Microsoft’s March 2025 Patch Tuesday update addressed a critical NTFS information disclosure vulnerability (CVE-2025-24984) actively exploited by attackers.
With a CVSS score of 4.6, this flaw allows attackers with physical access to a device to insert a malicious USB drive, triggering unintended logging of sensitive heap memory data into system logs.
While not yet linked to ransomware campaigns, the vulnerability poses significant risks for data theft and further exploitation
Vulnerability Details and Exploitation
CVE-2025-24984 stems from a flaw in how Windows NTFS handles logging, classified under CWE-532: Insertion of Sensitive Information into Log File.
Attackers exploiting this vulnerability can access fragments of heap memory—potentially exposing passwords, encryption keys, or other sensitive data.
Unlike remote exploits, this requires physical access, making it a targeted threat for organizations with lax physical security protocols.
The vulnerability is part of a broader set of NTFS flaws patched in March 2025, including three others (CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985) that involve malicious virtual hard disks (VHDs).
However, CVE-2025-24984 stands out due to its reliance on USB-based physical attacks.
Rapid7 researchers noted that successful exploitation could allow attackers to “comb through log files for privileged information,” turning minor memory leaks into valuable intel.
Mitigation and Urgency for Patching
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24984 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply fixes by April 1, 2025.
Microsoft recommends:
- Immediate installation of the March 2025 Patch Tuesday updates.
- Restricting USB access for untrusted devices to prevent physical exploitation.
- Monitoring log files for unusual activity, particularly in high-security environments.
For organizations using cloud services, adherence to CISA’s Binding Operational Directive (BOD) 22-01 is critical to ensure compliance with federal mitigation guidelines.
Tenable emphasized that while the CVSS score appears moderate, the real-world risk escalates when combined with privilege escalation exploits.
Microsoft has not disclosed the scale of active attacks but confirmed that “functional exploit code” exists in the wild.
As physical attack vectors remain a persistent threat, this patch underscores the need for layered defense strategies combining software updates with hardware access controls.
Also Read:
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=Microsoft's March 2025 Patch Tuesday update addressed a critical NTFS information disclosure vulnerability actively exploited by attackers.){kind=link}