Critical NTFS Vulnerability (CVE-2025-49689) Uncovered: Local Attacker Can Gain SYSTEM Privileges in Windows 11
A researcher at Positive Technologies has uncovered a critical vulnerability in the implementation of the NTFS file system, which enables a local attacker to escalate privileges to SYSTEM by leveraging a specially crafted virtual hard disk (VHD). The flaw has been assigned CVE-2025-49689 and affects Windows 11 version 22H2.
The root of the issue lies in the Log File Service (LFS) mechanism used by NTFS to manage transactional journaling. During disk mounting, NTFS invokes a chain of functions (ntfs!NtfsMountVolume → ntfs!InitializeRestartState → ntfs!ReadRestartTable) in which the ClientDataLength field of the LFS_RECORD structure is handled improperly. If this field is set to 0xFFFFFFFF, the record length computation overflows and a critical validation check is bypassed.
This leads to out-of-bounds memory reads, followed by the copying of a large memory region via memmove, so that data beyond the allocated $LogFile buffer can be accessed. To exploit the vulnerability, an attacker must manipulate LFS structures within a VHD and circumvent the Lfcb->CachedRestartArea caching mechanism, forcing the system to parse a forged RESTART_AREA that contains a spoofed attribute table.
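To make the length-check failure described above concrete from a code-review standpoint, the following C is an added illustration (not the researcher's code and not Windows source): a simplified model of the record length check, with the wrapping computation beside a hardened version and a copy routine that only runs memmove after the hardened check. Only the ClientDataLength field name and the 0xFFFFFFFF value come from the write-up; the header size, struct layout and every other name are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of an LFS record, constructed for this example.
 * Only ClientDataLength is taken from the write-up; the header size,
 * the struct layout and all other names are assumptions. */
#define LFS_RECORD_HEADER_SIZE 0x30u   /* assumed header size */

typedef struct {
    uint32_t ClientDataLength;         /* read from the untrusted $LogFile */
} LFS_RECORD_MODEL;

/* Vulnerable pattern: the 32-bit sum wraps when ClientDataLength is
 * 0xFFFFFFFF (0xFFFFFFFF + 0x30 == 0x2F), so an oversized record
 * passes the bounds check against the remaining buffer. */
bool record_fits_unchecked(const LFS_RECORD_MODEL *rec, uint32_t bytes_left)
{
    uint32_t total = rec->ClientDataLength + LFS_RECORD_HEADER_SIZE;
    return total <= bytes_left;
}

/* Hardened pattern: reject any length whose sum would wrap before it is
 * ever compared, so a later memmove can only copy in-bounds data. */
bool record_fits_checked(const LFS_RECORD_MODEL *rec, uint32_t bytes_left)
{
    if (rec->ClientDataLength > UINT32_MAX - LFS_RECORD_HEADER_SIZE)
        return false;                  /* sum would overflow: reject */
    return rec->ClientDataLength + LFS_RECORD_HEADER_SIZE <= bytes_left;
}

/* Copies client data out of a buffer only after the hardened check.
 * Returns the number of bytes copied, or 0 when the record is rejected. */
uint32_t copy_client_data_checked(const uint8_t *buf, uint32_t bytes_left,
                                  uint8_t *out, uint32_t out_size)
{
    LFS_RECORD_MODEL rec;
    if (bytes_left < LFS_RECORD_HEADER_SIZE)
        return 0;
    memcpy(&rec.ClientDataLength, buf, sizeof rec.ClientDataLength);
    if (!record_fits_checked(&rec, bytes_left) ||
        rec.ClientDataLength > out_size)
        return 0;
    memmove(out, buf + LFS_RECORD_HEADER_SIZE, rec.ClientDataLength);
    return rec.ClientDataLength;
}
```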
The attack can be advanced further by forging the OPEN_ATTRIBUTE_DATA structure, which contains a pointer to the SCB (Stream Control Block) object. NTFS uses this structure in NtfsCloseAttributesFromRestart, where it interacts with an AVL tree through a call to RtlDeleteElementGenericTableAvl.
This call provides an opportunity to hijack execution via the CompareRoutine callback, enabling arbitrary writes to any memory address within the kernel. The researcher leverages RtlpFcBufferManagerReferenceBuffers to gain control over the tree and build a write-what-where primitive.
For reliable exploitation, the IO_RING mechanism is used to overwrite buffer pointers within the _IORING_OBJECT structure, achieving arbitrary kernel memory writes. Additionally, a pipe-based memory allocation technique is employed to bypass SMEP and SMAP protections, together with a forged pointer chain SCB → FCB → VCB.
These capabilities not only allow attackers to read kernel memory but also to execute arbitrary code with the highest privileges. The proof-of-concept demonstration uses a classic technique: replacing the user’s token with that of SYSTEM.
The exploit remains effective even in environments where Control Flow Guard (CFG) and Hypervisor-Enforced Code Integrity (HVCI) are enabled, making the threat particularly severe. The researcher outlines potential improvements for exploitation reliability, including precise memory exhaustion control, SMAP bypassing, and avoiding early kernel crashes before gaining necessary execution context.
As of the time of publication, Microsoft has not issued a security update. Users are strongly advised to avoid mounting VHD files from untrusted sources and to monitor system activity related to $LogFile operations.