Microsoft Windows NTFS, heap-based buffer overflow remote code execution

Overview

CVE-2025-24993 is a heap-based buffer overflow (CWE-122) in the Windows NTFS file-system driver. The driver mishandles bounds when parsing on-disk NTFS metadata, and an oversized or malformed structure causes a write past the end of a heap allocation. Because the corrupted data sits in kernel-adjacent file-system memory, a successful overwrite can be steered into arbitrary code execution in the security context of the parsing process. Microsoft rated the issue Important with a CVSS 3.1 base score of 7.8 and confirmed it was exploited as a zero-day before patches shipped. CISA added it to the Known Exploited Vulnerabilities catalog on 11 March 2025 with a remediation due date of 1 April 2025.

The vulnerability was disclosed and patched in the March 2025 Patch Tuesday release, one of multiple NTFS and file-system zero-days that month. The same VHD-mounting attack surface was shared with related CVEs fixed in the same cycle.

Technical Details

NTFS volumes can be packaged inside a Virtual Hard Disk (VHD/VHDX) file. When a user opens or mounts such an image, the NTFS driver reads and trusts the file-system structures it contains. CVE-2025-24993 lives in this parsing path: a crafted volume contains length or offset fields that exceed the size of the heap buffer the driver allocated to hold them, and the driver copies attacker-controlled bytes past the allocation boundary.

The CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H captures the exploitation model precisely. The attack vector is local (AV:L) and no prior privileges are required (PR:N), but user interaction is required (UI:R): the victim must mount or open the malicious VHD. The most common delivery is social engineering, an email attachment, a download, or a file on removable media that the user is enticed to double-click. Once the corrupted allocation is reclaimed and reused, the attacker can achieve high-integrity code execution (C:H/I:H/A:H), making this a true remote-code-execution primitive despite the local attack vector.

Impact

• Arbitrary code execution in the context of the file-system parsing operation, with full confidentiality, integrity, and availability loss on the target host.
• A practical infection vector for malware delivered via crafted VHD/VHDX files, sidestepping some download and email defenses that do not inspect mounted disk images.
• Confirmed in-the-wild exploitation as a zero-day, raising the risk profile well above a theoretical memory-corruption bug.
• Broad exposure across the entire supported Windows client and server fleet, including legacy Server editions under Extended Security Updates.

Mitigation

1. Apply the March 2025 (or any later) cumulative security update for every affected build. Confirmed packages include KB5053598 for Windows 11 version 24H2 and Windows Server 2025, KB5053602 for Windows 11 versions 23H2 and 22H2, and KB5053606 for Windows 10 version 22H2 / 21H2.
2. For Windows Server 2016, Server 2019, Server 2022, and the 23H2 server release, install the corresponding March 2025 monthly rollup or cumulative update listed in the MSRC Security Updates table for CVE-2025-24993; for Server 2012/2012 R2 and 2008/2008 R2, apply the relevant Extended Security Update package.
3. Verify the installed build after patching (for example Windows 11 24H2 reports build 26100.3476 or later once KB5053598 is applied) and reboot to complete servicing.
4. Until every endpoint is patched, restrict mounting of untrusted VHD/VHDX files: block the .vhd and .vhdx file types at the mail gateway and web proxy, and educate users not to open disk images from unknown sources.
5. Where business need permits, deny non-administrators the ability to mount virtual disks via Group Policy or by removing the relevant privilege so a tricked standard user cannot trigger the parser.

Detection

Detection focuses on the VHD-mounting trigger and on post-exploitation behaviour, because the memory-corruption event itself leaves few direct artifacts. Start by alerting on virtual-disk mount activity from unusual contexts. Windows logs disk attach operations and the VHDMP driver activity; monitor for ImageMounted or PnP device-arrival events that correspond to a .vhd or .vhdx file launched from a browser download folder, an email attachment cache, a temp directory, or removable media. A standard user mounting a disk image immediately after receiving a file is a high-value signal.

In EDR telemetry, hunt for file-write events that create .vhd or .vhdx files in user-writable paths, followed shortly by a mount and then anomalous child processes. Because successful exploitation yields code execution, the durable indicators are the second-stage behaviours: an unexpected process spawning from a system or file-system context, suspicious DLL loads, new service or scheduled-task creation, or LSASS access. Map these to ATT&CK techniques T1203 (exploitation for client execution) and the relevant privilege and persistence techniques that follow.

Windows Error Reporting and crash telemetry are useful for catching failed or unstable exploit attempts: repeated ntfs.sys or kernel bugchecks (Stop 0x24 NTFS_FILE_SYSTEM, or general pool-corruption bugchecks) clustered around disk-image activity warrant investigation. Enable and forward kernel-mode crash dumps so analysts can confirm whether a bugcheck originated in NTFS parsing.

Network and gateway controls add coverage: log downloads of disk-image file types, and have IDS/IPS signatures for malformed NTFS structures where available (Fortinet, for example, published a dedicated IPS signature for this CVE). Finally, run authenticated vulnerability scans (Tenable, Rapid7, Qualys all ship plugins keyed to KB5053598 and siblings) to confirm patch coverage across the estate, and prioritise any host that is both unpatched and exposed to untrusted file inflows. Correlating mount events, file provenance, crash signatures, and scanner output gives reliable coverage even though the overflow leaves no clean log of its own.