CVE-2025-24985

HighCISA KEVActive ExploitationPublic PoC

Published: 11 March 2025

Published

11 March 2025

Modified

27 October 2025

KEV Added

11 March 2025

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0155 81.6th percentile

Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24985 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 18.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the integer overflow vulnerability in the Windows Fast FAT Driver by requiring timely identification, reporting, and patching.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Detects systems vulnerable to CVE-2025-24985 through ongoing monitoring and scanning for known flaws in the Fast FAT Driver.

SI-16 Memory Protection partial match

prevent

Mitigates arbitrary code execution from the driver's integer overflow via memory protections like DEP and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Integer overflow in Windows Fast FAT driver enables arbitrary code execution in kernel context via malicious file or volume action (T1204.002), directly facilitating local privilege escalation to full system compromise with no initial privileges required (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally.

Deeper analysisAI

CVE-2025-24985 is an integer overflow or wraparound vulnerability (CWE-122, CWE-190) in the Windows Fast FAT Driver, a component of Microsoft Windows used for handling Fast FAT file systems. Published on March 11, 2025, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by an unauthorized local attacker with no privileges required. Exploitation involves low complexity and user interaction, such as tricking a user into opening a malicious file or performing a specific action on a Fast FAT volume. Successful exploitation allows arbitrary code execution in the context of the affected driver, potentially leading to full system compromise.

Microsoft's advisory at msrc.microsoft.com provides patching guidance through Windows Update. Vicarius offers detection and mitigation scripts specifically for this vulnerability. The issue is listed in CISA's Known Exploited Vulnerabilities catalog, indicating real-world exploitation.

Details

CWE(s): CWE-122 CWE-190
KEV Date Added: 11 March 2025

Affected Products

microsoft

windows 10 1507

≤ 10.0.10240.20947 · ≤ 10.0.10240.20947

microsoft

windows 10 1607

≤ 10.0.14393.7876 · ≤ 10.0.14393.7876

microsoft

windows 10 1809

≤ 10.0.17763.7009 · ≤ 10.0.17763.7009

microsoft

windows 10 21h2

≤ 10.0.19044.5608

microsoft

windows 10 22h2

≤ 10.0.19045.5608

microsoft

windows 11 22h2

≤ 10.0.22621.5039

microsoft

windows 11 23h2

≤ 10.0.22631.5039

microsoft

windows 11 24h2

≤ 10.0.26100.3403

microsoft

windows server 2008

all versions, r2

microsoft

windows server 2012

all versions, r2

+5 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-24993Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-21418Same product: Microsoft Windows 10 1607both on KEV

CVE-2025-21180Same product: Microsoft Windows 10 1507

CVE-2025-59230Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-24990Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-21391Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-21369Same product: Microsoft Windows 10 1507

CVE-2026-21533Same product: Microsoft Windows 10 1607both on KEV

CVE-2025-26633Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-24991Same product: Microsoft Windows 10 1507both on KEV

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985
Patch, Vendor Advisory · secure@microsoft.com
https://www.vicarius.io/vsociety/posts/cve-2025-24985-integer-overflow-vulnerability-in-microsoft-windows-fast-fat-driver-detection-script
Exploit, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2025-24985-integer-overflow-vulnerability-in-microsoft-windows-fast-fat-driver-mitigation-script
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24985
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0