CVE-2025-24054 NTLM Credentials Stolen on File Download

-

There is a newly identified vulnerability in Microsoft Windows, designated as CVE-2025-24054, and it is currently being exploited in the wild. This flaw pertains to the NTLM (New Technology LAN Manager) authentication protocol and allows unauthorized attackers to perform spoofing attacks over a network by exploiting external control of file names or paths.​

Understanding CVE-2025-24054

CVE-2025-24054 is a spoofing vulnerability that arises from improper handling of file names or paths in Windows NTLM. An attacker can exploit this vulnerability by sending specially crafted network requests, potentially leading to the disclosure of sensitive information such as NTLM hashes. This could allow the attacker to impersonate legitimate users or services, leading to unauthorized access to network resources.​

The vulnerability has been assigned a CVSS v3.1 base score of 6.5, indicating a medium severity level. The attack vector is over the network, requires low attack complexity, and does not necessitate any privileges. However, user interaction is required for successful exploitation. The primary impact is on confidentiality, with no direct impact on integrity or availability. ​

Active Exploitation and Impact

Reports indicate that this vulnerability is under active exploitation. Attackers are leveraging this flaw to conduct spoofing attacks, potentially leading to unauthorized access and data breaches. Given the nature of NTLM and its widespread use in Windows environments, the impact of such exploitation can be significant, especially in enterprise networks where NTLM is commonly used for authentication.​

Mitigation and Recommendations

Microsoft has released security updates to address this vulnerability. Users and administrators are strongly advised to apply the latest patches provided by Microsoft to mitigate the risk associated with CVE-2025-24054. The updates are available for various versions of Windows, including Windows 10, Windows 11, and Windows Server editions. ​

In addition to applying patches, organizations should consider the following best practices:​

  1. Audit and Monitor: Regularly audit authentication logs and monitor for unusual activities that may indicate attempted exploitation.​
  2. Limit NTLM Usage: Where possible, reduce or eliminate the use of NTLM in favor of more secure authentication protocols like Kerberos.​
  3. User Education: Educate users about the risks of interacting with unsolicited network requests or prompts that may lead to credential disclosure.​

Conclusion

The active exploitation of CVE-2025-24054 underscores the importance of timely patch management and vigilance in monitoring network activities. Organizations should prioritize the application of security updates and review their authentication mechanisms to ensure they are not susceptible to such spoofing attacks.​


For detailed information and updates, refer to Microsoft's official security advisory.

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Splunk: Cybersecurity Dynamics Rapidly Changing

-
Image
  A survey of 1,520 cybersecurity and IT leaders published today found more than half (52%) reporting their organization suffered a data breach in the past two years, with 62% experiencing monthly unplanned downtime attributable to a cybersecurity incident. The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Splunk , also found that, on average, it takes 2.4 months to discover bad actors on corporate networks. Over a third (39%) of the respondents said cybersecurity incidents have directly harmed their competitive position, with 31% also noting those incidents have reduced shareholder value. As a result, cybersecurity budgets are increasing, with 95% of respondents reporting their security budgets will increase over the next two years, with 56% describing those increases as significant. The survey also found 81% of respondents are working for organizations that are converging aspects of their security and IT operations. Respondents believe this conver...
Read more

vSphere DR and Migration Improvements

-
Image
  Since introducing the support for dedicated vSphere clouds as a replication destination, we have extended the list of available features with every new release. This one is no exception and brings several significant improvements: Recovery Plans to define the failover order of the replicated VMs the same way it is done for VMware Cloud Director clouds Bandwidth throttling to enforce traffic limits on a specific network interface of the Tunnel appliance Public API, which was missing before.  In VMware Cloud Director Availability 4.3.1, we enabled migrating templates from one catalog to another in the same or a remote VMware Cloud Director cloud. In 4.6, we enhanced that feature to check for template changes and perform an automated migration if a modification is detected. It can result in overwriting the existing template at the destination catalog or creating a newer version. Along with all mentioned, we have also improved product management and operability.  For clouds...
Read more