About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability

About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability. It was patched in the March Microsoft Patch Tuesday. VM vendors didn’t mention this vulnerability in their reviews; it was only known to be exploited via user interaction with a malicious file.

A month later, on April 16, Check Point published a blog post with technical details, revealing that the vulnerability is exploited using specially crafted files…

✋ Wait a minute — there was a trending vulnerability in March MSPT: CVE-2025-24071, related to the same files. 🤔 Turns out, it’s THE SAME vulnerability. 🤪 Check Point reports: “Microsoft had initially assigned the vulnerability the CVE identifier CVE-2025-24071_, but it has since been updated to_ CVE-2025-24054_“._ What a mess. 🤷‍♂️ Technical details in the previous post.

👾 Since March 19, Check Point has tracked about 11 campaigns exploiting this vulnerability to collect NTLMv2-SSP hashes.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.