CVE-2025-24984 — Microsoft Windows NTFS Information Disclosure Vulnerability

Microsoft Windows NTFS — Physical-Access Attack Writes Heap Memory to Log Files

What is Windows NTFS?

NTFS (New Technology File System) is the default file system for Windows. The Windows NTFS kernel driver processes all operations on NTFS-formatted volumes in kernel mode. Windows maintains various diagnostic and transaction logs (ETL traces, NTFS change journals, system event logs) that record file system activity. When the NTFS driver encounters errors or unusual conditions while processing a volume, it may record diagnostic information to these logs.

Overview

Microsoft Windows NTFS contains an information disclosure vulnerability (CWE-532 — Insertion of Sensitive Information into Log File) that allows an attacker with physical access to disclose kernel heap memory. When a specially crafted NTFS volume is inserted via physical media (USB drive, SD card, or similar) and the Windows system begins to process it, the NTFS driver logs diagnostic information that includes portions of kernel heap memory contents. An attacker can subsequently read these log files to extract memory data.

CISA added this to the KEV catalog on the same day Microsoft released the patch, indicating active exploitation in the wild at the time of disclosure.

Affected Versions

Product                              Fixed In
Windows 10 (all supported versions)  March 2025 Patch Tuesday
Windows 11 (all supported versions)  March 2025 Patch Tuesday
Windows Server 2016                  March 2025 Patch Tuesday
Windows Server 2019                  March 2025 Patch Tuesday
Windows Server 2022                  March 2025 Patch Tuesday
Windows Server 2025                  March 2025 Patch Tuesday

Technical Details

The vulnerability is a log file information disclosure (CWE-532) in the NTFS kernel driver. When processing a specially crafted NTFS volume, the driver generates diagnostic log entries that inadvertently include portions of the kernel heap — the same memory space that holds OS data structures, process information, and potentially security-sensitive content like cached credentials or cryptographic material.

Attack characteristics:

  • Attack vector: Physical — requires inserting physical media into the target system
  • No privileges required: Standard Windows behavior of processing inserted media triggers the vulnerability automatically (via AutoPlay/AutoMount)
  • No user interaction required: Windows may begin processing NTFS volumes automatically upon insertion
  • Delivery: USB drive, SD card, or other removable media formatted with a crafted NTFS volume
  • Impact: Portions of kernel heap memory written to accessible log files; attacker reads logs post-insertion or at a later time

Exploitation scenario: An attacker briefly inserts a crafted USB drive into an unattended or briefly accessible machine (e.g., a locked workstation), then retrieves the drive. The vulnerable system has already logged kernel heap memory fragments. The attacker later reads those log files — either by accessing the same machine, by having the logs forwarded (e.g., via WEF/SIEM), or via a separate access pathway.

This class of vulnerability is particularly useful for bypassing ASLR: the disclosed heap addresses reveal the memory layout of the running kernel, enabling more precise exploitation of other memory corruption vulnerabilities.

Discovery

Microsoft credited an external security researcher in the March 2025 Patch Tuesday advisory. The same-day CISA KEV addition indicates evidence of active exploitation at the time of disclosure, which is unusual for a physical-access vulnerability and suggests use in targeted attacks.

Exploitation Context

Despite the physical access requirement (AV:P), CISA added CVE-2025-24984 to the KEV catalog on the same day as the patch (March 11, 2025), indicating confirmed in-the-wild exploitation. This suggests use in targeted scenarios such as:

  • Insider threat attacks where an adversary has brief physical access to a target machine
  • Evil maid attacks targeting air-gapped or high-security systems where brief physical access is possible
  • Supply chain scenarios where tampered hardware or media can be inserted during shipping or maintenance
  • Multi-stage attacks where physical-access disclosure is combined with remote exploitation of other vulnerabilities

The kernel heap memory disclosed by this vulnerability can be used to defeat ASLR, enabling reliable exploitation of other Windows memory-corruption vulnerabilities that address randomization would otherwise hinder.

Remediation

  1. Apply the March 2025 Patch Tuesday update — install KB updates from Windows Update or the Microsoft Update Catalog for your specific Windows version.
  2. Disable AutoPlay/AutoRun for removable media — prevent Windows from automatically processing USB drives and other removable media via Group Policy (Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies).
  3. Enable USB port controls — use endpoint management tools (Intune, SCCM, or hardware-level port blocking) to prevent unauthorized media insertion.
  4. Monitor for unusual media insertion events — alert on USB device insertion events (Event ID 2003/2100 in Microsoft-Windows-Kernel-PnP) on sensitive systems.
  5. Physical security controls — enforce locked workstation policies and ensure physical access to endpoints is logged and monitored, particularly in high-security environments.
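The following PowerShell script is an added example, not part of the advisory, that verifies step 2 (AutoPlay policy) and reviews the step 4 insertion events on a single host. It assumes the Group Policy setting writes NoDriveTypeAutoRun under the Policies\Explorer key, and that Event IDs 2003/2100 are recorded in the Microsoft-Windows-DriverFrameworks-UserMode/Operational log, which is disabled by default; adjust the log name if your environment records them elsewhere.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
# Checks: (1) AutoPlay disabled via policy, (2) recent removable-media events.

# --- Step 2: Group Policy "Turn off AutoPlay" writes NoDriveTypeAutoRun under
# Policies\Explorer; 0xFF (255) covers all drive types. Note this governs the
# shell's AutoPlay prompt only; it does not stop the kernel from mounting a
# volume, so the patch in step 1 remains the actual fix.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRun   = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autoRun -eq 255) {
    Write-Output 'AutoPlay: disabled for all drive types (NoDriveTypeAutoRun=0xFF)'
} else {
    $shown = if ($null -eq $autoRun) { 'unset' } else { $autoRun }
    Write-Output "AutoPlay: NOT fully disabled (NoDriveTypeAutoRun=$shown)"
}

# --- Step 4: Event IDs 2003 (UMDF host asked to load drivers) and 2100 (PnP
# operation received) as cited in the advisory. Assumption: they live in the
# UMDF operational log, which must first be enabled:
#   wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
$logName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$since   = (Get-Date).AddHours(-24)
$filter  = @{ LogName = $logName; Id = 2003, 2100; StartTime = $since }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 2003/2100 events in $logName since $since (log disabled or no insertions)"
} else {
    # Keep USB-attached storage (USB mass storage and WPD device paths contain 'USB');
    # SD readers commonly enumerate over USB as well. Adjust the match for your estate.
    $events |
        Where-Object { $_.Message -match 'USB' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Device'; e = { ($_.Message -split "`n")[0].Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
        Sort-Object TimeCreated -Descending |
        Format-Table -AutoSize
}
```

On a fleet, forward the same log through WEF to your SIEM and alert on these IDs for hosts in the high-security scope rather than polling each machine.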

Key Details

Property              Value
CVE ID                CVE-2025-24984
Vendor / Product      Microsoft — Windows
NVD Published         2025-03-11
NVD Last Modified     2025-10-27
CVSS 3.1 Score        4.6
CVSS 3.1 Vector       CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-532
CISA KEV Added        2025-03-11
CISA KEV Deadline     2025-04-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Physical
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           None
Availability:        None

Required Action

CISA BOD 22-01 Deadline: 2025-04-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-03-11  Microsoft March 2025 Patch Tuesday — CVE published and patch released
2025-03-11  Added to CISA Known Exploited Vulnerabilities catalog (same day as patch)
2025-04-01  CISA BOD 22-01 remediation deadline