CVE CyberSecurity Database News

CVE-2025-24984 - Insertion of Sensitive Information into NTFS Log Files Exposes Windows Data to Physical Attackers

Poster -

---

Introduction

A new security issue, CVE-2025-24984, has been discovered in Microsoft Windows operating systems that use the NTFS file system. This vulnerability comes from improper handling of sensitive data, which can end up inside NTFS transaction log files. If an attacker gains physical access to a computer, they could retrieve passwords, private keys, or other secret information, even without logging in. Let’s break down what this means, how it works, and what users and administrators can do.

What is the Vulnerability?

Summary:
On computers running Windows NTFS, certain sensitive information handled by applications or system tools may be accidentally written into the NTFS log file ($LogFile). Because this file keeps records of file system operations to recover from crashes, it can contain raw snippets of file data—including, in some cases, secrets that should never be written to disk.

If an unauthorized person gets physical access to the computer—for example, by stealing the hard drive—they can access the NTFS log and look for secrets.

How Does the Exploit Work?

When Windows saves changes to disk, it often writes raw data blocks to the NTFS logs before they’re finalized. Applications may handle sensitive data in memory or temporary files. If the log records are not properly sanitized, fragments of information like passwords could end up inside $LogFile.

The system deletes or overwrites the original file, but the NTFS log still contains the secret.

5. An attacker with physical access mounts the drive elsewhere, parses $LogFile, and finds the secret.

Code Snippet: How Attackers Parse NTFS Log Files

Attackers often use Python to parse low-level NTFS structures. Here’s a simplified snippet that scans $LogFile for keywords like "password":

import os

def search_logfile(drive_letter, keyword):
    logfile_path = f"{drive_letter}:\\$LogFile"
    with open(logfile_path, "rb") as f:
        content = f.read()
    hits = [hex(i) for i in range(len(content)) if content[i:i+len(keyword)] == keyword.encode()]
    print(f"Found occurrences of '{keyword}' at: {hits}")

search_logfile("E", "password")

Note: Accessing $LogFile on a live Windows system may be restricted. Attackers would usually plug the disk into a Linux system or use forensic tools.

Internal tokens, API secrets, or proprietary info

Even systems with disk encryption can be vulnerable if unlocked at the time of attack, or if encryption is not properly managed.

Encrypt all drives: Use BitLocker or similar tools to encrypt content at rest.

- Clear sensitive data securely: Applications should erase secrets from files/memory after use.

References

- Microsoft Security Response Center
- NTFS Log File System Forensics Analysis
- The Forensics Wiki: NTFS $LogFile
- CVE-2025-24984 (NVD entry) *(placeholder)*

Conclusion

CVE-2025-24984 highlights a fundamental problem with sensitive data handling in Windows NTFS log files. While abuse of this vulnerability requires physical or low-level access, it shows the importance of encryption and proper handling of secrets in applications. Until a thorough patch is released, admins should review their security posture and minimize the risk of secrets leaking into disk logs.

*Stay alert. Patch early. And treat every device as if someone, somewhere, will one day have physical access to it.*

Timeline

Published on: 03/11/2025 17:16:34 UTC
Last modified on: 03/21/2025 00:30:14 UTC