CISA Warns of Active Exploitation of Windows NTLM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.

The flaw affects Windows’ NTLM authentication protocol, creating an opportunity for unauthorized attackers to infiltrate systems via a spoofing vulnerability.

Overview of the Vulnerability

CVE-2025-24054, officially designated as a “Windows NTLM Hash Disclosure Spoofing Vulnerability,” is categorized under CWE-73: External Control of File Name or Path.

This vulnerability allows threat actors to externally control the file name or path used by Windows NTLM, potentially causing the inadvertent disclosure of hashed credentials over a network connection.

According to Microsoft’s advisory, an attacker—positioned on the same network as the victim—could exploit this vulnerability to perform credential spoofing.

By controlling the target’s file name or path, malicious actors may gain unauthorized access to sensitive systems or escalate privileges, all without the need for prior authorization.

CISA’s alert is significant: it indicates the vulnerability is not just theoretical, but is being actively exploited in the wild.

While there is currently no public evidence linking the flaw to existing ransomware campaigns, CISA notes that the attack vector is of particular concern due to the critical nature of credential-based attacks in modern cybercrimes.

“Active exploitation of this vulnerability poses a severe risk to both government and private sector organizations,” CISA wrote in its bulletin.

“Immediate action is required to prevent potential data breaches and lateral movement within affected networks.”

CISA urges organizations to follow Microsoft’s published mitigation guidance without delay. Recommended steps include:

• Apply the latest patches and security updates provided by Microsoft for all affected Windows systems.
• Review and adhere to applicable guidance under BOD 22-01, particularly for cloud service environments.
• Discontinue the use of vulnerable products if no mitigations or updates are available.

The agency also recommends routine monitoring for unusual credential activity and implementing network segmentation to limit the impact of potential breaches.

Affected federal agencies and contractors have been given a due date of May 8, 2025, to confirm remediation of the vulnerability. Non-compliance may result in increased exposure to credential theft and subsequent intrusions.

While Microsoft investigates the full extent of the CVE-2025-24054 exploit, security professionals are urged to remain vigilant. CISA is expected to provide further updates as new threat intelligence emerges.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!