SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24996

CVE-2025-24996: Windows 10 1507 Path Traversal Flaw

CVE-2025-24996 is a path traversal vulnerability in Windows 10 1507 NTLM that enables unauthorized attackers to perform spoofing attacks over a network. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-24996 Overview

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Critical Impact

This vulnerability poses a risk of spoofing attacks over a network, potentially leading to credential theft or unauthorized access.

Affected Products

  • Microsoft Windows 10 1507
  • Microsoft Windows 10 1607
  • Microsoft Windows 10 1809

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to Microsoft
  • Not Available - CVE CVE-2025-24996 assigned
  • Not Available - Microsoft releases security patch
  • 2025-03-11 - CVE CVE-2025-24996 published to NVD
  • 2025-07-03 - Last updated in NVD database

Technical Details for CVE-2025-24996

Vulnerability Analysis

This vulnerability arises from improper control of file paths or names within the Windows NTLM authentication protocol. An attacker could exploit this flaw by crafting a malicious request that manipulates file paths, leading to spoofing attacks.

Root Cause

The root cause is related to inadequate validation of user input in file paths within the NTLM authentication process, allowing external manipulation.

Attack Vector

Network-based exploitation by sending crafted NTLM authentication requests to the vulnerable system.

powershell
# Example exploitation code (sanitized)
Invoke-WebRequest -Uri "http://vulnerable-system/path?file=\malicious\payload" -UseBasicParsing

Detection Methods for CVE-2025-24996

Indicators of Compromise

  • Unusual file path requests in NTLM authentication logs.
  • Unexpected authentication errors.
  • Anomalous network traffic related to NTLM.

Detection Strategies

Leverage network monitoring tools to detect suspicious file path manipulation. Employ intrusion detection systems (IDS) that can recognize anomalous NTLM requests.

Monitoring Recommendations

Regularly inspect authentication logs for unusual file manipulations and monitor network traffic for signs of spoofing activities.

How to Mitigate CVE-2025-24996

Immediate Actions Required

  • Disable NTLM where not necessary.
  • Enforce strict input validation for file paths.
  • Monitor network traffic for suspicious patterns.

Patch Information

Refer to the Vendor Advisory for patch details and updates from Microsoft.

Workarounds

Implement network-level restrictions to limit exposure and use application whitelisting to prevent unauthorized access.

bash
# Configuration example
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMFobHidden" -Value 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne