%20(1).webp?w=1600&resize=1600,900&ssl=1)
Microsoft and cybersecurity agencies are urging immediate action to address a critical vulnerability in Windows NTFS (CVE-2025-24991) that enables attackers to extract sensitive data from systems.
The flaw, an out-of-bounds read (CWE-125), allows attackers to trick users into mounting malicious virtual hard disks (VHDs), exposing kernel memory contents like cryptographic keys or cached credentials.
With a CVSSv3 score of 5.5, this vulnerability is confirmed to be actively exploited in the wild.
Critical NTFS Vulnerability Exposes Sensitive Data
The vulnerability resides in how NTFS handles metadata parsing, failing to properly validate memory boundaries when processing specially crafted VHD files.
Attackers can exploit this by distributing malicious VHDs via phishing campaigns or compromised websites.
Once mounted, the VHD triggers an out-of-bounds read error, allowing unauthorized access to kernel memory.
Notably, this flaw is part of a broader set of NTFS vulnerabilities patched in Microsoft’s March 2025 Patch Tuesday, which included six zero-day exploits actively leveraged by threat actors.
While CVE-2025-24991 focuses on data leakage, related flaws like CVE-2025-24993 enable full remote code execution (RCE), heightening risks of system compromise.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches by April 1, 2025.
Mitigation Strategies and Urgent Patching Requirements
Microsoft and CISA recommend the following actions to mitigate risks:
- Apply Updates Immediately: Install March 2025 Patch Tuesday updates to address CVE-2025-24991 and related NTFS vulnerabilities.
- Restrict VHD Usage: Educate users to avoid mounting untrusted VHD files, as exploitation requires local interaction.
- Cloud Security Alignment: Follow CISA’s Binding Operational Directive (BOD) 22-01 for cloud environments to ensure configurations block malicious file execution.
- Monitor for Exploitation: Deploy endpoint detection tools to identify suspicious VHD-related activity.
While there’s no confirmed link to ransomware campaigns yet, the vulnerability’s exploitation in tandem with RCE flaws like CVE-2025-24993 could enable devastating attacks.
Organizations unable to patch immediately should consider temporarily disabling NTFS-dependent services or isolating critical systems.
Also Read:
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Windows NTFS Local Code Execution Vulnerability Exploited in the Wild – CISA")
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Fast FAT Vulnerability in Microsoft Windows Exploited in the Wild – CISA")
%20(1).webp?w=1200&resize=1200,0&ssl=1 "CISA Issues Alert on Windows NTFS Vulnerability Exploits in Data Theft")
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=Microsoft%20and%20cybersecurity%20agencies%20are%20urging%20immediate%20action%20to%20address%20a%20critical%20vulnerability%20in%20Windows%20NTFS%20that%20enables%20attackers.){kind=link}