CISA has added six Microsoft Windows vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Three of them, CVE-2025-24984, CVE-2025-24991 and CVE-2025-24993, are flaws in the New Technology File System (NTFS); this article also covers CVE-2021-31956, an older NTFS privilege-escalation bug that was already in the catalog.
Together these weaknesses let attackers disclose sensitive information, execute arbitrary code, or escalate privileges on affected hosts, a significant risk for both government and private networks.
The three 2025 CVEs were fixed in Microsoft's March 2025 Patch Tuesday release, published on 11 March 2025; CVE-2021-31956 was fixed in June 2021.
Summary of Windows NTFS Vulnerabilities
CVE-2025-24984: NTFS Information Disclosure Vulnerability
This vulnerability (CVSS 4.6, CWE-532: Insertion of Sensitive Information into Log File) requires physical access: an attacker who can plug a crafted USB drive into the target can cause NTFS to write portions of heap memory into a log file and then read them back.
Whatever happens to be in that heap memory at the time, which can include credentials or system configuration data, is exposed; the low score reflects the physical-access requirement, not the sensitivity of what can leak.
CVE-2025-24991: NTFS Out-of-Bounds Read Vulnerability
Rated CVSS 5.5, this out-of-bounds read (CWE-125) is triggered locally by mounting a specially crafted Virtual Hard Disk (VHD); the attacker must persuade a local user to mount the image.
A successful exploit lets the attacker read small portions of heap memory, which may expose file-system metadata or other kernel data that is useful when building a follow-on exploit.
Microsoft credited an anonymous reporter for the disclosure and confirmed that the flaw has been exploited in limited, targeted attacks.
CVE-2025-24993: NTFS Heap-Based Buffer Overflow
Rated CVSS 7.8, this heap-based buffer overflow (CWE-122) lets a local attacker execute arbitrary code after tricking a user into mounting a malicious VHD.
Because the overflow corrupts memory inside the kernel-mode NTFS driver, successful exploitation can give the attacker SYSTEM-level control, a natural stepping stone to ransomware deployment.
CISA added it to the catalog on the strength of observed in-the-wild exploitation.
CVE-2021-31956: NTFS Privilege Escalation Vulnerability
CVE-2021-31956 is a heap-based buffer overflow in the NtfsQueryEaUserEaList function of ntfs.sys, the Windows NTFS driver.
The bug sits in the processing of Extended Attributes (EAs): the bounds check that decides whether the next EA record fits in the caller-supplied output buffer does unsigned arithmetic on user-controlled sizes, so the subtraction can underflow and the check passes exactly when it should fail.
A local attacker who triggers the underflow from a specially crafted application can overflow the kernel heap and escalate privileges.
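To make the arithmetic concrete, the following C model is an added example written for this article, not code from ntfs.sys, from Microsoft's patch, or from any public exploit. It reproduces the bounds-check failure as it has been described in public analyses: a list of EA records is walked, the 4-byte alignment padding between records is computed, and the driver checks whether the next record fits in what remains of the caller's buffer. The record layout, the helper names, the sample EA list and the attacker-chosen buffer length are all constructed for the illustration; the hardened check is one correct form, not a claim about the exact wording of Microsoft's fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the FILE_FULL_EA_INFORMATION record that
 * NtQueryEaFile / NtfsQueryEaUserEaList writes into the caller's buffer.
 * This is an added illustration, not code from ntfs.sys. */
typedef struct {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;
    uint16_t ea_value_length;
    /* followed in memory by EaName[ea_name_length + 1] and EaValue[ea_value_length] */
} ea_record_t;

/* Bytes one record occupies in the output buffer: 8-byte header, name, NUL, value. */
static uint32_t ea_block_size(const ea_record_t *ea) {
    return 8u + ea->ea_name_length + 1u + ea->ea_value_length;
}

/* Consecutive records are 4-byte aligned; this is the gap after a record. */
static uint32_t alignment_padding(uint32_t prev_block_size) {
    return (4u - (prev_block_size % 4u)) % 4u;
}

typedef bool (*fits_fn)(uint32_t block_size, uint32_t remaining, uint32_t padding);

/* Vulnerable check, modelled on the pre-patch logic: every operand is
 * unsigned, so when remaining < padding the subtraction wraps to ~4 GiB
 * and a record that cannot possibly fit is accepted. */
bool vulnerable_record_fits(uint32_t block_size, uint32_t remaining, uint32_t padding) {
    return block_size <= remaining - padding;
}

/* Hardened check (one correct form; not a claim about Microsoft's exact patch):
 * establish that the padding itself fits before subtracting it. */
bool fixed_record_fits(uint32_t block_size, uint32_t remaining, uint32_t padding) {
    if (remaining < padding)
        return false;
    return block_size <= remaining - padding;
}

/* Walk an EA list and return how many bytes the copy loop would write into an
 * output buffer of out_buf_length bytes.  Nothing is copied; only the cursor is
 * tracked, so a result larger than out_buf_length is the heap overflow. */
size_t simulate_copy(const ea_record_t *eas, size_t count, uint32_t out_buf_length, fits_fn fits) {
    size_t written = 0;
    uint32_t remaining = out_buf_length;
    uint32_t padding = 0;

    for (size_t i = 0; i < count; i++) {
        uint32_t bs = ea_block_size(&eas[i]);
        if (!fits(bs, remaining, padding))
            break;                      /* record does not fit: stop, as the driver does */
        written   += padding + bs;
        remaining -= padding + bs;      /* wraps on the vulnerable path, like the original */
        padding    = alignment_padding(bs);
    }
    return written;
}

/* Constructed sample: two EAs with a 1-byte name and no value, 10 bytes each,
 * so 2 bytes of alignment padding are needed between them. */
const ea_record_t kSampleEas[2] = {
    { 0, 0, 1, 0 },
    { 0, 0, 1, 0 },
};

/* Attacker-chosen output buffer length: the first record (10 bytes) fits,
 * leaving 1 byte, which is less than the 2 bytes of padding the second
 * record needs. */
#define ATTACKER_BUF_LEN 11u

int main(void) {
    size_t vuln  = simulate_copy(kSampleEas, 2, ATTACKER_BUF_LEN, vulnerable_record_fits);
    size_t fixed = simulate_copy(kSampleEas, 2, ATTACKER_BUF_LEN, fixed_record_fits);
    printf("buffer %u bytes: vulnerable path writes %zu bytes, fixed path writes %zu bytes\n",
           ATTACKER_BUF_LEN, vuln, fixed);
    return 0;
}
```

Built with any C99 compiler, the program reports that the vulnerable check lets 22 bytes through an 11-byte buffer, while the hardened check stops after the first record. The lesson generalizes past this CVE: any test of the form `a <= len - b` on unsigned operands needs `len >= b` established first, otherwise the comparison silently inverts on the boundary the attacker controls.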
Attack Methodology and Observed Exploitation Patterns
Adversaries can chain these vulnerabilities to work their way through a network. An illustrative chain:
Initial Access: a phishing campaign delivers a VHD file disguised as a legitimate document, and the victim mounts it.
Information Disclosure: CVE-2025-24984 or CVE-2025-24991 leaks heap memory contents, which can expose credentials or kernel data that makes a follow-on memory-corruption exploit more reliable.
Privilege Escalation: CVE-2025-24993 or CVE-2021-31956 yields SYSTEM-level control, which is then used for persistence or ransomware deployment.
Separately, researchers at Trend Micro documented over 600 organizations targeted via malicious Microsoft Management Console (.msc) files exploiting CVE-2025-26633, another flaw in the same KEV batch; like the NTFS bugs, it depends on a user opening an attacker-supplied file.
Strategies for Mitigation
Under Binding Operational Directive (BOD) 22-01, CISA requires federal civilian agencies to remediate these vulnerabilities by April 1, 2025. Recommended measures:
Patch Management: Deploy Microsoft's March 2025 Patch Tuesday updates immediately. The release fixes 57 vulnerabilities, including seven zero-days, six of which were already being exploited in the wild.
Network Segmentation: Isolate end-of-life systems, such as Windows Server 2008, that no longer receive file-system driver fixes.
User Training: Train staff to recognize phishing that delivers VHD/VHDX and MSC attachments, and consider blocking those file types at the mail gateway.
In the words of Jen Easterly, who led CISA until January 2025: “These vulnerabilities are not theoretical—they are actively being weaponized.”
Combined with a privilege-escalation bug such as CVE-2025-24983 (a Win32k use-after-free fixed in the same release), the NTFS flaws give an attacker a complete path from a user opening a file to full control of the host, so remediation should not wait.
With file-system vulnerabilities accounting for 23% of KEV entries, the March 2025 advisories are a stark reminder: patch, segment, and verify before attackers exploit the gaps.
The post CISA Warns of Windows NTFS Vulnerability Actively Exploited to Access Sensitive Data appeared first on Cyber Security News.