CVE-2025-24054 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability

Exploit added

April 17, 2025

Action due

May 8, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054

Weakness Enumeration

CWE-ID	CWE Name
CWE-73	External Control of File Name or Path

Known Affected Software Configurations

cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1009::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.763::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1128::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1251::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1085::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1085::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1009::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.950::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1189::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.763::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.950::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.887::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.830::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.887::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1251::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1189::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1128::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.830::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1085::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.887::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.950::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1251::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1189::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1009::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.1128::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.763::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:10.0.25398.830::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2402::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2402::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2849::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2322::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2340::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2322::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2461::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2461::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2582::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2849::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2340::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2700::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2700::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2655::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2582::::standard::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2655::::datacenter::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2458::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2522::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2461::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2582::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2340::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2333::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.770::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.1903::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2322::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2402::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2849::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2655::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2700::::azure::x64:*
cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.7009::::::x64:
cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.7876::::::x64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5608::::::x64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5608::::::x86:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5608::::::arm64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2965::::::x86:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3403::::::arm64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3403::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.5039::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.5039::::::arm64:
cpe:2.3:o:microsoft:windows_11_22h2:10.0.22621.5039::::::arm64:
cpe:2.3:o:microsoft:windows_server_2025:10.0.26100.3403::::::x64:
cpe:2.3:o:microsoft:windows_server_2025:10.0.26100.3107::::::x64:
cpe:2.3:o:microsoft:windows_11_22h2:10.0.22621.5039::::::x64:
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.5608::::::x64:
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.5608::::::x86:
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.5608::::::arm64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5487::::::x86:
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.6893::::::x86:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5487::::::arm64:
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.6775::::::x64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5371::::::x86:
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.6893::::::x64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5487::::::x64:
cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.7699::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22621.4751::::::arm64:
cpe:2.3:o:microsoft:windows_10_1607:10.0.10240.20915::::::x86:
cpe:2.3:o:microsoft:windows_10_1607:10.0.10240.20915::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.4890::::::arm64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5371::::::arm64:
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20890::::::x64:
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20890::::::x86:
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20915::::::x64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3194::::::arm64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3107::::::x64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.2894::::::x64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.2894::::::arm64:
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.20915::::::x86:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3194::::::x64:
cpe:2.3:o:microsoft:windows_11_24h2:10.0.26100.3107::::::arm64:
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.5371::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.4751::::::x64:
cpe:2.3:o:microsoft:windows_11_23h2:10.0.22631.4890::::::x64:
cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.7785::::::x64:

Details

Source:
NVD

Published:
March 11, 2025

Updated:
April 18, 2025

Risk information

CVSS v3

Base score:
6.5

Severity:

MEDIUM

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v2

Not defined