Windows NTLM Credential Leak via File Download Interaction
CVE-2025-24054 is a medium-severity (CVSS 6.5 per Microsoft, 5.4 per NIST) Windows NTLM spoofing vulnerability caused by external control of file name or path (CWE-73). An attacker can leak NTLMv2 credentials by inducing a victim to download and interact with (or simply unzip) a malicious archive containing a specially crafted .library-ms, .searchConnector-ms, or similar Windows shell integration file. The interaction triggers an automatic NTLM authentication to an attacker-controlled server. CISA added this to the KEV catalog with a due date of May 8, 2025, and public exploits are available on Exploit-DB. This is closely related to CVE-2024-43451 but triggers through different file types (library files, search connectors) rather than .url shortcuts.
```kql
// CVE-2025-24054 — Windows NTLM Credential Leak via Shell Integration Files
// Detect NTLM coercion via .library-ms, .searchConnector-ms, and similar files
// Key signals: shell processes initiating outbound SMB/WebDAV auth,
// creation of Windows shell integration file types in user dirs
let SuspiciousShellFileCreation =
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where FileName endswith_cs ".library-ms"
        or FileName endswith_cs ".searchConnector-ms"
        or FileName endswith_cs ".search-ms"
        or FileName endswith_cs ".mapimail"
    | where ActionType in ("FileCreated", "FileRenamed")
    | where FolderPath has_any ("Downloads", "Temp", "AppData", "Desktop")
    | extend ThreatIndicator = "CVE-2025-24054-ShellFile-Drop";
let NTLMCoercionFromShell =
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("explorer.exe", "searchprotocolhost.exe",
        "searchindexer.exe", "svchost.exe")
    // 445/139 = SMB, 80/443 = WebDAV fallback; only non-RFC1918 destinations
    | where RemotePort in (445, 139, 80, 443)
    | where RemoteIPType == "Public"
    | where InitiatingProcessCommandLine has_any ("SearchProtocolHost", "search")
        or InitiatingProcessFileName in~ ("searchprotocolhost.exe", "explorer.exe")
    | extend ThreatIndicator = "CVE-2025-24054-NTLM-Coercion";
SuspiciousShellFileCreation
| union NTLMCoercionFromShell
| sort by TimeGenerated desc
```
Data Sources
Required Tables: DeviceFileEvents, DeviceNetworkEvents
False Positives
- Legitimate .library-ms files deployed by enterprise software (document management, SharePoint connectors)
- Windows Search indexer accessing legitimate UNC paths on corporate file servers (exclude RFC1918 IPs)
- IT tools creating library or search connector files for deployment
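To triage a dropped .library-ms or .searchConnector-ms file offline and apply the RFC1918 exclusion from the false-positive list, here is an added Python example that is not part of the original detection package: it pulls every location `<url>` out of the file and flags those pointing at a host outside the estate. The sample file is constructed, the element names follow the Windows library description XML layout, and `corp_suffixes` is an assumed allow-list parameter for internal DNS suffixes.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# RFC1918 ranges are treated as in-estate, matching the false-positive guidance above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _host_of(url):
    """Host part of a UNC path or http(s)/file URL; None for local targets such as knownfolder:{GUID}."""
    if url.startswith("\\\\"):                      # \\host\share\path
        return url.lstrip("\\").split("\\", 1)[0].lower() or None
    parts = urlsplit(url)
    if parts.scheme in ("http", "https", "file") and parts.hostname:
        return parts.hostname.lower()
    return None

def is_internal_host(host, corp_suffixes=()):
    """RFC1918/loopback/link-local IPs, single-label names and allow-listed suffixes count as internal."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918)
    except ValueError:
        pass                                          # not an IP literal: a hostname
    if "." not in host:                               # bare NetBIOS-style name
        return True
    return host.endswith(tuple(s.lower() for s in corp_suffixes))

def find_remote_locations(xml_text, corp_suffixes=()):
    """Return [(url, host)] for every <url> element whose target is outside the estate."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:   # match by local name, ignore namespace
            url = el.text.strip()
            host = _host_of(url)
            if host and not is_internal_host(host, corp_suffixes):
                findings.append((url, host))
    return findings

# Constructed sample: one known folder, one internal file server, one external (TEST-NET) UNC target.
SAMPLE = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation>
      <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>\\fileserver01\docs</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>\\203.0.113.10\share</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""
```

Run `find_remote_locations(SAMPLE)` on a quarantined file's contents; only the external UNC target is reported, so a hit is worth correlating with the DeviceNetworkEvents half of the query above.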