CVE-2025-24985 — Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability

CVE-2025-24985

Windows Fast FAT Driver (fastfat.sys) — Integer Overflow via Malicious Disk Image; March 2025 Patch Tuesday Zero-Day

What is the Windows Fast FAT File System Driver?

The Windows Fast FAT File System Driver (fastfat.sys) is the kernel-mode driver responsible for reading and writing FAT12, FAT16, and FAT32 file systems — legacy filesystem formats used on USB drives, floppy disks, memory cards, and older storage media. Windows automatically loads and invokes fastfat.sys when it mounts any FAT volume, including when a user double-clicks a Virtual Hard Disk (.vhd or .vhdx) file that contains a FAT-formatted volume. Like the NTFS driver, fastfat.sys processes user-supplied filesystem structures in kernel mode with full SYSTEM privileges.

March 2025 Patch Tuesday was notable for a cluster of simultaneous filesystem driver zero-days: CVE-2025-24985 (Fast FAT integer overflow), CVE-2025-24993 (NTFS heap overflow), and CVE-2025-24990 (Agere Modem Driver) were all patched together, suggesting sustained attacker research into Windows filesystem parsing code.

Overview

CVE-2025-24985 is an integer overflow vulnerability (classified as CWE-122, heap-based buffer overflow, in NVD) in the Windows Fast FAT File System Driver (fastfat.sys). A user who opens or mounts a specially crafted disk image containing a malicious FAT volume causes the driver to perform an integer computation that overflows, leading to heap memory corruption and enabling arbitrary code execution in the kernel. Disclosed as a zero-day in the March 2025 Patch Tuesday, it was added by CISA to the KEV catalog on patch day alongside three other Windows filesystem/driver zero-days patched the same day.

Affected Versions

Product                    | Vulnerable                          | Fixed
Windows 10 (all supported) | Before March 2025 cumulative update | March 2025 cumulative update
Windows 11 (all supported) | Before March 2025 cumulative update | March 2025 cumulative update
Windows Server 2016–2025   | Before March 2025 cumulative update | March 2025 cumulative update

Technical Details

The integer overflow occurs in fastfat.sys during parsing of FAT volume metadata structures. FAT file systems store critical layout information (cluster count, bytes per sector, FAT table locations, root directory entries) in the Volume Boot Record (VBR) and BIOS Parameter Block (BPB). An oversized or specially crafted value in one of these fields causes an arithmetic computation in the driver to overflow a fixed-size integer type (e.g., a 32-bit multiply resulting in a value larger than UINT32_MAX), producing a wrapped-around result that is used to size or index a heap allocation. The resulting incorrect size causes heap memory to be written beyond its bounds, corrupting adjacent kernel heap structures.
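To make the arithmetic concrete, here is an added example (not code from fastfat.sys or from Microsoft) of a FAT32 boot-sector parser that sizes the FAT table buffer two ways: a naive 32-bit multiply that wraps on an oversized BPB_FATSz32, and a checked version that validates the fields against the FAT specification and refuses a product that overflows. The sample boot sector is constructed; the struct, function names and the choice of FATSz32 as the overflowing field are assumptions for illustration, not the actual vulnerable computation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Subset of FAT32 BPB fields that feed size arithmetic (offsets per the FAT spec). */
typedef struct {
    uint16_t bytes_per_sector;    /* BPB_BytsPerSec, offset 11 */
    uint8_t  sectors_per_cluster; /* BPB_SecPerClus, offset 13 */
    uint32_t fat_size_sectors;    /* BPB_FATSz32,    offset 36 */
} bpb_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pull the fields out of a raw 512-byte boot sector (little-endian). */
bpb_t parse_bpb(const uint8_t *sector) {
    bpb_t b;
    b.bytes_per_sector    = (uint16_t)(sector[11] | (sector[12] << 8));
    b.sectors_per_cluster = sector[13];
    b.fat_size_sectors    = rd32(sector + 36);
    return b;
}

/* Naive FAT-table buffer size: a 32-bit multiply that silently wraps on an
 * oversized BPB_FATSz32, so a too-small buffer would be allocated for the table. */
uint32_t naive_fat_bytes(const bpb_t *b) {
    return (uint32_t)b->bytes_per_sector * b->fat_size_sectors;
}

/* Hardened version: range-check the fields and refuse a product that wraps. */
bool checked_fat_bytes(const bpb_t *b, uint32_t *out) {
    uint16_t bps = b->bytes_per_sector;
    uint8_t  spc = b->sectors_per_cluster;
    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096) return false;
    if (spc == 0 || (spc & (spc - 1)) != 0 || (uint32_t)bps * spc > 32768u) return false;
    if (b->fat_size_sectors == 0) return false;
    /* __builtin_mul_overflow (GCC/Clang) returns true when the product does not fit. */
    return !__builtin_mul_overflow((uint32_t)bps, b->fat_size_sectors, out);
}

/* Constructed boot sector: bps=512 and spc=8 are valid; FATSz32 is the caller's value. */
void make_sector(uint8_t sector[512], uint32_t fat_size_sectors) {
    memset(sector, 0, 512);
    sector[11] = 0x00; sector[12] = 0x02;               /* 512 bytes per sector */
    sector[13] = 0x08;                                  /* 8 sectors per cluster */
    for (int i = 0; i < 4; i++) sector[36 + i] = (uint8_t)(fat_size_sectors >> (8 * i));
}
```

With FATSz32 = 0x00900000 the naive product is 0x120000000, which wraps to 0x20000000 in 32 bits, while the checked version rejects the sector; a sane value such as 8192 sectors passes and yields 4194304 bytes.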

Exploitation delivery mechanism:

  1. Attacker crafts a .vhd or .img file containing a FAT-formatted volume with malformed BPB/VBR fields
  2. Delivers via phishing (email attachment, download link, USB)
  3. Victim opens the file — Windows Explorer automatically mounts the virtual disk and invokes fastfat.sys
  4. The driver processes the malformed FAT structures in kernel mode, triggering the overflow
  5. Kernel heap corruption enables SYSTEM-level code execution

Key characteristics:

  • No privileges required (PR:N) — standard user opening a file is sufficient
  • User interaction required (UI:R) — victim must open or mount the disk image
  • Low attack complexity (AC:L) — reliable exploit possible once the malicious disk image is crafted
  • Pairs with NTFS zero-day CVE-2025-24993 as an alternative filesystem exploitation vector

Discovery

Microsoft Threat Intelligence identified active exploitation before March 2025 Patch Tuesday. The simultaneous patching of multiple filesystem driver zero-days in one Patch Tuesday reflects coordinated attacker research.

Exploitation Context

Confirmed zero-day exploitation before March 11, 2025. CISA added it to the KEV catalog on patch day. The FAT filesystem vector complements the NTFS zero-day (CVE-2025-24993) patched the same day: attackers who knew the NTFS vector might use FAT as a fallback on systems with alternative disk image associations. .vhd and .img files are effective phishing delivery mechanisms because many users are unaware that opening these files triggers kernel-mode filesystem parsing.

Remediation

  1. Apply the March 2025 cumulative update for your Windows version. The CISA deadline was April 1, 2025.
  2. Block .vhd, .vhdx, and .img file attachments at the email gateway — these trigger automatic kernel-mode filesystem driver invocation when opened.
  3. Apply all March 2025 filesystem patches from the same cumulative update: CVE-2025-24985 (Fast FAT), CVE-2025-24993 (NTFS), and CVE-2025-24990 (Agere Modem Driver).
  4. Restrict auto-mount behavior via Group Policy to prevent Windows Explorer from automatically mounting virtual disk images.
  5. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender to block suspicious file execution from email and download vectors.

Key Details

Property             | Value
CVE ID               | CVE-2025-24985
Vendor / Product     | Microsoft — Windows
NVD Published        | 2025-03-11
NVD Last Modified    | 2025-10-27
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-122
CISA KEV Added       | 2025-03-11
CISA KEV Deadline    | 2025-04-01
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-04-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-03-11 | Patched in March 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-04-01 | CISA BOD 22-01 remediation deadline