External risk intelligence

Windows NTLM Network Spoofing Vulnerability

CVE advisoryKnown Exploit

CVE-2025-24054

A network spoofing vulnerability in Windows NTLM allows unauthorized attackers to manipulate file names or paths. This could lead to unauthorized actions and potential data breaches within affected organizations. The business risk is associated with the potential for attackers to impersonate legitimate users over a net

2Halo Surface Signal

Microsoft Windows 10 1507

before 10.0.10240.20947before 10.0.14393.7876before 10.0.17763.7009before 10.0.19044.5608before 10.0.19045.5608before 10.0.22621.5039before 10.0.22631.5039before 10.0.26100.3403r2;...

External exposure likelihood

Halo Surface Signal score for CVE-2025-24054

The vulnerability affects Windows NTLM, an internal authentication protocol. While technically network-reachable, NTLM is typically used within internal network boundaries or protected enterprise environments. Direct exposure of NTLM to the public internet is non-standard and generally discouraged by security best practices.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within the NTLM authentication protocol in Windows systems. This flaw allows an unauthorized attacker to perform spoofing over a network by external control of file names or paths. The issue stems from improper validation of file paths within the NTLM service, enabling manipulation of file paths. This can lead to unauthorized command execution and data breaches.

  • Vulnerable component: Windows NTLM
  • Core weakness: External control of file name or path
  • Main business impact: Spoofing and data breaches

Attack Path

How an attacker could exploit the issue

The vulnerability allows an attacker to perform spoofing over a network by controlling file names or paths. This could lead to unauthorized actions or misrepresentation within the affected Windows systems. Organizations with exposed NTLM services face potential risks from this type of attack.

  • Network exposure required.
  • Attacker gains unauthorized access.
  • Triggering action results in control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability involves external control of a file name or path within Windows NTLM, enabling an unauthorized attacker to conduct spoofing over a network. The exploitation requires a user to interact with a malicious program or link. This could lead to unauthorized access or modification of data, posing a significant business risk.

  • Attackers with any skill level.
  • Requires network access and user interaction.
  • Business risk is medium.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Windows NTLM allows an attacker to impersonate a user over a network by manipulating file names or paths. Organizations should prioritize identifying all systems running affected Windows versions. Implementing network segmentation and access controls can reduce the potential attack surface. After applying the vendor's security updates, it is essential to validate that the fix has been successfully deployed and to monitor systems for any signs of compromise.

  • Find affected Windows assets.
  • Restrict network access.
  • Apply vendor fix and validate.
  • Monitor for related activity.

Frequently asked questions

What is the primary function of Windows NTLM that is affected by CVE-2025-24054?

CVE-2025-24054 affects the Windows NTLM authentication protocol. NTLM is used for network authentication, allowing users and computers to prove their identity to resources over a network. This vulnerability exploits how NTLM handles file names or paths, potentially allowing an attacker to impersonate a legitimate user or system.

How does the external control of file name or path weakness enable spoofing in Windows NTLM?

The CWE-73 weakness, 'External control of file name or path,' in Windows NTLM allows an attacker to manipulate file paths that the system uses. By controlling these paths, an attacker can trick the NTLM process into interacting with malicious files or locations, leading to spoofing where the attacker can impersonate a legitimate user or service on the network.

What is the trigger path for this NTLM spoofing vulnerability?

The trigger path for this vulnerability involves an attacker controlling file names or paths that are processed by the Windows NTLM service. Exploitation typically requires network access and user interaction with a malicious program or link, which then leverages the flawed file path handling to achieve spoofing.

What is the significance of CVE-2025-24054 being listed on the Known Exploited Vulnerabilities (KEV) catalog?

CVE-2025-24054's inclusion on the CISA KEV catalog signifies that it is actively exploited by malicious actors in the wild. This means there is a demonstrated threat, and organizations are urged to apply mitigations promptly to protect against active attacks targeting this Windows NTLM spoofing vulnerability.

What are the recommended practical steps to mitigate the Windows NTLM spoofing vulnerability?

To mitigate this vulnerability, organizations should first identify all affected Windows systems. Implementing network segmentation and restricting network access to NTLM services can reduce the attack surface. Crucially, applying the security updates provided by Microsoft is essential. After applying patches, validating their successful deployment and continuously monitoring systems for suspicious activity is recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified