CVE-2025-24991 — Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability

CVE-2025-24991

Microsoft Windows NTFS — Out-of-Bounds Read Discloses Memory Contents via Crafted Volume

What is Windows NTFS?

NTFS (New Technology File System) is the default file system for Windows. The kernel-mode NTFS driver (ntfs.sys) parses every NTFS-formatted volume the system mounts: internal drives, removable USB media, and disk images such as VHD/VHDX files. An ISO image uses CDFS/UDF rather than NTFS, but can carry a VHD inside it, and a remote SMB share is handled by the SMB redirector rather than by ntfs.sys, so a share can deliver a crafted image file but does not itself reach the NTFS parser. Because parsing happens in kernel mode, a bug in ntfs.sys can expose kernel memory to user-space code that merely mounts or opens a volume.

Overview

Microsoft Windows NTFS contains an out-of-bounds read vulnerability (CWE-125) that allows an attacker to disclose memory contents. When a Windows system mounts a specially crafted NTFS volume, the NTFS driver reads past the end of the structure it is parsing; the bytes it pulls from adjacent kernel memory can then become visible to the user-mode process that triggered the mount or file access.

Exploitation requires a user to interact with a malicious volume. Microsoft's advisory describes the trigger as tricking a local user into mounting a specially crafted VHD, but any path that gets a crafted NTFS volume mounted works: plugging in a prepared USB drive, or opening a VHD/VHDX image received by email, downloaded from the web, or fetched from a network share. CISA added the CVE to the KEV catalog on the day Microsoft released the patch, indicating exploitation in the wild at the time of disclosure.

Affected Versions

Product                                 Fixed In
Windows 10 (all supported versions)     March 2025 Patch Tuesday (2025-03-11)
Windows 11 (all supported versions)     March 2025 Patch Tuesday (2025-03-11)
Windows Server 2016                     March 2025 Patch Tuesday (2025-03-11)
Windows Server 2019                     March 2025 Patch Tuesday (2025-03-11)
Windows Server 2022                     March 2025 Patch Tuesday (2025-03-11)
Windows Server 2025                     March 2025 Patch Tuesday (2025-03-11)

Technical Details

The vulnerability is a classic out-of-bounds read (CWE-125) in the NTFS volume parsing logic of the kernel-mode ntfs.sys driver. NTFS volumes contain complex metadata structures (MFT records, attribute lists, index buffers, and more) whose offset and length fields the driver may trust only after checking them against the enclosing structure. A specially crafted volume embeds metadata whose fields are internally inconsistent, so the parser reads beyond the intended structure boundary. Microsoft has not published which structure or code path is affected.
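The specific ntfs.sys code path behind CVE-2025-24991 has not been published, so the following is an added example (not code from Microsoft or from this page) that models the bug class in C on a constructed MFT FILE record: a walker that trusts a resident attribute's value_length, beside one that validates every offset and length against the record buffer it actually holds. The header and attribute offsets follow the documented NTFS FILE record layout; the crafted record, the "adjacent pool" bytes and the helper names (build_record, read_attr_naive, read_attr_checked, naive_leaks_secret, checked_result) are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* A real MFT FILE record is normally 1024 bytes; the 64 bytes laid out after it here
 * stand in for whatever kernel memory happens to follow the record (constructed). */
#define REC_SIZE      1024u
#define ADJ_SIZE      64u
#define ATTR_END      0xFFFFFFFFu   /* end-of-attributes marker */
#define ATTR_STD_INFO 0x10u         /* $STANDARD_INFORMATION */
enum { NTFS_OK = 0, NTFS_ERR_HEADER = -1, NTFS_ERR_ATTR = -2, NTFS_ERR_VALUE = -3, NTFS_ERR_NOTFOUND = -4 };

/* NTFS on-disk fields are little-endian; access them byte-wise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed stand-in for neighbouring kernel data that must never reach user mode. */
static const uint8_t SECRET[ADJ_SIZE] = "constructed adjacent-pool data: not part of the record";

/* Minimal FILE record: header, one resident $STANDARD_INFORMATION attribute (48-byte value),
 * end marker. With `crafted` set, value_length is inflated so value_offset + value_length
 * runs past the record: the inconsistency a CWE-125 parser fails to reject. */
static void build_record(uint8_t *rec, int crafted)
{
    memset(rec, 0, REC_SIZE);
    memcpy(rec, "FILE", 4);
    wr16(rec + 4, 0x30);  wr16(rec + 6, 3);      /* update sequence array offset, count */
    wr16(rec + 16, 1);    wr16(rec + 18, 1);     /* sequence number, hard-link count */
    wr16(rec + 20, 0x38); wr16(rec + 22, 1);     /* first attribute offset, flags: in use */
    wr32(rec + 28, REC_SIZE);                    /* bytes allocated */
    uint8_t *a = rec + 0x38; const uint32_t attr_len = 24 + 48;  /* resident header + value */
    wr32(a, ATTR_STD_INFO); wr32(a + 4, attr_len);               /* a[8] == 0: resident */
    wr32(a + 16, crafted ? (REC_SIZE - 0x38 - 24) + ADJ_SIZE : 48u);   /* value_length */
    wr16(a + 20, 24);                            /* value_offset */
    memset(a + 24, 0x41, 48);                    /* placeholder timestamps/flags */
    wr32(a + attr_len, ATTR_END);
    wr32(rec + 24, 0x38 + attr_len + 8);         /* bytes in use */
}

/* Vulnerable walker: trusts every length field, so the memcpy source is bounded by what
 * the record claims rather than by the buffer the caller holds. Returns bytes copied. */
static size_t read_attr_naive(const uint8_t *rec, uint32_t want, uint8_t *out, size_t out_cap)
{
    size_t off = rd16(rec + 20);
    for (;;) {                                   /* also spins forever on a zero-length attribute */
        const uint8_t *a = rec + off; uint32_t type = rd32(a);
        if (type == ATTR_END) return 0;
        if (type == want && a[8] == 0) {
            size_t n = rd32(a + 16); if (n > out_cap) n = out_cap;
            memcpy(out, a + rd16(a + 20), n);    /* may read far past the record */
            return n;
        }
        off += rd32(a + 4);
    }
}

/* Hardened walker: every offset and length is checked against rec_len, the size of the
 * buffer the caller really owns, before it is dereferenced. */
static int read_attr_checked(const uint8_t *rec, size_t rec_len, uint32_t want,
                             uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 48 || memcmp(rec, "FILE", 4) != 0) return NTFS_ERR_HEADER;
    uint32_t in_use = rd32(rec + 24), alloc = rd32(rec + 28); size_t off = rd16(rec + 20);
    if (alloc > rec_len || in_use > alloc || off < 48 || (off & 7) || off >= in_use) return NTFS_ERR_HEADER;
    while (off + 4 <= in_use) {
        const uint8_t *a = rec + off; uint32_t type = rd32(a);
        if (type == ATTR_END) return NTFS_ERR_NOTFOUND;
        if (off + 16 > in_use) return NTFS_ERR_ATTR;              /* common header is 16 bytes */
        uint32_t len = rd32(a + 4);
        if (len < 16 || (len & 7) || len > in_use - off) return NTFS_ERR_ATTR;  /* also kills len == 0 loops */
        if (type == want) {
            if (a[8] != 0 || len < 24) return NTFS_ERR_VALUE;     /* demo handles resident values only */
            uint32_t vlen = rd32(a + 16); uint16_t voff = rd16(a + 20);
            if (voff < 24 || voff > len || vlen > len - voff || vlen > out_cap)
                return NTFS_ERR_VALUE;                            /* value must lie inside this attribute */
            memcpy(out, a + voff, vlen); *out_len = vlen;
            return NTFS_OK;
        }
        off += len;
    }
    return NTFS_ERR_ATTR;                                         /* ran out of record without an end marker */
}

static void lay_out(uint8_t *mem, int crafted) { build_record(mem, crafted); memcpy(mem + REC_SIZE, SECRET, ADJ_SIZE); }

/* 1 if the vulnerable walker handed back the bytes that sit after the record. */
static int naive_leaks_secret(int crafted)
{
    uint8_t mem[REC_SIZE + ADJ_SIZE], out[REC_SIZE + ADJ_SIZE];
    lay_out(mem, crafted);                       /* record immediately followed by "adjacent" bytes */
    size_t n = read_attr_naive(mem, ATTR_STD_INFO, out, sizeof out);
    return n >= ADJ_SIZE && memcmp(out + n - ADJ_SIZE, SECRET, ADJ_SIZE) == 0;
}

/* Result code of the hardened walker on the same record; *got receives the value length. */
static int checked_result(int crafted, size_t *got)
{
    uint8_t mem[REC_SIZE + ADJ_SIZE], out[128];
    lay_out(mem, crafted); *got = 0;
    return read_attr_checked(mem, REC_SIZE, ATTR_STD_INFO, out, sizeof out, got);
}
```

Compile with any C99 compiler and call naive_leaks_secret(1) and checked_result(1, &n): the unchecked walker hands back the 64 bytes that sit after the record (exactly the disclosure primitive a CWE-125 read provides), while the checked walker rejects the record with NTFS_ERR_VALUE before touching a byte outside it. The same discipline applies to every NTFS field that expresses an offset or length: bytes_in_use against the allocation, attribute length against bytes_in_use, value against attribute, data runs against the volume.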

Attack characteristics:

  • Attack vector: Local — the attacker must deliver a malicious NTFS volume to the target system
  • No privileges required: A standard user can trigger the vulnerability by opening a crafted file
  • User interaction required: The victim must interact with the malicious volume (open/mount a crafted VHD or similar)
  • Delivery vectors: USB drives, emailed or downloaded VHD/VHDX files, images staged on a network share, or a VHD wrapped inside an ISO; in every case the crafted NTFS structures are parsed only once the volume is mounted on the victim's machine
  • Impact: High confidentiality impact — kernel memory disclosed to user space; no integrity or availability impact

Another NTFS information-disclosure bug, CVE-2025-24984, was patched in the same cycle; together they show continued attacker interest in Windows file-system driver bugs as information-disclosure primitives, which are typically paired with a separate memory-corruption bug in a privilege-escalation chain.

Discovery

Microsoft credited an external security researcher in the March 2025 Patch Tuesday advisory. The same-day KEV addition indicates CISA had evidence of active exploitation at the time of disclosure, suggesting the vulnerability may have been under targeted attack before the patch was available.

Exploitation Context

CISA added CVE-2025-24991 to the KEV catalog on the same day Microsoft released the patch (March 11, 2025), indicating confirmed in-the-wild exploitation at disclosure time. The local attack vector and user-interaction requirement suggest use in targeted attacks where an attacker can socially engineer a user to open a crafted disk image, or in scenarios where an attacker has already achieved some level of access and can plant a malicious volume.

Information disclosure vulnerabilities in kernel drivers are frequently used as components of multi-stage attack chains: the leaked bytes often contain kernel pointers, which defeat kernel ASLR (KASLR) and give a subsequent memory-corruption exploit the addresses it needs.

Remediation

  1. Apply the March 2025 Patch Tuesday update — install KB updates from Windows Update or the Microsoft Update Catalog for your specific Windows version.
  2. Exercise caution with disk images — avoid opening untrusted VHD, VHDX, IMG, or ISO files, especially those received via email or downloaded from unfamiliar sources.
  3. Restrict removable media and image mounting — disabling AutoPlay/AutoRun via Group Policy only stops programs launching from new media; Windows still mounts the file system, so where operations allow also apply the Removable Storage Access policies (Computer Configuration > Administrative Templates > System > Removable Storage Access) to deny removable disks outright.
  4. Monitor for unusual volume mounts — review the VHDMP Operational event log (Applications and Services Logs > Microsoft > Windows > VHDMP), which records VHD/VHDX attach and detach, and disk-arrival events for images opened from mail attachments, download folders, or network shares.

Key Details

Property              Value
CVE ID                CVE-2025-24991
Vendor / Product      Microsoft — Windows
NVD Published         2025-03-11
NVD Last Modified     2025-10-27
CVSS 3.1 Score        5.5
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-125
CISA KEV Added        2025-03-11
CISA KEV Deadline     2025-04-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: None
User Interaction:    Required
Scope:               Unchanged
Confidentiality:     High
Integrity:           None
Availability:        None

Required Action

CISA BOD 22-01 Deadline: 2025-04-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-03-11  Microsoft March 2025 Patch Tuesday — CVE published and patch released
2025-03-11  Added to CISA Known Exploited Vulnerabilities catalog (same day as patch)
2025-04-01  CISA BOD 22-01 remediation deadline