title: Windows NTLM Credential Leak via File Download Interaction (CVE-2025-24054)
id: df00tech-cve-2025-24054
status: experimental
description: >
  CVE-2025-24054 is a medium-severity Windows NTLM hash disclosure (spoofing) vulnerability
  (CVSS 6.5 per Microsoft, 5.4 per NIST) rooted in external control of a file name or path
  (CWE-73). An attacker delivers an archive containing a crafted .library-ms,
  .searchConnector-ms or similar Windows shell integration file whose location points at an
  attacker-controlled UNC path. Minimal interaction with the file (a single click, a right-click,
  or in some cases merely extracting the archive) makes the Windows shell resolve that UNC path
  and silently perform SMB/NTLM authentication to the attacker's server, leaking the user's
  NTLMv2 response, which can then be cracked offline or relayed. CISA added the CVE to the KEV
  catalog with a remediation due date of May 8, 2025, and public proof-of-concept exploits are
  available on Exploit-DB. It is closely related to CVE-2024-43451 but is triggered through
  library and search connector files rather than .url shortcuts. This rule looks for the
  observable side effect of a successful trigger: a Windows host initiating an outbound SMB
  (TCP/445) connection to a non-private destination address.
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
  - https://nvd.nist.gov/vuln/detail/CVE-2025-24054
  - https://df00tech.com/detections/CVE-2025-24054
author: df00tech
date: 2026/04/22
tags:
  - attack.credential_access
  - attack.t1187
  - cve.2025-24054
# Sysmon Event ID 3 (network connection) or an equivalent EDR network telemetry source.
# Tune the private-range filter to the address space your file servers actually use.
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort: 445
  filter_private:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
      - '169.254.0.0/16'
      - '::1/128'
      - 'fe80::/10'
      - 'fc00::/7'
  condition: selection and not filter_private
falsepositives:
  - "Legitimate .library-ms files deployed by enterprise software (document management, SharePoint connectors)"
  - Windows Search indexer accessing legitimate UNC paths on corporate file servers (exclude RFC1918 IPs)
  - IT tools creating library or search connector files for deployment
level: high

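The following Python script is an added example, not part of the original rule or of df00tech's tooling. It re-implements the rule's logic (outbound TCP/445 connection to a destination outside the RFC 1918, loopback, link-local and IPv6 ULA ranges) and runs it over a handful of constructed Sysmon Event ID 3 records so the private-range exclusion can be checked before the rule is deployed. The record layout mirrors Sysmon's network connection fields; the sample IPs, process names and user names are invented documentation-range values.

```python
"""Apply the CVE-2025-24054 network_connection rule to constructed Sysmon records.

Added example: not the original rule's code. Sample events below are constructed
and use documentation address ranges (203.0.113.0/24, 2001:db8::/32).
"""
import ipaddress

# Same ranges as the rule's filter_private selection.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_private(ip: str) -> bool:
    """True when ip falls inside one of the excluded ranges.

    An unparseable address is deliberately treated as NOT private, so a
    malformed field never suppresses an alert.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # 'in' between an IPv4 address and an IPv6 network (or vice versa) is False.
    return any(addr in net for net in PRIVATE_NETS)


def matches(event: dict) -> bool:
    """Sigma condition: selection and not filter_private."""
    if event.get("EventID") != 3:
        return False
    if str(event.get("Initiated", "")).lower() != "true":  # outbound only
        return False
    if int(event.get("DestinationPort", 0)) != 445:        # SMB
        return False
    return not is_private(str(event.get("DestinationIp", "")))


def run(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches(e)]


def _evt(image, dst_ip, dst_port, initiated="true"):
    # Helper to build a minimal Sysmon Event ID 3 record (constructed data).
    return {
        "EventID": 3, "Image": image, "User": "CORP\\jdoe",
        "Protocol": "tcp", "Initiated": initiated,
        "SourceIp": "10.20.30.40", "SourcePort": 51234,
        "DestinationIp": dst_ip, "DestinationPort": dst_port,
    }


SAMPLE_EVENTS = [
    # explorer.exe resolving a UNC path on an Internet host: should alert
    _evt(r"C:\Windows\explorer.exe", "203.0.113.10", 445),
    # same, but to a corporate file server: excluded by filter_private
    _evt(r"C:\Windows\explorer.exe", "10.0.0.5", 445),
    # search indexer talking to an internal share: excluded
    _evt(r"C:\Windows\System32\SearchProtocolHost.exe", "192.168.1.20", 445),
    # ordinary HTTPS traffic: wrong port
    _evt(r"C:\Windows\System32\svchost.exe", "203.0.113.10", 443),
    # inbound SMB from another host: not initiated by this machine
    _evt(r"System", "203.0.113.77", 445, initiated="false"),
    # IPv6 link-local destination: excluded
    _evt(r"C:\Windows\explorer.exe", "fe80::1", 445),
    # IPv6 global destination: should alert
    _evt(r"C:\Windows\explorer.exe", "2001:db8::1", 445),
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the two connections to non-private addresses (one IPv4, one IPv6) survive the filter. When porting the rule to a backend that lacks a `cidr` modifier, make sure the substitute does not fall back to a string prefix match on `172.16.`; that would miss most of 172.16.0.0/12 and could wrongly exclude nothing or everything depending on how the backend expands the list.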