CVE-2025-24984
ntfs.sys — information disclosure via sensitive data in log files
Exploited in the Wild
Actively exploited zero-day. Patched alongside CVE-2025-24991 and CVE-2025-24993 in March 2025. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | ntfs.sys |
| Vulnerability Class | Information Disclosure |
| CVSS | 4.6 |
| Exploited ITW | Yes |
| Patch Date | March 11, 2025 |
Root Cause
The NTFS driver writes sensitive heap data into log files during certain file operations. An attacker with physical access can insert a crafted USB storage device containing a malicious NTFS volume that triggers the log file write, leaking kernel memory contents to a location readable from user mode.
Part of a trio of NTFS zero-days patched in March 2025 (alongside CVE-2025-24991 and CVE-2025-24993).
Exploitation
Exploitation requires physical access. The attacker mounts a crafted NTFS volume (via USB or VHD) that triggers the log file write path. Sensitive kernel data lands in the log file and can be read back from user mode, giving the attacker a KASLR bypass or a credential-harvesting primitive.
Exploitation Primitive
Crafted NTFS volume mount → log file write path
→ kernel heap data written to log → information disclosure