CVE-2025-24054 (Windows NTLM Hash Disclosure Spoofing Vulnerability)

6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

📋 TL;DR

This vulnerability in Windows NTLM (CWE-73, external control of file name or path) lets a remote, unauthenticated attacker spoof a file path so that a victim who handles a crafted file causes Windows to authenticate over SMB to an attacker-controlled server. The attacker captures the victim's NTLMv2 challenge response ("NTLM hash"), which can be cracked offline or relayed to other services that accept NTLM. User interaction is required (the victim must open, extract, or browse to the crafted file), but no credentials are needed and the attack crosses network boundaries, which is why Microsoft classifies it as spoofing with high confidentiality impact.

💻 Affected Systems

Products:
  • Windows NTLM implementation (the Windows client that initiates outgoing NTLM authentication)
Versions: Supported Windows releases listed in the Microsoft advisory; each has its own KB and fixed OS build
Operating Systems: Windows Server and Windows client releases
Default Config Vulnerable: ⚠️ Yes (outgoing NTLM is allowed by default)
Notes: Any system that can still send NTLM to remote servers is exposed; workstations that receive files from untrusted sources (email, downloads, shares) are the realistic targets. Check the Microsoft advisory for exact version details.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A captured NTLMv2 response for a privileged account is cracked offline or relayed to a service without SMB signing or Extended Protection, giving the attacker an authenticated foothold, lateral movement across the network, and eventual escalation to domain administrator.

🟠 Likely Case

Credential harvesting from workstations whose users open a crafted file, followed by unauthorized access to file shares and other NTLM-accepting resources and data exfiltration.

🟢 If Mitigated

Limited impact when outbound SMB (TCP 445) to the Internet is blocked, outgoing NTLM is restricted or audited, SMB signing and Extended Protection for Authentication are enforced on servers, and NTLM logons are monitored; the leak is then contained to the internal network and relay targets are hardened.

🌐 Internet-Facing: MEDIUM - NTLM is primarily internal, but the leak is triggered from inside and travels outbound: if workstations can reach TCP 445 on the Internet, an external attacker can collect hashes with nothing more than a delivered file.
🏢 Internal Only: HIGH - Most exploitation occurs on internal networks where NTLM is still widely accepted and captured hashes can be relayed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: ⚠️ Yes (exploited in the wild; added to the CISA Known Exploited Vulnerabilities catalog)
Unauthenticated Exploit: ⚠️ Yes (no credentials required; the victim must interact with a crafted file)
Complexity: MEDIUM

Exploit code is publicly available and in-the-wild campaigns have delivered the crafted files inside archives, so any attacker who can get a file in front of a user and run an SMB listener the victim can reach has what they need.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2025 Windows security updates; the KB number and fixed OS build differ per Windows version, see the advisory

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify patch installation via Windows Update history (or the installed-update and OS-build checks below).

🔧 Temporary Workarounds

Restrict outgoing NTLM authentication (windows)

Replace NTLM with Kerberos authentication where possible, and deny or audit outgoing NTLM to remote servers so a coerced authentication never leaves the host. Start in audit mode and review the NTLM Operational log before switching to deny, because legacy file servers and appliances frequently still depend on NTLM.

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (use "Add remote server exceptions for NTLM authentication" for servers that still need it)

Block outbound SMB to the Internet (all)

Block TCP 445 from workstations to Internet addresses at the host firewall and at the perimeter; the captured hash has to reach the attacker's SMB listener, and this cuts that path for external attackers.

Network segmentation (all)

Isolate systems that still require NTLM from critical network segments and enforce SMB signing and Extended Protection for Authentication on servers so a captured hash cannot be relayed.
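The three host-level workarounds above, applied from an elevated PowerShell session. This is an added example and not code from the original page or from Microsoft; the registry values mirror the Group Policy settings named above, and the hostname in the exception list is an assumed placeholder.

```powershell
# Added example (not from the original page or Microsoft). Run as Administrator.
# Applies the workarounds: audit/deny outgoing NTLM, allow-list servers that
# still need it, and block SMB (TCP 445) from this host to Internet addresses.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Backs "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
function Set-OutgoingNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "Outgoing NTLM policy set to $Mode ($value)"
}

# Backs "Add remote server exceptions for NTLM authentication" (ClientAllowedNTLMServers).
function Add-NtlmServerException {
    param([Parameter(Mandatory)][string[]]$Servers)
    New-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -PropertyType MultiString -Value $Servers -Force | Out-Null
    Write-Host "NTLM exceptions: $($Servers -join ', ')"
}

# Host firewall rule: no SMB from this machine to the Internet address set,
# so a coerced authentication cannot reach an attacker-controlled listener.
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB to Internet (NTLM leak mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    Write-Host "Firewall rule present: $name"
}

# Audit first: blocked-would-be events land in
# Applications and Services Logs > Microsoft > Windows > NTLM > Operational (Event ID 8001).
# Switch to -Mode Deny once that log shows only expected servers.
Set-OutgoingNtlmPolicy -Mode Audit
Add-NtlmServerException -Servers 'legacy-fs01.corp.example'   # assumed hostname, replace with yours
Block-OutboundSmbToInternet
```

The registry path and value names are the ones the Group Policy editor writes; in a domain, set the same policies through a GPO rather than per host. The `Internet` address keyword in the firewall rule covers everything outside the local subnets and intranet ranges Windows knows about, which is the right scope here: SMB to internal file servers keeps working, SMB to an attacker's public listener does not.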

🧯 If You Can't Patch

  • Block outbound TCP 445 to the Internet at the perimeter and on host firewalls so captured hashes cannot leave the network
  • Restrict or at least audit outgoing NTLM on workstations and enforce SMB signing and Extended Protection for Authentication on servers to blunt relay
  • Implement strict network segmentation to isolate systems that still require NTLM
  • Enable enhanced logging and monitoring for NTLM authentication attempts (Security 4624/4625 with authentication package NTLM, 4776 on domain controllers, and the NTLM Operational log)

🔍 How to Verify

Check if Vulnerable:

Compare the OS build (major build plus UBR, e.g. the "OS Build" shown by winver) against the fixed build listed in the Microsoft advisory for that Windows version, and confirm the corresponding KB is installed. Separately, review whether outgoing NTLM is still allowed, since that is what makes the leak exploitable.

Check Version:

wmic os get caption,version,buildnumber

Note that wmic is deprecated and absent by default on recent Windows 11 releases, and that it reports only the major build, not the UBR that distinguishes a patched from an unpatched image; the registry-based check below reports both.

Verify Fix Applied:

Confirm Windows Update history (or Get-HotFix) lists the KB from the advisory and that the OS build is at or above the fixed build. Then confirm the NTLM-related settings are as intended: outgoing NTLM restricted or audited, LmCompatibilityLevel at 5 (NTLMv2 only), and SMB client signing required.
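A single PowerShell check that reports the full OS build, whether the advisory's KB is installed, and the NTLM hardening state. This is an added example and not from the original page or Microsoft; the KB number and fixed UBR are placeholders to be taken from the MSRC advisory for the Windows version being checked.

```powershell
# Added example (not from the original page or Microsoft).
# Fill both values from the MSRC advisory for this host's Windows version.
$FixedKb  = 'KB0000000'   # ASSUMPTION: placeholder, replace with the advisory's KB
$FixedUbr = 0             # ASSUMPTION: placeholder, replace with the last number of the fixed "OS Build"

# Major build and UBR from the registry: works on every supported release, unlike wmic.
function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product = $cv.ProductName
        Build   = [int]$cv.CurrentBuildNumber
        Ubr     = [int]$cv.UBR
        Full    = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
}

# Cumulative updates appear in Get-HotFix under their KB id.
function Test-UpdateInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

# The settings that decide whether a leaked authentication is NTLMv2, leaves the host, or can be relayed.
function Get-NtlmHardening {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel       = $lsa.LmCompatibilityLevel        # 5 = send NTLMv2 only, refuse LM/NTLM
        RestrictSendingNTLMTraffic = $msv.RestrictSendingNTLMTraffic  # 1 = audit, 2 = deny outgoing NTLM
        ClientAllowedNTLMServers   = $msv.ClientAllowedNTLMServers    # exception list, if any
        RequireSmbClientSigning    = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}

$os = Get-OsBuild
Write-Host "$($os.Product) build $($os.Full)"

if ((Test-UpdateInstalled -Kb $FixedKb) -or ($os.Ubr -ge $FixedUbr)) {
    Write-Host "PATCHED: $FixedKb installed or build $($os.Full) is at/above fixed UBR $FixedUbr"
} else {
    Write-Host "VULNERABLE: $FixedKb not found and UBR $($os.Ubr) is below $FixedUbr"
}

Get-NtlmHardening | Format-List
```

Absent registry values print as empty, which means the Windows default applies (outgoing NTLM allowed, LmCompatibilityLevel 3 on modern releases). Treat an empty RestrictSendingNTLMTraffic on an unpatched host as the worst case, not as "not configured".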

📡 Detection & Monitoring

Log Indicators:

  • NTLM network logons (Security 4624/4625, logon type 3, authentication package NTLM) on servers and domain controllers from workstations or IP addresses that do not normally authenticate to them, which is what a relayed hash looks like on the target
  • Repeated failed NTLM authentication for the same account from a single source, consistent with replaying a captured response
  • NTLM Operational log Event ID 8001 (outgoing NTLM audited or blocked) on workstations pointing at hosts that are not known file servers
  • Domain controller 4776 (NTLM credential validation) for a user whose workstation has not produced a matching interactive logon

Network Indicators:

  • Outbound SMB (TCP 445) from workstations to public or otherwise unexpected IP addresses, the attacker's listener collecting the hash
  • NTLM authentication attempts to services that should only see Kerberos
  • Files delivered in archives that reference UNC paths to external hosts

SIEM Query:

source="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) Logon_Type=3 Authentication_Package=NTLM | stats count dc(user) AS users BY src_ip | sort -count

Field names above follow the Splunk Add-on for Windows extractions (Logon_Type, Authentication_Package, src_ip, user); adjust to your source's field names. Restricting to logon type 3 drops local and interactive logons so the result is a ranked list of sources performing NTLM network authentication, with the number of distinct accounts each tried.
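The same two detections run directly on a host with PowerShell: NTLM network logons on a server or domain controller, and outbound SMB to public addresses on an endpoint that has Sysmon installed. This is an added example, not code from the original page or from Microsoft; it assumes the Security log is retained long enough to cover the window and that Sysmon Event ID 3 (network connection) logging is enabled.

```powershell
# Added example (not from the original page or Microsoft). Run elevated on the host being examined.

# RFC 1918, loopback and link-local ranges count as internal; everything else is "public".
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($a[0] -eq 10) -or
    ($a[0] -eq 172 -and $a[1] -ge 16 -and $a[1] -le 31) -or
    ($a[0] -eq 192 -and $a[1] -eq 168) -or
    ($a[0] -eq 127) -or
    ($a[0] -eq 169 -and $a[1] -eq 254)
}

# Flattens the EventData of a Windows event into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# Detection 1 (run on the relay target or a DC): NTLM network logons ranked by source and account.
function Get-NtlmNetworkLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Outcome     = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            }
        }
    } | Group-Object Source, User, Outcome | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source, User, Outcome'; e = { $_.Name } }
}

# Detection 2 (run on a workstation with Sysmon): SMB connections initiated towards public IPv4 addresses.
function Get-OutboundSmbToPublic {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.Initiated -eq 'true' -and $d.DestinationPort -eq '445' -and
            $d.DestinationIsIpv6 -eq 'false' -and -not (Test-PrivateIPv4 $d.DestinationIp)) {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Image = $d.Image
                User  = $d.User
                Dest  = "$($d.DestinationIp):$($d.DestinationPort)"
            }
        }
    }
}

Write-Host '== NTLM network logons (last 24h) =='
Get-NtlmNetworkLogons | Format-Table -AutoSize
Write-Host '== Outbound SMB to public addresses (last 24h) =='
Get-OutboundSmbToPublic | Format-Table -AutoSize
```

On a workstation, any hit from the second function is worth an investigation on its own: Windows has no legitimate reason to speak SMB to a public IP. On a server, the first function is a baseline tool; compare its output against the hosts and accounts that normally authenticate with NTLM and look for new sources, especially ones whose Workstation field does not match the Source address.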

🔗 References

  • Microsoft Security Response Center, CVE-2025-24054: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog