CVE-2025-24984
ntfs.sys -- information disclosure via sensitive data in log files
Exploited in the Wild
Actively exploited zero-day. Patched alongside CVE-2025-24991 and CVE-2025-24993 in March 2025. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | ntfs.sys |
| Vulnerability Class | Information Disclosure |
| CVSS | 4.6 |
| Exploited ITW | Yes |
| Patch Date | March 11, 2025 |
Root Cause
March 2025 brought a trio of NTFS zero-days, each targeting a different aspect of the filesystem driver's handling of crafted volumes. CVE-2025-24984 is the most unusual of the three: rather than a memory corruption bug, it is an information disclosure where the NTFS driver inadvertently writes sensitive kernel heap data into log files.
The vulnerability triggers during certain file operations on a crafted NTFS volume. When the NTFS driver processes metadata from such a volume, it writes heap contents, which may include kernel addresses, fragments of other processes' data, or security tokens, into a log file. The log file is readable from user mode, allowing an attacker to harvest the leaked data.
The attack vector requires physical access: the attacker must get the target to mount a malicious NTFS volume, either by inserting a crafted USB storage device or by tricking the user into mounting a VHD file. The CVSS score of 4.6 reflects the physical access requirement, but in targeted attack scenarios (evil maid, supply chain), this constraint is often satisfiable.
This vulnerability was patched alongside CVE-2025-24991 (OOB read) and CVE-2025-24993 (heap overflow), all sharing the same attack vector of crafted NTFS volumes.
Exploitation
The attacker prepares a USB device (or VHD file) containing a carefully crafted NTFS volume. The volume's metadata is structured to trigger the specific code path where the NTFS driver writes heap data to a log file.
When the victim inserts the USB device or mounts the VHD, the NTFS driver parses the malicious metadata and writes kernel heap contents to the log. The attacker then reads the log file from user mode to extract sensitive information.
The leaked data is most valuable as a KASLR bypass: kernel base addresses revealed in the log eliminate address space randomization, enabling reliable exploitation of separate memory corruption bugs. In some cases, the heap leak could also expose credential material or other sensitive process data.
Exploitation Primitive
```text
Crafted NTFS volume (USB or VHD) mounted by victim
  --> NTFS driver processes malicious metadata
  --> kernel heap data written to user-readable log file
  --> KASLR bypass or credential harvesting
```
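Because every step of that chain starts with the kernel driver parsing an untrusted volume, a defender's cheapest control is to triage a VHD or USB image before it is ever mounted. The following is an added example (not code from this advisory, from Microsoft, or from the NTFS driver) that decodes the fixed-offset BIOS Parameter Block fields of an NTFS boot sector and refuses images whose geometry is internally inconsistent; `make_boot_sector` constructs sample input, and the acceptance thresholds are assumptions about sane volumes, not the exact conditions that trigger CVE-2025-24984.

```python
import struct
from collections import namedtuple

OEM_ID = b"NTFS    "  # bytes 3..10 of every NTFS boot sector
# spc: raw sectors-per-cluster byte (values above 0x80 encode 2**(256 - value)); cpr: signed clusters-per-MFT-record byte (negative n = 2**(-n) byte record)
NtfsBoot = namedtuple("NtfsBoot", "bps spc total mft mirror cpr")

def parse_boot_sector(sector: bytes) -> NtfsBoot:
    """Decode the fixed-offset BPB fields; raises ValueError if this is not an NTFS boot sector."""
    if len(sector) < 512 or sector[3:11] != OEM_ID or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a complete NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft, mirror = struct.unpack_from("<QQQ", sector, 0x28)
    (cpr,) = struct.unpack_from("<b", sector, 0x40)
    return NtfsBoot(bps, spc, total, mft, mirror, cpr)

def sanity_problems(sector: bytes, image_size: int) -> list[str]:
    """Reasons to refuse mounting an untrusted image; an empty list means the geometry is consistent."""
    try:
        b = parse_boot_sector(sector)
    except ValueError as e:
        return [str(e)]
    problems = []
    if b.bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes/sector {b.bps} is not a supported size")
    spc = (1 << (256 - b.spc)) if b.spc > 0x80 else b.spc
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors/cluster byte {b.spc:#x} is not a power of two")
    if b.total == 0 or (b.total + 1) * b.bps > image_size:  # +1: backup boot sector
        problems.append("total sectors do not fit inside the image")
    if problems:  # geometry is unusable, so the derived checks below would be meaningless
        return problems
    cluster_bytes = b.bps * spc
    clusters = b.total * b.bps // cluster_bytes
    for name, lcn in (("MFT", b.mft), ("MFT mirror", b.mirror)):
        if lcn >= clusters:
            problems.append(f"{name} cluster {lcn} lies beyond the {clusters}-cluster volume")
    record_bytes = (1 << -b.cpr) if b.cpr < 0 else b.cpr * cluster_bytes
    if not 1024 <= record_bytes <= 4096:
        problems.append(f"MFT record size {record_bytes} is outside the expected 1-4 KiB")
    return problems

def make_boot_sector(bps=512, spc=8, total=2047, mft=4, mirror=127, cpr=-10) -> bytes:
    """Constructed sample boot sector for exercising the checks (not from any real or malicious volume)."""
    s = bytearray(512)
    s[0:3], s[3:11], s[0x15] = b"\xeb\x52\x90", OEM_ID, 0xF8
    struct.pack_into("<HB", s, 0x0B, bps, spc)
    struct.pack_into("<QQQ", s, 0x28, total, mft, mirror)
    struct.pack_into("<b", s, 0x40, cpr)
    s[510:512] = b"\x55\xaa"
    return bytes(s)
```

On a real image, pass its first 512 bytes and its file size; any non-empty list is a reason to keep the volume away from the kernel driver and hand it to an offline parser instead.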
Broader Significance
CVE-2025-24984 is notable because it turns a filesystem driver's own logging mechanism into an information disclosure channel. The NTFS driver's log files were meant for debugging and recovery, not as a side channel for leaking kernel memory. When combined with the two companion NTFS zero-days from the same patch cycle, the picture is clear: crafted filesystem volumes are a potent attack vector because they trigger complex parsing paths in kernel code that runs with full privileges. The physical access requirement limits the bug's utility in remote attacks, but in targeted scenarios involving physical presence, it provides exactly the information an attacker needs to chain with a memory corruption exploit.