CVE-2025-24054: CWE-73: External Control of File Name or Path in Microsoft Windows 10 Version 1809

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-24054, cwe-73
Published: Tue Mar 11 2025 (03/11/2025, 16:59:09 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

AI-Powered Analysis

Last updated: 08/05/2025, 01:01:52 UTC

Technical Analysis

CVE-2025-24054 is a vulnerability identified in Microsoft Windows 10 Version 1809 (build 10.0.17763.0) related to CWE-73: External Control of File Name or Path. This vulnerability arises from improper handling of file names or paths controlled externally within the Windows NTLM (NT LAN Manager) authentication protocol. Specifically, an attacker who can interact with the system over a network can manipulate file path inputs to perform spoofing attacks. Spoofing in this context means the attacker can deceive the system or users by masquerading as a legitimate entity, potentially redirecting or intercepting authentication processes or network communications.

The vulnerability does not require any privileges (PR:N) but does require user interaction (UI:R), such as a user initiating a connection or authentication attempt. The attack vector is network-based (AV:N), meaning exploitation can occur remotely without physical access. The vulnerability impacts confidentiality (C:H) but not integrity or availability, indicating that sensitive information could be exposed or intercepted without altering data or disrupting service. The CVSS 3.1 base score is 6.5, categorized as medium severity, reflecting moderate risk.

No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability's presence in an older Windows 10 version (1809) suggests that systems still running this build are at risk, especially in environments where NTLM authentication is used extensively. The external control of file paths could allow attackers to redirect authentication attempts or capture credentials, facilitating further network intrusion or lateral movement within an enterprise environment.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality, as attackers could exploit it to intercept or spoof NTLM authentication traffic. Many enterprises in Europe still run legacy Windows 10 systems, including version 1809, especially in industrial, governmental, or critical infrastructure sectors where system upgrades are slower due to compatibility or regulatory reasons. Exploitation could lead to unauthorized access to sensitive data, credential theft, or network reconnaissance, which in turn could facilitate more severe attacks such as privilege escalation or data breaches. The impact is heightened in sectors relying on NTLM authentication due to legacy application dependencies. Confidentiality breaches could violate GDPR requirements, leading to regulatory penalties and reputational damage. However, the lack of integrity or availability impact and the requirement for user interaction somewhat limit the threat's immediacy. Still, targeted spear-phishing or social engineering campaigns could trigger exploitation, making it a concern for organizations with high-value assets or sensitive information.

Mitigation Recommendations

European organizations should prioritize identifying and inventorying systems running Windows 10 Version 1809, especially those utilizing NTLM authentication. Immediate mitigation steps include:

1) Applying any forthcoming security updates from Microsoft as soon as they become available.
2) Where patching is delayed, consider disabling or restricting NTLM authentication in favor of more secure protocols like Kerberos, particularly on sensitive network segments.
3) Implement network segmentation and strict access controls to limit exposure of vulnerable systems to untrusted networks.
4) Employ monitoring and anomaly detection for unusual NTLM authentication patterns or network spoofing attempts.
5) Educate users about the risks of interacting with untrusted network resources and encourage caution with unsolicited authentication prompts.
6) Use endpoint protection solutions capable of detecting exploitation attempts related to path manipulation or spoofing.
7) Review and harden Group Policy settings related to authentication and network access to reduce attack surface.

These targeted actions go beyond generic advice by focusing on legacy system identification, NTLM protocol hardening, and user interaction risk reduction.
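One way to combine the inventory step with the NTLM restriction step, as an added example that is not part of the original page: it triages a constructed inventory export for build 10.0.17763 hosts and ranks them by their outgoing-NTLM policy. The CSV layout, column names and host names are hypothetical; the policy value is `RestrictSendingNTLMTraffic` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (0 = allow all, 1 = audit all, 2 = deny all; absent means not configured, which allows).

```python
import csv
import io

AFFECTED_BUILD = ("10", "0", "17763")  # Windows 10 Version 1809, per the advisory
NTLM_OUT = {"0": "allow", "1": "audit", "2": "deny"}  # RestrictSendingNTLMTraffic
PRIORITY = {"allow": 1, "audit": 2, "deny": 3}        # 1 = act first

# Constructed sample inventory (hypothetical hosts, columns and revisions).
INVENTORY_CSV = """hostname,os_build,restrict_sending_ntlm
hmi-01,10.0.17763.0,
fin-ws-07,10.0.17763.5329,1
lab-22,10.0.17763.6893,2
eng-14,10.0.19045.5487,0
"""

def is_1809(os_build):
    """True when major.minor.build matches the affected 1809 build."""
    return tuple(os_build.strip().split(".")[:3]) == AFFECTED_BUILD

def ntlm_outbound(raw):
    """Map the registry value to a policy mode; an absent value allows NTLM."""
    raw = (raw or "").strip()
    if raw == "":
        return "allow"
    if raw not in NTLM_OUT:
        raise ValueError("unexpected RestrictSendingNTLMTraffic value: %r" % raw)
    return NTLM_OUT[raw]

def triage(csv_text):
    """Return (priority, hostname, mode) for every 1809 host, most exposed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_1809(row["os_build"]):
            continue
        mode = ntlm_outbound(row["restrict_sending_ntlm"])
        findings.append((PRIORITY[mode], row["hostname"], mode))
    return sorted(findings)

if __name__ == "__main__":
    for priority, host, mode in triage(INVENTORY_CSV):
        print("P%d %-10s outgoing NTLM: %s" % (priority, host, mode))
```

Hosts in audit mode log outgoing NTLM attempts without blocking them, which supplies the data needed before moving a segment to deny.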

Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-01-16T23:11:19.733Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb31b

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 8/5/2025, 1:01:52 AM

Last updated: 8/15/2025, 2:56:08 PM
