Buried in the Log. Exploiting a 20 years old NTFS Vulnerability

Intro

Filesystem implementations are old, complex, and not very well audited by independent researchers. In this article I would like to share a beautiful exploitation showcase of a vulnerability that I found in the Windows NTFS implementation. This vulnerability, CVE-2025-49689, is reachable through a specially crafted virtual disk (VHD).

Adversaries use virtual disks in their phishing campaigns as containers for their malicious payloads. From the user's perspective, a virtual disk is just a container with files, like a ZIP or RAR archive. Recently my colleagues published a report about a phishing attack where virtual disks were used. It was only a matter of time before advanced adversaries tried to use the virtual disk infrastructure for exploitation purposes.

In 2025, 4 vulnerabilities used in the wild were reported. 2 of them were RCE and 2 of them were Information Disclosure vulnerabilities, where 1 of the Information Disclosure vulnerabilities was chained with an RCE. 3 out of 4 vulnerabilities use a VHD as a container to reach the buggy filesystem implementation. It's impressive. In-the-wild exploits were recorded for the NTFS and FastFat implementations, CVE-2025-24993 and CVE-2025-24985 respectively.

In this article we discuss the beautiful root cause that leads to multiple corruptions, which fall one into another like a cascade of waterfalls. At the end we discuss how it can be exploited in order to achieve Escalation of Privileges.

Let’s go!


Source Code Disclosure in ASP.NET apps

Recently, I came across an interesting ASP.NET application. It appeared to be secure, but it accidentally revealed its source code. Later, I found out that the method I used can be applied to disclose the code of many other .NET web applications.

Here are the details. If you ever see an IIS or .NET app, this is for you.
