CVE-2025-24993

NTFS — MFT metadata heap buffer overflow via crafted VHD allows RCE

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field Value
Driver ntfs.sys
Vulnerability Class Buffer Overflow / Bounds Check
Vulnerable Build 10.0.22621.4830 (KB5050021)
Fixed Build 10.0.22621.4890 (KB5051987)
Exploited ITW Yes

Affected Functions

  • NtfsReadMftRecord
  • NtfsReadFileRecord

Root Cause

AutoPiff classifies the root cause as bounds_check; the following detection rules fired on the pre-patch vs. post-patch diff of ntfs.sys:

  • added_len_check_before_memcpy
  • added_struct_size_validation

Exploitation

Patch Analysis

Detection

YARA Rule

rule CVE_2025_24993_NTFS {
    meta:
        description = "Detects vulnerable version of ntfs.sys (pre-patch) via its version resource"
        cve = "CVE-2025-24993"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "ntfs.sys" wide ascii nocase
        // Key of the VS_VERSIONINFO resource; resource strings are UTF-16 in PE files
        $internal_name = "InternalName" wide
        // FileVersion of the vulnerable build as it appears in the version resource
        $vuln_version = "10.0.22621.4830" wide ascii
    condition:
        // Internal routine names (NtfsReadMftRecord, NtfsReadFileRecord) are symbol names,
        // not strings in the shipped driver, so matching on them would never fire; YARA also
        // refuses to compile a rule whose strings are declared but unreferenced in the condition.
        $mz at 0 and $driver_name and $internal_name and $vuln_version
}

rule CVE_2025_24993_VHD_Artifact {
    meta:
        description = "Detects VHD/VHDX file carrying an NTFS volume (candidate for crafted MFT records; noisy, triage on size and origin)"
        cve = "CVE-2025-24993"
        author = "KernelSight"
        severity = "medium"
    strings:
        $vhdx_magic = "vhdxfile" ascii           // VHDX file type identifier, always at offset 0
        $vhd_magic = "conectix" ascii            // VHD footer cookie: last 512 bytes of every VHD, mirrored at offset 0 only for dynamic/differencing disks
        $ntfs_sig = { 4E 54 46 53 20 20 20 20 } // "NTFS    " OEM ID at offset 3 of the volume boot sector
    condition:
        // A fixed-size VHD has no header copy at offset 0, so also test the footer position
        ($vhdx_magic at 0 or $vhd_magic at 0 or $vhd_magic at (filesize - 512)) and $ntfs_sig
}

ETW Indicators

Provider | Event / Signal | Relevance
Microsoft-Windows-Storage | VHD mount events | Detects the initial attack vector: mounting a crafted VHD containing the malicious NTFS volume. The VHDMP Operational log (Microsoft-Windows-VHDMP provider) records virtual-disk attach and detach as well.
Microsoft-Windows-Ntfs | MFT read errors / metadata corruption events | Captures anomalous MFT record processing that triggers the heap overflow. In the classic System log the same signal is an Ntfs event 55 (file system structure corrupt) on a volume that was attached moments earlier.
Microsoft-Windows-Kernel-Audit | Privilege escalation events | Identifies privilege changes resulting from successful exploitation
Microsoft-Windows-Security-Auditing | Event 4688 (process creation) | Detects suspicious process spawns following VHD mount and exploitation. Requires the Audit Process Creation subcategory to be enabled; enable command-line logging as well, or the event carries little to pivot on.

Behavioral Indicators

  • A user-mode process mounting a VHD/VHDX file via VirtDisk APIs (OpenVirtualDisk / AttachVirtualDisk) followed by immediate NTFS metadata parsing errors in the kernel
  • Kernel pool (NonPagedPoolNx) buffer overflow during NtfsReadMftRecord processing, observable as pool-corruption bugchecks (e.g. BAD_POOL_HEADER, 0x19) when the corruption is uncontrolled, or as silent overwrites of adjacent allocations when it is
  • Crafted MFT FILE records whose attribute length or resident value length fields exceed the record's bytes-in-use / allocation size (1024 bytes per record by default), so that a memcpy sized from those on-disk fields writes beyond the destination buffer; the patch adds exactly these length and structure-size checks
  • Anomalous sequence of VHD mount followed by rapid privilege escalation of the mounting process to SYSTEM
  • VHD files arriving via email, web download, or removable media with unusually small file sizes but valid NTFS formatting (indicating hand-crafted filesystem metadata)
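The root-cause rules above (added_len_check_before_memcpy, added_struct_size_validation) and the crafted-FILE-record indicator describe the same defect from two sides. The following added example, written for this page and not taken from AutoPiff, KernelSight or ntfs.sys, makes it concrete: it builds a minimal 1 KiB NTFS FILE record in memory (a constructed sample, not data from a real volume), shows a copy routine that trusts the on-disk attribute and value lengths, and contrasts it with one that validates every length against the record's own bytes-in-use and allocation before the memcpy. The field offsets are the documented on-disk FILE record and attribute header layout; the function names, status codes and the 256-byte destination buffer are assumptions of the example.

```c
/* mft_record_check.c: hypothetical example, not ntfs.sys logic. Update-sequence
 * fixups are not applied; the sample record keeps its USA bytes zero. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MFT_RECORD_SIZE 1024u      /* record size on current NTFS volumes */
#define ATTR_END        0xFFFFFFFFu
#define ATTR_STD_INFO   0x10u      /* $STANDARD_INFORMATION */
#define FILE_HDR_MIN    0x30u      /* header fields through the record number */
#define ATTR_HDR_MIN    0x10u      /* common attribute header */
#define ATTR_RES_MIN    0x18u      /* resident header incl. value length/offset */

enum ntfs_status { NTFS_OK = 0, NTFS_BAD_MAGIC, NTFS_BAD_RECORD_SIZE, NTFS_BAD_ATTR_OFFSET,
                   NTFS_BAD_ATTR_LENGTH, NTFS_BAD_VALUE, NTFS_NOT_FOUND, NTFS_DEST_TOO_SMALL };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Hardened walk: bytes_in_use is checked against the allocation, and every attribute
 * length and resident value length is checked against bytes_in_use before use. This is
 * the class of check the patch adds (length check before memcpy, struct size validation). */
enum ntfs_status validate_file_record(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < FILE_HDR_MIN || memcmp(rec, "FILE", 4) != 0) return NTFS_BAD_MAGIC;
    uint32_t in_use = rd32(rec + 0x18), allocated = rd32(rec + 0x1C);
    uint16_t first = rd16(rec + 0x14);
    if (allocated > rec_len || in_use > allocated || in_use < FILE_HDR_MIN) return NTFS_BAD_RECORD_SIZE;
    if (first < FILE_HDR_MIN || (first & 7) || first >= in_use) return NTFS_BAD_ATTR_OFFSET;
    for (size_t off = first;;) {
        if (in_use - off < 4) return NTFS_BAD_ATTR_LENGTH;            /* room for type / end marker */
        if (rd32(rec + off) == ATTR_END) return NTFS_OK;
        if (in_use - off < ATTR_HDR_MIN) return NTFS_BAD_ATTR_LENGTH;
        uint32_t len = rd32(rec + off + 4);
        if (len < ATTR_HDR_MIN || (len & 7) || len > in_use - off) return NTFS_BAD_ATTR_LENGTH;
        if (rec[off + 8] == 0) {                                        /* resident attribute */
            if (len < ATTR_RES_MIN) return NTFS_BAD_ATTR_LENGTH;
            uint32_t vlen = rd32(rec + off + 0x10);
            uint16_t voff = rd16(rec + off + 0x14);
            if (voff < ATTR_RES_MIN || voff > len || vlen > len - voff) return NTFS_BAD_VALUE;
        }
        off += len;
    }
}

/* Vulnerable pattern: the attribute walk steps by the unchecked length field and the
 * memcpy is sized by the unchecked value length; a crafted record overflows `out`. */
uint32_t vuln_copy_value(const uint8_t *rec, uint32_t want, uint8_t *out)
{
    for (size_t off = rd16(rec + 0x14); rd32(rec + off) != ATTR_END; off += rd32(rec + off + 4)) {
        if (rd32(rec + off) == want && rec[off + 8] == 0) {
            uint32_t vlen = rd32(rec + off + 0x10);
            memcpy(out, rec + off + rd16(rec + off + 0x14), vlen);    /* no bound on vlen */
            return vlen;
        }
    }
    return 0;
}

/* Hardened form: validate the whole record, then bound the copy by the destination too. */
enum ntfs_status safe_copy_value(const uint8_t *rec, size_t rec_len, uint32_t want,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    enum ntfs_status st = validate_file_record(rec, rec_len);
    if (st != NTFS_OK) return st;
    for (size_t off = rd16(rec + 0x14); rd32(rec + off) != ATTR_END; off += rd32(rec + off + 4)) {
        if (rd32(rec + off) == want && rec[off + 8] == 0) {            /* bounds proven above */
            uint32_t vlen = rd32(rec + off + 0x10);
            if (vlen > out_cap) return NTFS_DEST_TOO_SMALL;
            memcpy(out, rec + off + rd16(rec + off + 0x14), vlen);
            *out_len = vlen;
            return NTFS_OK;
        }
    }
    return NTFS_NOT_FOUND;
}

/* Constructed sample: one resident $STANDARD_INFORMATION attribute, then the end marker.
 * attr_len / value_len are parameters so the same layout is benign (0x48 / 0x30) or
 * crafted (length fields far beyond the 1 KiB record while bytes_in_use stays sane). */
void build_record(uint8_t *rec, uint32_t attr_len, uint32_t value_len)
{
    const size_t a = 0x38, end = a + ATTR_RES_MIN + 0x30;             /* benign geometry ends at 0x80 */
    memset(rec, 0, MFT_RECORD_SIZE);
    memcpy(rec, "FILE", 4);
    wr16(rec + 0x04, 0x30); wr16(rec + 0x06, 3);                        /* USA offset / count */
    wr16(rec + 0x10, 1);    wr16(rec + 0x12, 1);                        /* sequence no., hard links */
    wr16(rec + 0x14, (uint16_t)a); wr16(rec + 0x16, 1);                 /* first attr, IN_USE flag */
    wr32(rec + 0x18, (uint32_t)(end + 8)); wr32(rec + 0x1C, MFT_RECORD_SIZE); /* in use / allocated */
    wr32(rec + a, ATTR_STD_INFO);  wr32(rec + a + 0x04, attr_len);     /* type, attribute length */
    rec[a + 0x08] = 0;             wr32(rec + a + 0x10, value_len);    /* resident, value length */
    wr16(rec + a + 0x14, ATTR_RES_MIN); memset(rec + a + ATTR_RES_MIN, 0xA5, 0x30); /* value body */
    wr32(rec + end, ATTR_END);
}

static void make(uint8_t *rec, int crafted)   /* 0 = benign, 1 = crafted */
{ build_record(rec, crafted ? 0x10000u : 0x48u, crafted ? 0x10000u - ATTR_RES_MIN : 0x30u); }
int demo_validate(int crafted) { uint8_t rec[MFT_RECORD_SIZE]; make(rec, crafted); return validate_file_record(rec, sizeof rec); }
long demo_safe_copy(int crafted)              /* bytes copied, or negative status */
{
    uint8_t rec[MFT_RECORD_SIZE], out[256]; size_t n = 0; make(rec, crafted);
    enum ntfs_status st = safe_copy_value(rec, sizeof rec, ATTR_STD_INFO, out, sizeof out, &n);
    return st == NTFS_OK ? (long)n : -(long)st;
}
uint32_t demo_vuln_copy_benign(void) { uint8_t rec[MFT_RECORD_SIZE], out[256]; make(rec, 0); return vuln_copy_value(rec, ATTR_STD_INFO, out); }
/* Length the unchecked code would pass to memcpy for the crafted record (never executed here). */
uint32_t demo_crafted_claimed_len(void) { uint8_t rec[MFT_RECORD_SIZE]; make(rec, 1); return rd32(rec + 0x38 + 0x10); }

int main(void)
{
    printf("benign : validate=%d safe_copy=%ld vuln_copy=%u\n", demo_validate(0), demo_safe_copy(0), (unsigned)demo_vuln_copy_benign());
    printf("crafted: validate=%d safe_copy=%ld; unchecked memcpy would write %u bytes into a 256-byte buffer\n",
           demo_validate(1), demo_safe_copy(1), (unsigned)demo_crafted_claimed_len());
    return 0;
}
```

The crafted record is rejected at the attribute-length check before any copy, and the hardened copy additionally refuses a value larger than its destination, so both of the patch's rule categories are represented; the vulnerable routine is only ever run on the benign record here, since on the crafted one it would write tens of kilobytes past a 256-byte buffer.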

References