CVE-2025-24054 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The flaw resides in the handling of file paths within the NTLM authentication protocol, which is widely used for network authentication in Windows environments. An attacker without any privileges and no prior authentication can exploit this vulnerability remotely over the network by manipulating external input that controls file names or paths. This manipulation enables spoofing attacks, potentially allowing the attacker to impersonate legitimate users or services. The vulnerability impacts confidentiality by potentially exposing sensitive information during authentication or session establishment but does not affect integrity or availability of the system. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity or availability. No known exploits have been reported in the wild, and no patches have been linked at the time of publication. The vulnerability was reserved in January 2025 and published in March 2025. Given NTLM's legacy status but continued presence in many enterprise environments, this vulnerability remains relevant for organizations that have not fully transitioned to more secure authentication protocols like Kerberos or modern identity solutions.

For European organizations, the vulnerability poses a risk primarily to confidentiality, as attackers could spoof identities over the network and potentially intercept or redirect sensitive authentication data. This could lead to unauthorized access to internal resources, lateral movement, or data leakage. Organizations relying on Windows 10 Version 1809 in critical sectors such as government, finance, healthcare, and energy may face increased risk due to the sensitive nature of their data and the potential for targeted attacks. The requirement for user interaction slightly reduces the risk but does not eliminate it, especially in environments with high user activity or where social engineering is feasible. The lack of known exploits in the wild suggests a window of opportunity for defenders to implement mitigations before active exploitation begins. However, the continued use of NTLM in many legacy systems across Europe means that the attack surface remains significant. The vulnerability could also undermine trust in network authentication mechanisms, complicating incident response and forensic investigations.

1. Disable or restrict NTLM authentication where possible, especially on critical systems and network segments, and prefer Kerberos or modern authentication protocols. 2. Apply network segmentation to isolate legacy systems running Windows 10 Version 1809 and limit exposure to untrusted networks. 3. Implement strict monitoring and logging of authentication attempts, focusing on anomalies that may indicate spoofing or manipulation of file paths. 4. Educate users about the risks of interacting with unsolicited network prompts or authentication requests to reduce the likelihood of successful user interaction exploitation. 5. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious NTLM activity or path manipulation attempts. 6. Regularly review and update group policies to enforce secure authentication practices and restrict external control of file paths. 7. Stay alert for official patches or updates from Microsoft and apply them promptly once available. 8. Conduct penetration testing and vulnerability assessments focusing on NTLM-related weaknesses to identify and remediate exposure.