CVE-2025-24991

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 5 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

1.56%

probability

This CVE has a 1.56% probability of being exploited in the next 30 days.

0% Top 81.7th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

Windows NTFS Information Disclosure Vulnerability

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-125 · Out-of-bounds Read CWE-664 · Improper Control of a Resource Through its Lifetime

Google Project Zero

Patched

March 11, 2025

Reported by

Anonymous

Root Cause Analysis

???

URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days

TheHackerNews

Microsoft and Adobe Patch Tuesday, March 2025 Security Update Review

Qualys Mar 11, 2025

Microsoft patches Windows Kernel zero-day exploited since 2023

BleepingComputer Mar 12, 2025

Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws

BleepingComputer Mar 11, 2025

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

TheHackerNews

Signal Intelligence

Confidenceⓘ

92%

EPSS 1.56%

Mentions 5

Last Seen Mar 12, 2025

CNA Information

Analyst Note

CVE-2025-24991 is confirmed as a zero-day vulnerability patched by Microsoft in March 2025, with evidence of in-the-wild exploitation since 2023 and validation by Google Project Zero. Despite the medium CVSS score, the combination of documented exploitation history, official Microsoft patch status, and third-party security research confirmation supports a high confidence assessment.