The Cybersecurity and Infrastructure Security Agency (CISA) has raised its cybersecurity alert status by adding six critical Microsoft Windows vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, with a special focus on four vulnerabilities impacting the New Technology File System (NTFS). This alert has sparked significant concerns within the cybersecurity community as these vulnerabilities allow attackers to access sensitive data, execute arbitrary code, or escalate privileges, posing substantial risks to both federal and private networks. The seriousness of this situation necessitates immediate attention and remedial action.
Newly Identified Vulnerabilities
Understanding CVE-2025-24984
One of the vulnerabilities, CVE-2025-24984, has been rated with a CVSS score of 4.6, signaling a moderate but serious risk. This particular flaw permits local attackers with physical access to a system to insert sensitive data into log files. As a result, it potentially exposes heap memory contents which can be exploited. Threat actors may use removable media, such as malicious USB drives, to extract crucial credentials or system configuration details, giving them an entry point for further attacks. The exposure of heap memory contents presents a distinct threat, as it may contain sensitive information that could be leveraged in broader network compromises.
The impact of this vulnerability was significant enough to be addressed in Microsoft’s Patch Tuesday of March 2025. While the initial risk might seem restricted by the need for physical access, the dangers escalate substantially when considering how widespread physical access to devices can be within large organizations. Additionally, the fact that this vulnerability can be exploited using USB drives makes it relatively easy for attackers to distribute the necessary tools to malicious insider operatives or unsuspecting victims.
Delving into CVE-2025-24991 and CVE-2025-24993
CVE-2025-24991, scoring 5.5 on the CVSS scale, allows unauthorized users to perform out-of-bounds reads by mounting specially crafted Virtual Hard Disks (VHDs). This flaw is particularly alarming as it enables attackers to bypass access controls and potentially exposes sensitive data, leading to data leaks. The combination of out-of-bounds reads and improperly secured VHDs means that attackers can jump past traditional security barriers, facilitating lateral movement within networks. This vulnerability has been exploited in targeted attacks, further underlining its potential impact on compromised systems and networks.
Even more concerning is CVE-2025-24993, which has a higher CVSS score of 7.8. This is a heap-based buffer overflow vulnerability, granting the attacker the ability to execute arbitrary code. Encouraging users to mount malicious VHDs has been a successful attack vector. The successful exploitation of this vulnerability can lead to significant privilege escalation, potentially up to SYSTEM-level access. This level of access is highly dangerous as it provides threat actors the ability to deploy ransomware and other malicious software with devastating effects. The exploitation of this vulnerability can thus yield catastrophic results for both federal and private networks.
Chain of Vulnerabilities
The Role of CVE-2021-31956
CVE-2021-31956 stems from a heap-based buffer overflow in the ntfs.sys driver, which arises from the processing of Extended Attributes (EAs) within NTFS. This flaw underscores the broader concern as it allows attackers to escalate privileges thanks to improper validation of user-supplied buffer sizes. The consequence is that specially crafted applications can exploit this vulnerability to gain unauthorized access and control over affected systems. The critical risk that CVE-2021-31956 represents has pushed it into the spotlight, being one of the prominent vulnerabilities that have been utilized in attack chains by malicious actors.
Attackers have been noted to chain these vulnerabilities together to conduct comprehensive network compromises. Initial access often occurs through social engineering campaigns, distributing VHD files disguised as legitimate documents. Once an attacker gains this initial access, they can exfiltrate data and escalate privileges, often leading to full network compromise. Extensive campaigns have been observed targeting organizations using malicious Microsoft Management Console (MMC) files. Reports from Trend Micro indicate that over 600 organizations faced attacks involving these vulnerabilities, highlighting their widespread and harmful nature.
Threats and Responses
The Cybersecurity and Infrastructure Security Agency (CISA) has escalated its cybersecurity alert level by including six critical vulnerabilities affecting Microsoft Windows in its Known Exploited Vulnerabilities (KEV) Catalog. Especially alarming are four vulnerabilities within the New Technology File System (NTFS). These issues have generated significant worries among cybersecurity experts, given that they can allow attackers to access sensitive information, execute arbitrary code, or elevate privileges, leading to considerable threats to both federal and private sector networks. The critical nature of these vulnerabilities demands urgent attention and swift remedial actions to prevent potential breaches. CISA advises all affected organizations to implement recommended patches and security measures promptly to mitigate these risks. The agency’s move emphasizes the increasing importance of cybersecurity vigilance in safeguarding critical infrastructure and sensitive data in a landscape where cyber threats continue to evolve and become more sophisticated.