Sensitive Information Disclosure in Windows NTFS by Microsoft
CVE-2025-24984

4.6MEDIUM

Key Information:

Vendor

Microsoft
Status
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (server Core Installation)
Windows Server 2022
Vendor
CVE Published:
11 March 2025

Badges

👾 Exploit Exists🟣 EPSS 19%🦅 CISA Reported📰 News Worthy

What is CVE-2025-24984?

The vulnerability in Windows NTFS enables attackers to gain unauthorized access to sensitive information by exploiting an issue that allows the insertion of confidential data into log files. This could potentially be leveraged in scenarios where a physical attack occurs, leading to the exposure of sensitive information.

CISA has reported CVE-2025-24984

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-24984 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Windows 10 Version 1507 32-bit Systems 10.0.10240.0 < 10.0.10240.20947

Windows 10 Version 1607 32-bit Systems 10.0.14393.0 < 10.0.14393.7876

Windows 10 Version 1809 32-bit Systems 10.0.17763.0 < 10.0.17763.7009

News Articles

favicon imageCISA (.gov)

CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation

favicon imageCyberScoop

Microsoft patches 57 vulnerabilities, including 6 zero-days

More than three-quarters of the vulnerabilities covered in the vendor’s monthly Patch Tuesday update are high-severity flaws.

favicon imageThe Stack

Windows kernel bug exploited in the wild for two years

A Windows kernel vulnerability patched today by Microsoft has been actively exploited in the wild for two years, claims security firm ESET.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...
vendor-advisory

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • đź‘ľ

    Exploit known to exist

  • 🦅

    CISA Reported

  • đź“°

    First article discovered by Zero Day Initiative

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-24984 : Sensitive Information Disclosure in Windows NTFS by Microsoft