Cyber Posture

CVE-2025-24054

MediumCISA KEVActive ExploitationPublic PoC

Published: 11 March 2025

Published
11 March 2025
Modified
13 February 2026
KEV Added
17 April 2025
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0783 92.0th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24054 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked in the top 8.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Forced Authentication (T1187) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly addresses CVE-2025-24054 by requiring timely patching of the vulnerable Windows NTLM component as specified in Microsoft's update guide.

SI-10 Information Input Validation good match
prevent

Prevents exploitation of CWE-73 external control of file name or path by validating all inputs to the NTLM authentication process.

CM-6 Configuration Settings partial match
prevent

Mitigates risk by establishing secure configuration settings to restrict or disable NTLM usage where possible, reducing attack surface for spoofing.

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
attack.mitre.org →
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
attack.mitre.org →
Why these techniques?

The external control of file name/path in NTLM directly enables forced authentication to an attacker-controlled server (T1187) and facilitates adversary-in-the-middle spoofing for credential capture/relay (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Deeper analysisAI

CVE-2025-24054 is a vulnerability involving external control of file name or path in Windows NTLM, enabling an unauthorized attacker to perform spoofing over a network. It affects the Windows NTLM authentication component and was published on 2025-03-11. The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and maps to CWE-73: External Control of File Name or Path.

An unauthorized attacker with network access can exploit this vulnerability by leveraging low-complexity techniques that require user interaction, such as clicking a malicious link or resource. Successful exploitation allows spoofing, resulting in high confidentiality impacts without affecting integrity or availability.

Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054, which details remediation steps including patches. Additional references include a full disclosure on SecLists (http://seclists.org/fulldisclosure/2025/Apr/28), proof-of-concept exploits on Exploit-DB (https://www.exploit-db.com/exploits/52478 and https://www.exploit-db.com/exploits/52480), and a detection script from Vicarius (https://www.vicarius.io/vsociety/posts/cve-2025-24054-spoofing-vulnerability-in-windows-ntlm-by-microsoft-detection-script).

Publicly available exploits indicate potential for real-world abuse, underscoring the need for prompt patching on affected Windows systems using NTLM.

Details

CWE(s)
CWE-73
KEV Date Added
17 April 2025

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20947 · ≤ 10.0.10240.20947
microsoft
windows 10 1607
≤ 10.0.14393.7876 · ≤ 10.0.14393.7876
microsoft
windows 10 1809
≤ 10.0.17763.7009 · ≤ 10.0.17763.7009
microsoft
windows 10 21h2
≤ 10.0.19044.5608 · ≤ 10.0.19044.5608 · ≤ 10.0.19044.5608
microsoft
windows 10 22h2
≤ 10.0.19045.5608 · ≤ 10.0.19045.5608 · ≤ 10.0.19045.5608
microsoft
windows 11 22h2
≤ 10.0.22621.5039 · ≤ 10.0.22621.5039
microsoft
windows 11 23h2
≤ 10.0.22631.5039 · ≤ 10.0.22631.5039
microsoft
windows 11 24h2
≤ 10.0.26100.3403 · ≤ 10.0.26100.3403
microsoft
windows server 2008
r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-26633Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24985Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24993Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24991Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-59230Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24990Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24984Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-21418Same product: Microsoft Windows 10 1607both on KEV
CVE-2025-21391Same product: Microsoft Windows 10 1507both on KEV
CVE-2026-20931Same product: Microsoft Windows 10 1607

References