Wednesday, May 7, 2025

CISA Warns of Active Exploitation of Windows NTLM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.

The flaw affects Windows’ NTLM authentication protocol, creating an opportunity for unauthorized attackers to infiltrate systems via a spoofing vulnerability.

Overview of the Vulnerability

CVE-2025-24054, officially designated as a “Windows NTLM Hash Disclosure Spoofing Vulnerability,” is categorized under CWE-73: External Control of File Name or Path.

This vulnerability allows threat actors to externally control the file name or path used by Windows NTLM, potentially causing the inadvertent disclosure of hashed credentials over a network connection.

According to Microsoft’s advisory, an attacker—positioned on the same network as the victim—could exploit this vulnerability to perform credential spoofing.

By controlling the target’s file name or path, malicious actors may gain unauthorized access to sensitive systems or escalate privileges, all without the need for prior authorization.

CISA’s alert is significant: it indicates the vulnerability is not just theoretical, but is being actively exploited in the wild.

While there is currently no public evidence linking the flaw to existing ransomware campaigns, CISA notes that the attack vector is of particular concern because credential-based attacks play a central role in modern cybercrime.

“Active exploitation of this vulnerability poses a severe risk to both government and private sector organizations,” CISA wrote in its bulletin.

“Immediate action is required to prevent potential data breaches and lateral movement within affected networks.”

CISA urges organizations to follow Microsoft’s published mitigation guidance without delay. Recommended steps include:

  • Apply the latest patches and security updates provided by Microsoft for all affected Windows systems.
  • Review and adhere to applicable guidance under BOD 22-01, particularly for cloud service environments.
  • Discontinue the use of vulnerable products if no mitigations or updates are available.

The agency also recommends routine monitoring for unusual credential activity and implementing network segmentation to limit the impact of potential breaches.
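The monitoring CISA recommends can be made concrete with two cheap checks that a defender would run over existing telemetry. The script below is an added example and is not part of the CISA bulletin, the Microsoft advisory, or this article: it flags (1) SMB (TCP/445) connections leaving the internal address space, which is the typical tail end of an NTLM hash-disclosure bug, where the victim host authenticates to a server the attacker controls, and (2) NTLM network logons (Event ID 4624, logon type 3) whose source address is not an internal one. The flow-record and event-log formats, the field names, the hostnames, accounts and IP addresses are all constructed for the demo; real Windows events and firewall exports carry more fields and would need their own parser.

```python
import ipaddress
import re
from dataclasses import dataclass

# Address ranges treated as "internal" for this check: RFC 1918 private space,
# loopback and link-local. Defined explicitly (rather than via ipaddress.is_private)
# so that the RFC 5737 documentation addresses used in the constructed samples
# below count as external, as a real internet address would.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed egress-firewall flow records (hypothetical format:
# "timestamp src_ip dst_ip dst_port proto"). Made-up data, not real logs.
SAMPLE_FLOWS = """\
2025-05-07T09:12:01Z 10.20.30.41 10.20.30.5 445 tcp
2025-05-07T09:12:09Z 10.20.30.41 203.0.113.77 445 tcp
2025-05-07T09:13:15Z 10.20.30.52 198.51.100.10 443 tcp
2025-05-07T09:14:02Z 10.20.30.52 203.0.113.77 445 tcp
2025-05-07T09:14:30Z 10.20.30.60 192.168.5.9 80 tcp
"""

# Constructed Windows Security log excerpt (Event ID 4624 = successful logon).
# Only the fields this check needs are modelled, as key=value pairs.
SAMPLE_LOGONS = """\
4624 LogonType=3 AuthPkg=NTLM Account=alice Workstation=WS-041 SrcIp=10.20.30.41
4624 LogonType=3 AuthPkg=Kerberos Account=bob Workstation=WS-052 SrcIp=10.20.30.52
4624 LogonType=3 AuthPkg=NTLM Account=alice Workstation=WS-041 SrcIp=203.0.113.77
4624 LogonType=2 AuthPkg=NTLM Account=svc-backup Workstation=SRV-01 SrcIp=127.0.0.1
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the address falls outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_smb_to_internet(flows: str) -> list[Finding]:
    """Flag TCP/445 connections from internal hosts to external destinations.

    A client coaxed into leaking an NTLM hash ends up authenticating to a remote
    server, so SMB egress to the internet is a high-signal indicator worth
    alerting on (and, ideally, blocking at the perimeter).
    """
    findings = []
    for line in flows.splitlines():
        ts, src, dst, port, proto = line.split()
        if proto == "tcp" and port == "445" and is_external(dst):
            findings.append(Finding("smb-egress", f"{ts} {src} -> {dst}:445"))
    return findings


def ntlm_network_logons_from_external(events: str) -> list[Finding]:
    """Flag NTLM network logons (4624, type 3) whose source IP is not internal.

    Legitimate NTLM network logons originate from internal hosts; one sourced
    from an external address is a candidate for stolen or relayed credentials
    and should be triaged.
    """
    findings = []
    for line in events.splitlines():
        event_id, rest = line.split(maxsplit=1)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        if event_id != "4624" or fields.get("LogonType") != "3":
            continue
        if fields.get("AuthPkg") == "NTLM" and is_external(fields["SrcIp"]):
            findings.append(Finding(
                "ntlm-external-logon",
                f"{fields['Account']} from {fields['SrcIp']}",
            ))
    return findings


def run_checks() -> list[Finding]:
    """Run both detections over the constructed samples."""
    return (outbound_smb_to_internet(SAMPLE_FLOWS)
            + ntlm_network_logons_from_external(SAMPLE_LOGONS))


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.kind}] {f.detail}")
```

Against the constructed samples the script reports two SMB egress findings (both workstations reaching 203.0.113.77 on port 445) and one NTLM logon for `alice` from that same external address; the internal SMB session, the Kerberos logon and the interactive (type 2) logon are ignored. In practice the same two rules map onto a SIEM search, and the egress rule pairs naturally with a firewall policy that denies outbound 445 by default.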

Affected federal agencies and contractors have been given a due date of May 8, 2025, to confirm remediation of the vulnerability. Non-compliance may result in increased exposure to credential theft and subsequent intrusions.

While Microsoft investigates the full extent of the CVE-2025-24054 exploit, security professionals are urged to remain vigilant. CISA is expected to provide further updates as new threat intelligence emerges.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
