CVE-2025-24993 — Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability

Windows NTFS Driver — Heap Overflow via Malicious .vhd File; March 2025 Patch Tuesday Zero-Day

What is the Windows NTFS Driver?

NTFS (New Technology File System) is the primary filesystem for Windows, and the NTFS driver (ntfs.sys) is the kernel-mode component responsible for reading and writing NTFS volumes. Windows automatically invokes the NTFS driver when mounting disk images — including Virtual Hard Disk (.vhd and .vhdx) files. When a user double-clicks a .vhd file in Windows Explorer, the OS mounts it as a virtual disk and the NTFS driver parses its filesystem structures. If the .vhd contains a maliciously crafted NTFS volume, the driver's parsing code processes the attacker-controlled structures in kernel mode with full SYSTEM privileges.

Overview

CVE-2025-24993 is a heap-based buffer overflow (CWE-122) in the Windows NTFS driver triggered when Windows mounts a specially crafted .vhd or .vhdx file. A user who opens or mounts a malicious virtual disk image causes the NTFS driver to process a crafted filesystem structure, overflowing a heap buffer and enabling arbitrary code execution in the kernel. Disclosed as a zero-day in the March 2025 Patch Tuesday, CISA added it to the KEV catalog on patch day alongside three other NTFS/Windows filesystem zero-days patched the same day.

Affected Versions

Product                       Vulnerable                              Fixed
Windows 10 (all supported)    Before March 2025 cumulative update     March 2025 cumulative update
Windows 11 (all supported)    Before March 2025 cumulative update     March 2025 cumulative update
Windows Server 2016–2025      Before March 2025 cumulative update     March 2025 cumulative update

Technical Details

The heap-based buffer overflow (CWE-122) occurs in the NTFS driver's filesystem structure parsing code when processing a virtual disk image. NTFS volumes store metadata in complex on-disk structures (MFT records, attribute headers, directory B-trees). When an invalid or oversized field value in one of these structures causes the driver to write beyond an allocated heap buffer, adjacent kernel heap memory is corrupted.

Exploitation delivery mechanism:

  1. Attacker crafts a malicious .vhd file containing an NTFS volume with a specially constructed filesystem structure
  2. Delivers it via email attachment, download link, shared network path, or USB drive
  3. Victim double-clicks the .vhd file in Windows Explorer — Windows automatically mounts virtual disk images
  4. The NTFS driver parses the malicious volume structure in kernel mode, triggering the heap overflow
  5. Attacker-controlled data in the overflow enables SYSTEM-level code execution

Key characteristics:

  • No privileges required (PR:N) — opening a file as a standard user is sufficient
  • User interaction required (UI:R) — victim must open/mount the .vhd file
  • Low attack complexity (AC:L) — reliable exploit possible once the malicious .vhd is crafted

Discovery

Microsoft Threat Intelligence identified active exploitation before March 2025 Patch Tuesday. The March 2025 Patch Tuesday included four simultaneously patched NTFS and filesystem-related zero-days, suggesting sustained attacker research into Windows filesystem parsing code.

Exploitation Context

Zero-day exploitation was confirmed before March 11, 2025, and CISA added the CVE to the KEV catalog on patch day. The .vhd file vector is particularly effective for phishing because many users are unaware that opening a disk image triggers kernel-mode filesystem parsing code; they may perceive it as simply "opening a folder." .vhd files can also be delivered inside .zip email attachments to bypass gateway filtering that only inspects the outer attachment's extension.

Remediation

  1. Apply the March 2025 cumulative update for your Windows version. The CISA deadline was April 1, 2025.
  2. Block .vhd and .vhdx file attachments at the email gateway — these files can trigger kernel-mode filesystem parsing and have no legitimate use as email attachments for most organizations.
  3. Configure Windows Explorer to not automatically mount virtual disk images; this can be done via Group Policy to reduce automatic triggering of NTFS driver parsing.
  4. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender that prevent suspicious file execution from email and download vectors.
  5. Apply all March 2025 NTFS patches simultaneously — four NTFS/filesystem CVEs were patched on the same day; the full cumulative update addresses all of them.
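A gateway-side check that ties together remediation step 2 and the .zip-wrapping concern above, written here as an added example and not taken from the advisory or from any vendor product: it flags archive entries as virtual disk images by extension and by format magic (the VHD "conectix" cookie and the VHDX "vhdxfile" signature are documented parts of those formats), so a renamed .vhd or a .vhdx nested inside a second zip is still caught. The sample attachment is constructed inline.

```python
import io
import zipfile

# Extensions the remediation advice says to block outright at the gateway.
BLOCKED_EXTENSIONS = (".vhd", ".vhdx")
# Format magic: VHD headers/footers carry the cookie "conectix"; VHDX files start with "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
MAX_DEPTH = 3  # how many levels of zip-in-zip to descend before giving up

def looks_like_virtual_disk(name: str, data: bytes) -> bool:
    """Flag by extension or by content, so a renamed .vhd is still caught."""
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        return True
    # Dynamic VHDs keep a footer copy at offset 0; fixed VHDs only have the trailing 512-byte footer.
    return data[:8] in (VHDX_SIGNATURE, VHD_COOKIE) or data[-512:][:8] == VHD_COOKIE

def find_virtual_disks(archive_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return archive paths of every entry that is, or hides, a virtual disk image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            if looks_like_virtual_disk(info.filename, data):
                hits.append(path)
            elif depth < MAX_DEPTH and data[:2] == b"PK":
                # Nested archive: recurse so a .vhdx inside a zip inside a zip is still found.
                hits.extend(find_virtual_disks(data, depth + 1, path + "/"))
    return hits

def build_sample_archive() -> bytes:
    """Constructed sample attachment: a benign file, a renamed VHD, and a nested zip holding a .vhdx."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("disk.vhdx", VHDX_SIGNATURE + b"\x00" * 24)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.7 constructed benign body")
        z.writestr("notes.txt", VHD_COOKIE + b"\x00" * 504)  # dynamic VHD renamed to hide it
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(find_virtual_disks(build_sample_archive()))  # ['notes.txt', 'archive.zip/disk.vhdx']
```

In a real gateway the same two functions would run over the decoded attachment bytes; a hit on a renamed or nested image is the case an extension-only filter misses.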

Key Details

Property               Value
CVE ID                 CVE-2025-24993
Vendor / Product       Microsoft — Windows
NVD Published          2025-03-11
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-122
CISA KEV Added         2025-03-11
CISA KEV Deadline      2025-04-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-04-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-03-11    Patched in March 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-04-01    CISA BOD 22-01 remediation deadline