CVERadar

CVE-2025-24054

Critical Severity
Microsoft
SVRS: 70/100
CVSSv3: 5.4/10
EPSS: 0.20729/1

CVE-2025-24054 allows spoofing on Windows systems via external control of file names in NTLM. This vulnerability enables unauthorized attackers to manipulate file paths, potentially leading to the execution of malicious code or disclosure of sensitive information. With an SVRS of 70, CVE-2025-24054 indicates a significant, though not critical, risk. The lower SVRS score suggests that while it's serious, it might not demand immediate action, but monitoring is crucial. This is because active exploits have been observed, making it actively dangerous. Exploitation could result in a loss of confidentiality, integrity, and availability of affected systems. Because this vulnerability is also tagged with "CISA KEV", patching should be prioritized. Its presence "In The Wild" means your organization could be a target.

Vendor-advisory, In The Wild, CISA KEV, Exploit Available
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
2025-03-11

2025-04-18

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability | https://www.cisa.gov/search?g=CVE-2025-24054 | 2025-04-17
xigney/CVE-2025-24054_PoC | https://github.com/xigney/CVE-2025-24054_PoC | 2025-04-18

News

Windows NTLM-Hash-Leak is actively exploited for attacks - Research Snipers
2025-04-21
Windows security gap is actively exploited by cybercriminals: even easy download or navigating to prepared .Library-MS files can be enough to steal NTLM password-hashes. The US authority CISA classifies the danger as so serious that it has issued a duty to remedy. Password-hashes theft enables security gap A security hole in Windows recently resolved by Microsoft, known as CVE-2025-24054 is currently being actively exploited by cybercriminals. This weak point affects all common Windows versions and enables stealing NTLM password-hashes with a
google.com
⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More - The Hacker News
2025-04-21
Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren't just tech issues — they're habits being exploited. Let
google.com
21st April – Threat Intelligence Report - Check Point Software
2025-04-21
For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahold Delhaize USA brands and services including e-commerce operations and pharmacies. Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC) Car rental giant Hertz has been a victim of a cyber-attack which resulted in
google.com
Cyber Security News Letter: Key Updates on Attacks, Vulnerabilities, & Data Breaches - CybersecurityNews
2025-04-21
By Guru Baran - Welcome to this week’s Cybersecurity Newsletter, where we provide the latest updates and critical insights from the swiftly changing realm of cybersecurity. This edition focuses on new threats and the evolving landscape of digital defenses. Key topics include sophisticated ransomware attacks and the growing impact of state-sponsored cyber operations on global security
cve-2021-20035
cve-2025-30100
cve-2025-24076
cve-2025-20236
Week in review: LLM package hallucinations harm supply chains, Nagios Log Server flaws fixed - Help Net Security
2025-04-20
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) Apple has released emergency security updates for iOS/iPadOS, macOS, tvOS and visionOS that fix two zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) that have been exploited “in an extremely sophisticated attack against specific targeted individuals on iOS.” When companies merge, so do their cyber threats For
google.com
Security Affairs newsletter Round 520 by Pierluigi Paganini – INTERNATIONAL EDITION
Pierluigi Paganini, 2025-04-20
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Attackers exploited SonicWall SMA appliances since January 2025 ASUS routers with AiCloud vulnerable to auth bypass exploit U.S. […]
securityaffairs.co
Attacks involving old SonicWall SMA100 vulnerability underway - SC Media
2025-04-18
April 18, 2025 Active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw, tracked as CVE-2021-20035, has been disclosed by SonicWall upon notification from one of its partners, Cybersecurity Dive reports. Investigation into the nature and extent of attacks leveraging the vulnerability, which could result in arbitrary code execution, is still underway, according to a SonicWall spokesperson. "While the vulnerability affects SMA100 devices running older firmware, we continue to urge customers to follow the mitigation steps
google.com

Social Media

CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download https://t.co/DwMVKSgzUB
This is all too common... a classic misalignment between vendor and in-the-wild reality. Microsoft rated CVE-2025-24054 as low exploitability. Threat actors weaponized it in just 8 days, now it's being used against governments and corporations. https://t.co/glHweZUFyF
🚨 Threat Alert: Windows NTLM Hash Disclosure Exploitation (CVE-2025-24054) 📅 Date: 2025-04-17 📆 Timeline: Active since March 19, 2025; multiple identified attack campaigns until March 25, 2025. 📍 Location: Poland, Romania 📌 Attribution: Attributed to threat actors linked
💻 When Microsoft deemed a bug 'low risk,' hackers treated it like a clearance sale! CVE-2025-24054 turned into a global shopping spree for cybercriminals. Who knew Patch Tuesday could lead to worldwide mayhem? #WindowsForum #CyberSecurity #PatchTuesday https://t.co/x12eQacgtv
@CheckPointSW found active exploits in the wild targeting a @Microsoft flaw designated as CVE-2025-24054. Administrators were advised to test and install Microsoft’s March security fixes to prevent exploitation. #cybersecurity #infosec #ITsecurity https://t.co/uuspDtpWKG
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-24054 #Microsoft #Windows NTLM Hash Disclosure Spoofing Vulnerability https://t.co/ZiNAYXy7uW
Hopefully you've patched CVE-2025-24054. Whilst on the topic, as far as NTLM disclosure is concerned for REMOTE attackers, block SMB on egress (if someone's already inside then you've got bigger problems). Kinda shouldn't need to be said in 2025 but kinda needs to be said 🤷‍♂️
CVE-2025-24054 is now under active attack. Threat actors are using malicious .library-ms files to steal NTLM hashes with minimal user interaction — sometimes just by downloading a file. Legacy protocols = easy targets. Patch now. #CyberSecurity #CVE202524054 https://t.co/VNSIVA4NO8
CVE-2025-24054 was patched in Microsoft’s March 11 update, but just over a week later, threat actors began exploiting this NTLM Hash Disclosure Spoofing vulnerability in the wild. Stay patched. https://t.co/3ZEowvDWRh
#AlertaSeguridad #AlertaInformática Windows alert: NTLM vulnerability (CVE-2025-24054) exploited for hash theft https://t.co/rHguvmkfqc

Affected Software

Configuration 1
Type | Vendor | Product
OS | Microsoft | windows_server_2008
OS | Microsoft | windows_server_2012

References

Reference | Link
[email protected] | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
NTLM HASH DISCLOSURE SPOOFING VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054

CWE Details

CWE ID | CWE Name | Description
CWE-73 | External Control of File Name or Path | The software allows user input to control or influence paths or file names that are used in filesystem operations.
