CVE-2025-24991 is a vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the NTFS file system driver in Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The flaw allows an authorized attacker with local access to perform an out-of-bounds read operation, which can lead to disclosure of sensitive information residing in memory. This vulnerability requires the attacker to have local user privileges and to interact with the system (e.g., opening a specially crafted file or triggering a specific NTFS operation). The vulnerability does not require elevated privileges, but it does not allow modification or disruption of system operations, limiting its impact to confidentiality breaches only. The CVSS 3.1 base score is 5.5, reflecting medium severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), no integrity or availability impact (I:N/A:N), and functional exploit code (E:F) with official remediation (RL:O) and confirmed report confidence (RC:C). No public exploits are known at this time, and no patches have been released, though the vulnerability has been officially published and tracked by CISA. The vulnerability arises from improper bounds checking in NTFS processing code, which can cause the system to read memory beyond intended buffers, potentially leaking sensitive data such as kernel memory or user data.

For European organizations, this vulnerability poses a risk primarily to confidentiality, as attackers with local access could extract sensitive information from memory. This could include credentials, cryptographic keys, or other sensitive data stored in memory buffers related to NTFS operations. While the vulnerability does not allow privilege escalation or system disruption, the exposure of confidential data could facilitate further attacks or data breaches. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, where sensitive data is processed and stored on Windows 10 Version 1809 systems, are particularly at risk. The requirement for local access and user interaction limits remote exploitation, but insider threats or compromised endpoints could be leveraged to exploit this vulnerability. The lack of a patch increases the window of exposure, emphasizing the need for proactive mitigation. Additionally, legacy systems still running Windows 10 Version 1809, which is an older release, may be more vulnerable due to reduced vendor support and patching frequency.

1. Restrict local user access: Limit the number of users with local access to Windows 10 Version 1809 systems, especially those handling sensitive data. 2. Apply principle of least privilege: Ensure users operate with minimal privileges necessary to reduce potential attack vectors. 3. Monitor and audit local activity: Implement enhanced logging and monitoring of local file system operations and user activities to detect suspicious behavior indicative of exploitation attempts. 4. Disable or restrict use of NTFS features that may be exploited if feasible, or isolate critical systems to reduce exposure. 5. Maintain up-to-date endpoint protection and behavioral detection tools capable of identifying anomalous memory reads or file system access patterns. 6. Plan and prioritize upgrading affected systems to a more recent, supported Windows version with active security updates. 7. Once Microsoft releases an official patch, deploy it promptly across all affected systems. 8. Educate users about the risks of opening untrusted files or performing unverified operations that could trigger the vulnerability. 9. Use application whitelisting and restrict execution of unauthorized code to reduce risk of local exploitation. 10. Employ network segmentation to limit lateral movement from compromised endpoints.