CVE-2025-21197: 
vulnerability analysis and mitigation

A Windows NTFS Information Disclosure vulnerability (CVE-2025-21197) was discovered and disclosed on April 8, 2025. The vulnerability affects Windows NTFS file system and allows an authorized attacker to access file path information in folders where they don't have explicit listing permissions (NVD).

The vulnerability is classified as an Improper Access Control (CWE-284) issue. Microsoft has assigned it a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, required low privileges, no user interaction, and high confidentiality impact (NVD).

The vulnerability enables unauthorized disclosure of file path information in folders where the attacker lacks proper permissions. This could potentially lead to information disclosure and compromise of sensitive directory structures (Rapid7).

Microsoft has released security updates to address this vulnerability across multiple Windows versions, including Windows 10, Windows 11, Windows Server 2012/2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. These updates are available through various KB articles including KB5055518, KB5055519, KB5055521, KB5055523, KB5055526, KB5055527, and KB5055528 (Rapid7).