
CISA Warns of Active Exploitation of Windows NTLM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a Microsoft Windows vulnerability tracked as CVE-2025-24054, adding it to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft patched the flaw in its March 2025 security update, and exploitation in the wild followed within weeks.

The flaw sits in Windows’ NTLM authentication handling. It lets an unauthenticated attacker trick a victim’s machine into authenticating to a server the attacker controls, which discloses the user’s NTLM credential material over the network.

Overview of the Vulnerability

CVE-2025-24054, officially designated as a “Windows NTLM Hash Disclosure Spoofing Vulnerability,” is categorized under CWE-73: External Control of File Name or Path.

The weakness is that an attacker can supply a file name or path (for example, a UNC path pointing at an attacker-controlled host) that Windows resolves on the user’s behalf. When Windows follows that path it performs NTLM authentication to the remote server, handing over the user’s NTLMv2 challenge-response (commonly called the NTLMv2 hash) over the network connection.

According to Microsoft’s advisory, the attack vector is network-based and requires no privileges, but it does require limited user interaction: the victim has to interact minimally with a malicious file, for instance by selecting or inspecting it, rather than opening or executing it.

Once captured, the NTLMv2 response can be cracked offline to recover the user’s password or relayed to another service that accepts NTLM authentication, giving the attacker access as that user without ever knowing the password. That makes the bug a foothold for lateral movement and privilege escalation rather than a one-off information leak.

CISA’s alert is significant: it indicates the vulnerability is not just theoretical, but is being actively exploited in the wild.

While there is currently no public evidence linking the flaw to existing ransomware campaigns, CISA notes that the attack vector is of particular concern because stolen credentials are the entry point for so many modern intrusions.

“Active exploitation of this vulnerability poses a severe risk to both government and private sector organizations,” CISA wrote in its bulletin.

“Immediate action is required to prevent potential data breaches and lateral movement within affected networks.”

CISA urges organizations to follow Microsoft’s published mitigation guidance without delay. Recommended steps include:

  • Apply the latest patches and security updates provided by Microsoft for all affected Windows systems.
  • Review and adhere to applicable guidance under BOD 22-01, particularly for cloud service environments.
  • Discontinue the use of vulnerable products if no mitigations or updates are available.

The agency also recommends routine monitoring for unusual credential activity, NTLM authentication to unexpected or external hosts in particular, and network segmentation to limit how far a captured credential can be used.
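The mitigation list above is generic, so here is what those steps look like on a single Windows host. This is an added example, not a script from the CISA bulletin or from Microsoft’s advisory. It checks patch state coarsely, blocks outbound SMB to non-local addresses (the usual path by which the NTLM hash reaches the attacker), turns on auditing of outgoing NTLM, and reports what the audit caught. The firewall rule name and the seven-day lookback are our own choices; the registry value and event ID are Windows’ own.

```powershell
# Added example, not code from the CISA bulletin or Microsoft's advisory.
# Hardening and visibility checks for NTLM hash-disclosure bugs such as
# CVE-2025-24054. Run in an elevated PowerShell session on a Windows 10/11
# or Windows Server host. The rule name and 7-day window are assumptions.
#Requires -RunAsAdministrator

$RuleName = 'NTLM leak mitigation: block outbound SMB to Internet'  # hypothetical name
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$PatchDay = [datetime]'2025-03-11'   # Microsoft's March 2025 security update

# 1. Patch state. Get-HotFix only knows install dates, so this is a coarse
#    check: a host whose newest update predates March 2025 is still exposed.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Write-Warning "$env:COMPUTERNAME: no update install dates recorded; verify patch level manually."
} elseif ($latest.InstalledOn -lt $PatchDay) {
    Write-Warning "$env:COMPUTERNAME: newest update is $($latest.HotFixID) from $($latest.InstalledOn); March 2025 update not confirmed."
}

# 2. Block outbound SMB (TCP 445) to addresses Windows classifies as non-local.
#    The hash only leaks if the victim completes an SMB connection to the
#    attacker's server, so this cuts off the common path before the patch lands.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 3. Audit outgoing NTLM (value 1) before denying it (value 2). This is the
#    registry backing of the policy "Network security: Restrict NTLM: Outgoing
#    NTLM traffic to remote servers". Value 2 breaks access to servers that
#    cannot do Kerberos, so move to it only once the audit log is clean.
$current = (Get-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $current -or $current -eq 0) {
    New-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 4. Review what the audit captured. Event 8001 in Microsoft-Windows-NTLM/Operational
#    records each outgoing NTLM authentication the client would have been blocked
#    from sending. Targets that are bare IP addresses or hosts outside your
#    domain are the ones to investigate.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Message | Format-List
```

Two caveats. The host firewall rule does nothing against an attacker who already sits on the same subnet, which is why the bulletin’s segmentation advice still matters and why the same 445 block belongs on the perimeter too. And step 3 deliberately stops at audit mode: denying outgoing NTLM outright will break access to any server that cannot negotiate Kerberos, so inventory the 8001 events first.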

Affected federal agencies and contractors have been given a due date of May 8, 2025, to confirm remediation of the vulnerability. Non-compliance may result in increased exposure to credential theft and subsequent intrusions.

While Microsoft investigates the full extent of CVE-2025-24054 exploitation, security professionals are urged to remain vigilant. CISA is expected to provide further updates as new threat intelligence emerges.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
