CVE-2025-24054 is a vulnerability categorized under CWE-73 (External Control of File Name or Path) found in Microsoft Windows 10 Version 1507 (build 10.0.10240.0). The issue arises from improper handling of file names or paths within the NTLM authentication protocol, which is still used in many enterprise environments for network authentication. An attacker without any privileges can exploit this vulnerability remotely over the network by manipulating the file path parameters involved in NTLM authentication exchanges. This manipulation can lead to spoofing attacks, where the attacker can masquerade as a legitimate entity or intercept sensitive information, thereby compromising confidentiality. The vulnerability requires user interaction, such as the victim initiating an authentication process, but does not require prior authentication or elevated privileges. The flaw does not affect system integrity or availability directly but can expose sensitive data or credentials. The CVSS v3.1 score of 6.5 reflects a medium severity, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction required (UI:R). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity or availability. No public exploits have been reported yet, and no patches are currently linked, indicating a need for vigilance and proactive mitigation. The vulnerability was reserved in January 2025 and published in March 2025, with enrichment from CISA indicating recognized importance.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality, as attackers can potentially spoof network identities and intercept sensitive authentication data. Organizations still running Windows 10 Version 1507, particularly in legacy or industrial control environments, are vulnerable. The exploitation could lead to unauthorized access to network resources or data leakage, impacting sectors such as finance, government, healthcare, and critical infrastructure. Since NTLM is often used in backward compatibility scenarios or in mixed environments, enterprises relying on it may face increased risk. The requirement for user interaction limits automated widespread exploitation but targeted phishing or social engineering campaigns could trigger the vulnerability. The lack of impact on integrity and availability reduces the risk of system disruption but does not diminish the threat to sensitive information confidentiality. European GDPR regulations heighten the importance of protecting personal data, making confidentiality breaches particularly consequential. The absence of known exploits provides a window for mitigation before active attacks emerge.

1. Upgrade affected systems from Windows 10 Version 1507 to a supported and patched Windows version to eliminate the vulnerability. 2. Disable NTLM authentication where possible, or restrict its use via Group Policy to limit exposure, especially on critical systems. 3. Implement network segmentation and strict access controls to reduce the attack surface for NTLM-based attacks. 4. Employ multi-factor authentication (MFA) to reduce reliance on NTLM and strengthen authentication security. 5. Monitor network traffic for unusual NTLM authentication attempts or anomalies indicative of spoofing. 6. Educate users to recognize and avoid phishing or social engineering attempts that could trigger user interaction exploitation. 7. Apply principle of least privilege to reduce potential impact if credentials are compromised. 8. Use endpoint detection and response (EDR) tools to detect suspicious activities related to authentication processes. 9. Regularly review and update security policies to phase out legacy protocols like NTLM in favor of more secure alternatives such as Kerberos or certificate-based authentication.