Skip to main content

CVE-2025-24996: CWE-73: External Control of File Name or Path in Microsoft Windows 10 Version 1809

Medium
VulnerabilityCVE-2025-24996cvecve-2025-24996cwe-73
Published: Tue Mar 11 2025 (03/11/2025, 16:59:03 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

AI-Powered Analysis

AILast updated: 06/11/2025, 01:47:23 UTC

Technical Analysis

CVE-2025-24996 is a vulnerability identified in Microsoft Windows 10 Version 1809 (build 10.0.17763.0) involving external control of file name or path, classified under CWE-73. This vulnerability specifically affects the Windows NTLM (NT LAN Manager) authentication protocol implementation. The flaw allows an unauthorized attacker to manipulate file paths or file names externally, which can lead to spoofing attacks over a network. Spoofing in this context means an attacker can impersonate a legitimate user or system component by exploiting the way NTLM handles file paths, potentially redirecting or intercepting authentication requests or responses. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The vector metrics reveal that the attack can be executed remotely (AV:N), requires low attack complexity (AC:L), does not require privileges (PR:N), but does require user interaction (UI:R). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). The exploitability is rated as official (E:U), and remediation level is official fix available (RL:O) with confirmed report confidence (RC:C). No known exploits are currently observed in the wild, and no patches have been linked yet. The vulnerability could be leveraged by attackers to intercept or redirect authentication traffic, potentially gaining unauthorized access to sensitive information or systems by masquerading as trusted entities within a network environment that uses NTLM authentication. This is particularly relevant in enterprise environments where legacy authentication protocols like NTLM are still in use, especially in mixed or backward-compatible Windows networks.

Potential Impact

For European organizations, the impact of CVE-2025-24996 could be significant in environments where Windows 10 Version 1809 is still deployed and NTLM authentication is used. The vulnerability primarily threatens confidentiality by enabling attackers to spoof identities and potentially intercept sensitive authentication data. This could lead to unauthorized access to corporate resources, data breaches, and lateral movement within networks. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which often rely on legacy Windows systems and NTLM for compatibility reasons, are at higher risk. The lack of impact on integrity and availability reduces the risk of data manipulation or denial of service, but the confidentiality breach alone can have severe consequences including regulatory non-compliance under GDPR and other data protection laws. Since user interaction is required, phishing or social engineering campaigns might be used to trigger the exploit, increasing the risk in environments with less mature security awareness. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

Mitigation Recommendations

Upgrade affected systems from Windows 10 Version 1809 to a more recent, supported Windows version where this vulnerability is resolved or mitigated. Disable or restrict the use of NTLM authentication where possible, migrating to more secure authentication protocols such as Kerberos or implementing modern authentication frameworks like OAuth or SAML. Implement network segmentation and strict access controls to limit exposure of systems using NTLM to untrusted networks or users. Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous NTLM authentication patterns or spoofing attempts. Enhance user training and awareness programs to reduce the risk of social engineering attacks that could trigger user interaction required for exploitation. Monitor network traffic for unusual NTLM authentication requests or unexpected file path manipulations that could indicate exploitation attempts. Apply any forthcoming official patches or security updates from Microsoft promptly once available. Use Group Policy settings to audit and restrict NTLM usage, including enabling NTLM auditing to identify and remediate legacy authentication dependencies.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2025-01-30T15:14:20.993Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f81484d88663aeb37e

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 6/11/2025, 1:47:23 AM

Last updated: 7/8/2025, 8:53:09 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats