. Disable NTLM everywhere on your network (that could take a lot ...

  3. KEV Entry: CVE-2025-24054 (Vulnerability-Lookup)

    Due date: 2025-05-08 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 ; https://nvd.nist.gov/vuln/detail/CVE-…

  4. CVE-2025-24054 Detail - NVD

    External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.