Cyber Posture

CVE-2025-24991

MediumCISA KEVActive Exploitation

Published: 11 March 2025

Published
11 March 2025
Modified
27 October 2025
KEV Added
11 March 2025
Patch
CVSS Score 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0144 80.9th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24991 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 19.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely remediation of the out-of-bounds read flaw in Windows NTFS through application of Microsoft patches.

RA-5 Vulnerability Monitoring and Scanning good match
prevent

Requires scanning for CVE-2025-24991 vulnerabilities in Windows systems to identify and prioritize patching needs.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Ensures organizations obtain and act on security advisories from Microsoft MSRC and CISA KEV catalog for this actively exploited vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

The out-of-bounds read in NTFS directly enables local disclosure of sensitive information from the system, mapping to Data from Local System.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.

Deeper analysisAI

CVE-2025-24991 is an out-of-bounds read vulnerability (CWE-125) in the Windows NTFS file system. It affects Windows operating systems that utilize NTFS and was published on 2025-03-11 with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by a local attacker requiring no privileges, though user interaction is necessary and attack complexity is low. Successful exploitation allows the attacker to disclose sensitive information locally with high confidentiality impact, without affecting integrity or availability.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991 provides details on the vulnerability and mitigation recommendations, including available patches. It is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24991, indicating active exploitation in the wild.

Details

CWE(s)
CWE-125
KEV Date Added
11 March 2025

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20947 · ≤ 10.0.10240.20947
microsoft
windows 10 1607
≤ 10.0.14393.7876 · ≤ 10.0.14393.7876
microsoft
windows 10 1809
≤ 10.0.17763.7009 · ≤ 10.0.17763.7009
microsoft
windows 10 21h2
≤ 10.0.19044.5608 · ≤ 10.0.19044.5608 · ≤ 10.0.19044.5608
microsoft
windows 10 22h2
≤ 10.0.19045.5608 · ≤ 10.0.19045.5608 · ≤ 10.0.19045.5608
microsoft
windows 11 22h2
≤ 10.0.22621.5039 · ≤ 10.0.22621.5039
microsoft
windows 11 23h2
≤ 10.0.22631.5039 · ≤ 10.0.22631.5039
microsoft
windows 11 24h2
≤ 10.0.26100.3403 · ≤ 10.0.26100.3403
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-24984Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24985Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24993Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-26633Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24054Same product: Microsoft Windows 10 1507both on KEV
CVE-2026-25181Same product: Microsoft Windows 10 1607
CVE-2025-59230Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-24990Same product: Microsoft Windows 10 1507both on KEV
CVE-2025-21418Same product: Microsoft Windows 10 1607both on KEV
CVE-2025-49687Same product: Microsoft Windows 10 1507

References