CVE-2025-24054

Published Mar 11, 2025

Last updated 8 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-24054 is a vulnerability in Windows NTLM that involves external control of the file name or path, potentially allowing an unauthorized attacker to perform spoofing over a network. The vulnerability can be exploited using a maliciously crafted .library-ms file. Active exploitation of CVE-2025-24054 has been observed in the wild since March 19, 2025. Attackers can potentially leak NTLM hashes or user passwords, compromising systems. Exploitation can be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to a folder containing the malicious file.

Description: External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
Source: secure@microsoft.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.4
Impact score: 2.5
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Severity: MEDIUM

Known exploits

Data from CISA

Vulnerability name: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
Exploit added on: Apr 17, 2025
Exploit action due: May 8, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@microsoft.com: CWE-73

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 8

  1. Windows flaw CVE-2025-24054 actively exploited since March 19 to leak NTLM hashes via phishing attacks. Learn more: https://t.co/cz7ZuKOAmI #phishing #attacks #windows

    @thehlayer

    25 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Windows users: CVE-2025-24054 is being actively exploited! Just viewing a malicious file can leak your credentials—no clicks needed. Find out how to protect your network now before it’s too late! 🔒 #CyberSecurityAlert https://t.co/pSWhsNhS5H

    @cheinyeanlim

    25 Apr 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. We added the following vulnerabilities to our feed: - UNDISCLOSED: Microsoft Management Console - CVE-2025-24054: Windows File Explorer NTLM Leak - CVE-2025-24985: Windows FAT DoS - CVE-2023-36205: Zemana AntiMalware LPE - CVE-2021-21551: Dell Driver LPE https://t.co/iKW6swSCtZ

    @crowdfense

    24 Apr 2025

    2079 Impressions

    6 Retweets

    14 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  4. In this week’s episode of “The Weekly Purple Team,” we deep-dive into CVE-2025-24054, which can be exploited by unzipping or touching a library-ms file. Threat actors have actively used this exploit, which is pretty novel. Check it out! https://t.co/1LiKwM1LbR

    @BriPwn

    24 Apr 2025

    357 Impressions

    2 Retweets

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    24 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. CRITICAL SECURITY ALERT in Windows! 'Zero-Click' NTLM Credential Theft CVE-2025-24054 Explained: This flaw allows the silent capture of NTLMv2 hashes when a user simply downloads a malicious file that references a remote resource. https://t.co/XOfQzYA2u

    @AlexCalvillo_SI

    22 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    22 Apr 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

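  8. [Sad news] A vulnerability for which Microsoft said "the likelihood of exploitation is low" ends up being exploited 8 days after disclosure. NTLM hash leak vulnerability CVE-2025-24054. Reported by Check Point. A ZIP containing a malicious .library-ms file hosted on Dropbox was used in phishing emails. https://t.co/GLxRAOanbn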

    @__kokumoto

    22 Apr 2025

    6528 Impressions

    55 Retweets

    127 Likes

    34 Bookmarks

    0 Replies

    2 Quotes

  9. 🛑 Windows: this NTLM exploit is being used to target companies and governments 🔎 Exploitation of CVE-2025-24054 relies on the use of malicious .library-ms files 👉 More info: https://t.co/peTQcPvqp2 #phishing #windows #infosec https://t.co/peTQcPvqp2

    @ITConnect_fr

    22 Apr 2025

    92 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Microsoft's NTLM Vulnerability (CVE-2025-24054)! Actively Being Exploited https://t.co/yLKjqtOQxS https://t.co/VGJifHtmlU

    @cozumpark

    22 Apr 2025

    186 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. @Microsoft said initially a low vulnerability CVE-2025-24054, #hackers see this as a major vulnerability; NTLM Hash spoofing https://t.co/ezJSGgQepx

    @PeterJopling

    22 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 2025 Bug Bounties! Hunt: CVE-2025-30406: Gladinet key CVE-2025-29824: Windows EoP CVE-2025-24054: NTLM theft CVE-2025-24813: Tomcat bug CVE-2025-32433: SSH RCE Burp, Amass. Big bounties! Get Bug Bounty Guide 2025! #BugBounty #VulnHunting2025 https://t.co/tin4q4LnYa

    @Viper_Droidd

    21 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-24054 #Microsoft #Windows NTLM Hash Disclosure Spoofing Vulnerability https://t.co/ZiNAYXy7uW

    @ScyScan

    21 Apr 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 #NTLM exploited, again. CVE-2025-24054 shows why @Microsoft is urging a move to #Kerberos. Visuality Systems offers secure, Kerberos-ready #SMBprotocol libraries to support your transition. https://t.co/UtkY1sAVaY

    @Visuality_NQ

    21 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    21 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. CVE-2025-24054 is now under active attack. Threat actors are using malicious .library-ms files to steal NTLM hashes with minimal user interaction — sometimes just by downloading a file. Legacy protocols = easy targets. Patch now. #CyberSecurity #CVE202524054 https://t.co/VNSIVA4N

    @Shift6Security

    21 Apr 2025

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  17. CVE-2025-24054 Under Active Attack: Stealing NTLM Credentials during File download #technewsy #technews #cybersecuritynews https://t.co/FcDwwWParT

    @RamananTechPro

    21 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. #AlertaSeguridad #AlertaInformática Windows alert: NTLM vulnerability (CVE-2025-24054) exploited for hash theft https://t.co/rHguvmkfqc

    @sinelo1968

    20 Apr 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Active attacks on CVE-2025-24054: NTLM hashes stolen during file download #Cybersecurity #Cybersecurity_News #اخبار_امنیت_سایبری #CVE_2024_43451 #CVE_2025_24054 #مایکروسافت #Microsoft #NTLM https://t.co/dVnNpRDvrL

    @vulnerbyte

    20 Apr 2025

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2025-24054 : Under Active Attack Steals NTLM Credentials on File Download https://t.co/F5D5gzwu5y

    @freedomhack101

    20 Apr 2025

    40 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    20 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. Windows vulnerability CVE-2025-24054 is being actively exploited. Merely downloading or navigating to crafted .library-ms files can steal NTLM password hashes. #Windows #Cybersecurity https://t.co/DM0xwV7aDv

    @WinFuture

    20 Apr 2025

    302 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Unmasking CVE-2025-24054: The Cyber Threat in Action! https://t.co/df8zuUGjel https://t.co/XFiUvTbV1a

    @wavasec

    20 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚫 Today's latest cybersecurity news: new threats, important updates, and advanced technologies 1. CVE-2025-24054 vulnerability under active attack. The US cybersecurity agency warns of exploitation of a new Windows vulnerability used to extract NTLM data when files are downloaded. Affected systems must be updated immediately

    @1CyberSBot

    20 Apr 2025

    497 Impressions

    0 Retweets

    6 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  25. CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download https://t.co/GduCOUdYaY

    @_iTs_sUb_

    20 Apr 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. #Windows alert: NTLM #vulnerability (CVE-2025-24054) exploited for hash theft https://t.co/L4ODgq5GdZ

    @ethhack

    20 Apr 2025

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. #muddywater CVE-2025-24054 https://t.co/GlVDUbpdiV

    @blackorbird

    20 Apr 2025

    4385 Impressions

    12 Retweets

    40 Likes

    12 Bookmarks

    0 Replies

    0 Quotes

  28. CVE-2025-24054 is under active exploitation, allowing NTLMv2 hash theft via malicious .library-ms files. Minimal user interaction, like viewing the file, can trigger the exploit. https://t.co/qWisb6QSr5 #CyberSecurity #WindowsVulnerability #CVE202524054​Daily CyberSecurity+7

    @CybersecSntl

    19 Apr 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CISA added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, assigned CVE-2025-24054 (CVSS score: 6.5). https://t.co/RHyPres5FV https://t.co/XH

    @riskigy

    19 Apr 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download https://t.co/RHVX6P0zi8

    @matrixcyberlabs

    19 Apr 2025

    33 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    19 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Windows alert: NTLM vulnerability (CVE-2025-24054) exploited for hash theft https://t.co/tH2hEwTofh

    @unaaldia

    19 Apr 2025

    555 Impressions

    6 Retweets

    8 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  33. 🔐 CVE-2025-24054 Windows Vulnerability Under Active Attack – Protect Your NTLM Credentials Now! https://t.co/2qcbwBgRzb https://t.co/7f7UfBBtS7

    @AsmaJiniya52642

    19 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. •CVE-2025-24054 is now under active exploitation.• Attackers are leveraging malicious .library-ms files to capture NTLM hashes with minimal user interaction. CISA has listed it in the Known Exploited Vulnerabilities catalog. •Ensure your systems are patched immediately. https:

    @redfoxsec

    19 Apr 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Actively exploited CVE : CVE-2025-24054

    @transilienceai

    18 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. A Windows vulnerability, CVE-2025-24054, exposing NTLM hashes via .library-ms files, is being exploited in phishing attacks targeting government entities and private companies. https://t.co/jBy1cZVWUq

    @securityRSS

    18 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. CVE-2025-24054, an NTLM hash disclosure vulnerability in Windows, is under active attack. Organizations must patch promptly to prevent exploitation. #CyberSecurity #WindowsVulnerability #NTLM https://t.co/oXm6blTFMR

    @dailytechonx

    18 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054) #CVE202524054 #CyberSecurity #Microsoft #MicrosoftWindows #NTLM https://t.co/K8IJWPdSBC https://t.co/tMhTijquer

    @SystemTek_UK

    18 Apr 2025

    54 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  39. The #vulnerability CVE-2025-24054 is under active attack, allowing the theft of #NTLM credentials through file downloads https://t.co/QrNo4N22og

    @Masterhacks_net

    18 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. New Windows NTLM vulnerability (CVE-2025-24054) exploited in attacks on government and private institutions. Apply March 2025 patches and enhance security measures. #CyberSecurity #WindowsVulnerability https://t.co/s3o2dJDawp

    @dailytechonx

    18 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 🚨 CVE-2025-24054 is now actively exploited — and it only takes a single click to leak your NTLM credentials. No file execution. Just previewing a .library-ms file is enough. 👇 https://t.co/dDvqJZo5Av

    @efani

    18 Apr 2025

    259 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. 🚨 CVE-2025-24054: A critical NTLM spoofing flaw in Windows is being actively exploited. No auth needed — attackers just need to be on the same network. Patch now! Details 👇 🔗 https://t.co/Qgquws3qZz #CyberSecurity #CVE202524054 #Windows #InfoSec #CISA #PatchNow

    @threatsbank

    18 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Critical Windows Flaw Exploited to Steal NTLM Hashes Hackers are actively exploiting a patched Windows vulnerability (CVE-2025-24054) involving .library-ms files to steal user NTLM hashes. Update now! https://t.co/LkHGsw6NvG

    @the_yellow_fall

    18 Apr 2025

    1000 Impressions

    11 Retweets

    37 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  44. Windows NTLM vulnerability exploited in phishing attacks (CVE-2025-24054) https://t.co/0k1VE9gPeC

    @SeguInfo

    18 Apr 2025

    1343 Impressions

    6 Retweets

    15 Likes

    10 Bookmarks

    1 Reply

    1 Quote

  45. ⚠️ Windows NTLM Flaw Exploited in Gov’t Phishing Attacks CVE-2025-24054 leaks NTLM hashes via malicious .library-ms files—linked to APT28. Patch ASAP & watch auth logs! https://t.co/TgRKFzq29E #cybersecurity #Windows #APT28

    @dCypherIO

    18 Apr 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 🚨 Security Alert: CVE-2025-24054 in Microsoft Windows is under active attack, allowing NTLM credential theft with minimal user action. Immediate patching is advised! #WindowsSecurity #NTLM #USA link: https://t.co/ea9gvEi9bU https://t.co/Q5jz4A8sU4

    @TweetThreatNews

    18 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. CVE-2025-24054 and the active exploitation of NTLM: silent vulnerabilities in Windows Cybersecurity, .library-ms, attack 2025, CVE-2024-43451, CVE-2025-24054, disclosure, NTLM, NTLMv2, pass-the-hash, path vulnerability, PHISHING, SMB relay, spoofi… https://t.co/zgdhKuYCol

    @matricedigitale

    18 Apr 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. 🗞️ Windows NTLM Hash Leak Vulnerability Exploited in Phishing Attacks Targeting Governments A Windows flaw (CVE-2025-24054) leaking NTLM hashes via .library-ms files is being exploited in phishing campaigns targeting governments in Poland and Romania. Patched in March 2025, htt

    @gossy_84

    18 Apr 2025

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 🚨 CVE-2025-24054 added to CISA’s KEV list—actively exploited Windows flaw leaking NTLM hashes via file downloads. Patch ASAP! 🔐 Details: https://t.co/MYrNcf675C #CyberSecurity #CVE202524054 https://t.co/MYrNcf675C

    @SalvadorCloud

    18 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨Windows NTLM Flaw (CVE-2025-24054) under attack! Hackers exploit it to steal credentials via phishing & malicious .library-ms files. Patched Mar 11, 2025, but campaigns hit globally since Mar 19. Patch NOW, restrict NTLM, & avoid unknown files! 🔒#Cybersecurity #Windows

    @SecurEpitome

    18 Apr 2025

    7 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations