
Microsoft Windows New Technology File System (NTFS) contains an insertion of sensitive information into log file vulnerability (CVE-2025-24984) that was discovered and disclosed on March 11, 2025. This vulnerability affects Windows NTFS and allows an unauthorized attacker to disclose information through a physical attack. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) (NIST NVD).
The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). It has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating physical access is required (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity (I:N) or availability (A:N) (Microsoft MSRC).
An attacker who successfully exploits this vulnerability could potentially read portions of heap memory through physical access to the system. The vulnerability specifically affects the logging functionality in Windows NTFS, potentially exposing sensitive information stored in log files (CISA KEV).
CISA requires Federal Civilian Executive Branch (FCEB) agencies to remediate this vulnerability by April 1, 2025, in accordance with Binding Operational Directive (BOD) 22-01. Organizations are strongly urged to apply vendor-provided mitigations or follow applicable BOD 22-01 guidance for cloud services. If mitigations are unavailable, organizations should consider discontinuing use of the affected product (CISA KEV).
Source: This report was generated using AI