🟒 CVE-2025-24993

CVE-2025-24993 is a heap-based buffer overflow in Windows NTFS that allows local code execution with user interaction required. Despite being on CISA KEV, this is a LOCAL vulnerability (CVSS AV:L/UI:R) affecting the NTFS file system, not internet-facing services.

← Back to Overview
LOW_RISK
Risk Level
7.8
CVSS Score
LOCAL
Attack Vector
Privilege Escalation
ATT&CK Tactic
T1068 β€” Exploitation for Privilege Escalation
ATT&CK Technique
LOW
Deployment Risk
No
Ransomware

πŸ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-03-11

Added to CISA KEV: 2025-03-11 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-24993 is a heap-based buffer overflow vulnerability affecting the Windows NTFS driver, which was disclosed as part of Microsoft's March 2025 security updates [1] [5].

Below is a summary of the known details regarding this vulnerability:

Vulnerability Overview
  • Vulnerability Type: Heap-based buffer overflow (CWE-122) [1].
  • Root Cause: The vulnerability stems from improper bounds checking when the NTFS driver processes specific on-disk metadata [2]. Some reports also note an error related to accessing an object that has already been freed [4].
  • Severity: Rated as Important with a CVSS score of 7.8 [5].
Exploitation and Impact
  • Attack Method: Successful exploitation allows an attacker to achieve Remote Code Execution (RCE)?id=CVE-2025-24993?kagi_q=CVE-2025-24993. While some initial descriptions mentioned local execution, it is classified by Microsoft as an RCE vulnerability [1].
  • Requirements: As an RCE, it typically implies the potential for remote exploitation, though the specific conditions (such as user interaction or network proximity) are often detailed in the full Microsoft advisory for affected systems.
  • Impact: Successful exploitation provides the attacker with the ability to execute arbitrary code on the target system?id=CVE-2025-24993?kagi_q=CVE-2025-24993.
Exploitation Status and Availability
  • Active Exploitation: There is no widespread evidence in public reports indicating that this vulnerability was being actively exploited in the wild at the time of its disclosure in March 2025.
  • Threat Actor Usage: No specific threat actor campaigns or ransomware associations have been publicly attributed to this CVE.
  • Proof-of-Concept (PoC): Following the disclosure, researchers have shared information regarding PoC demonstrations [3].
Mitigation and Patch Status
  • Patch Status: This vulnerability was addressed in the March 2025 security updates [1].
  • Recommendation: Users and administrators should ensure their Windows systems are updated with the patches released by Microsoft in March 2025 to mitigate this risk.

Sources

  1. CVE-2025-24993 - Security Update Guide - Microsoft - Windows NTFS ...

    Released: Mar 11, 2025 Assigning CNA Microsoft CVE.org link CVE-2025-24993 Impact Remote Code Execution Max Severity Important Weakness CWE-122: Heap-based Buffer Overflow…

  2. CVE-2025-24993 - Heap-Based Buffer Overflow in Windows NTFS Explained ...

    What is CVE-2025-24993? NTFS is the default file system for Windows. It manages how files are stored, named, and accessed on the disk. The vulnerability is caused by improper bounds checking in the way the NTFS driver processes certain on-disk metadata.

  3. CVE-2025-24993: Windows NTFS Remote Code ... - LinkedIn

    Vulnerability PoC Demo Video If you need PoC code of that vulnerability, visit to https://patchpoint.io CVE-2025-24993 : Windows NTFS Remote ...

  4. MS.Windows.NTFS.CVE-2025-24993.Remote.Code.Execution

    The vulnerability is due to an error when the vulnerable software attempts to access an object that has been freed. A remote attacker may be ...

  5. Zero Day Initiative β€” The March 2025 Security Update Review - thezdi

    The March 2025 Security Update Review ; CVE-2025-24993, Windows NTFS Remote Code Execution Vulnerability, Important, 7.8, No ; CVE-2025-24983 ...

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

πŸ“„ Download JSON Data | πŸ“‘ RSS Feed