CVE-2025-21197

Q: What is the severity of CVE-2025-21197?

CVE-2025-21197 has a CVSS score of 6.5 (MEDIUM). This vulnerability allows an authenticated attacker to discover file paths within restricted directories on Windows NTFS systems, even without permission to list folder contents. It affects Windows systems using NTFS file systems. The attacker must have some level of system access but can bypass intended access controls.

6.5 MEDIUM

📋 TL;DR

This vulnerability allows an authenticated attacker to discover file paths within restricted directories on Windows NTFS systems, even without permission to list folder contents. It affects Windows systems using NTFS file systems. The attacker must have some level of system access but can bypass intended access controls.

💻 Affected Systems

Products:

Windows

Versions: Specific versions not yet detailed in public advisory

Operating Systems: Windows with NTFS file system

Default Config Vulnerable: ⚠️ Yes

Notes: Requires NTFS file system; FAT32/exFAT not affected. Attacker must have some level of authenticated access to the system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could map sensitive directory structures, identify valuable targets for further attacks, and potentially combine with other vulnerabilities for data exfiltration or privilege escalation.

🟠

Likely Case

Information disclosure about file system structure, enabling attackers to identify valuable files and plan targeted attacks against specific data.

🟢

If Mitigated

Limited information disclosure with no direct data access; attackers gain only path information without file contents.

🌐 Internet-Facing: LOW - Requires authenticated access to the system, not directly exploitable over internet without prior compromise.

🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could use this to map sensitive directories and identify targets for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but appears straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21197

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Microsoft Update. 2. For enterprise: Deploy through WSUS, SCCM, or Intune. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict Access to Sensitive Directories

windows

Apply strict access controls to limit which users can access directories containing sensitive information

icacls "C:\SensitiveDirectory" /deny Users:(OI)(CI)R

Audit File System Permissions

windows

Regularly review and tighten NTFS permissions on sensitive directories

icacls "C:\*" /save perm_report.txt /T /C

🧯 If You Can't Patch

Implement strict access controls and least privilege principles for all user accounts
Monitor for unusual file system access patterns and implement enhanced logging

🔍 How to Verify

Check if Vulnerable:

Check if system is running affected Windows version with NTFS and has not applied the security update

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history shows the relevant security update installed and system has been restarted

📡 Detection & Monitoring

Log Indicators:

Unusual file system access patterns, repeated failed access attempts to restricted directories

Network Indicators:

Not network exploitable; focus on host-based detection

SIEM Query:

EventID=4663 AND ObjectType="File" AND AccessMask="ReadData" AND NOT UserName IN (authorized_users)

📊 Metadata

CVE ID: CVE-2025-21197

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-284

EPSS Score: 1.62% exploit probability (81.5th percentile)

Published: April 8, 2025

Last Updated: July 10, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21197 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Access to Sensitive Directories

Audit File System Permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities