Microsoft has issued a warning about a critical vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824, which is currently being exploited to deploy ransomware. The threat has been noted across various industries, including IT, real estate, finance, software, and retail, affecting companies in the US, Spain, Venezuela, and Saudi Arabia.
This vulnerability permits attackers who possess standard user access to escalate their privileges significantly. As a result, they can execute widespread ransomware attacks. The exploitation process involves manipulating the CLFS kernel driver, which is crucial for managing transaction logs in Windows systems. Microsoft highlighted that prior vulnerabilities related to privilege escalation in CLFS have been common, with the previous patch being issued in December.
Recent incidents observed by Microsoft reveal the use of “PipeMagic” malware, allowing attackers to control systems remotely and execute additional malicious commands.
Who is behind the exploitation?
The threat actor identified as Storm-2460 is linked to the RansomEXX group, previously known as Defray777, which has targeted major organizations since its emergence in 2018. They have been connected to attacks against entities such as the Texas Department of Transportation and the Brazilian government, with indications of involvement from Russian nationals. The US Cybersecurity and Infrastructure Security Agency (CISA) has marked this vulnerability as "known exploited," necessitating action from federal agencies by April 29.
Windows 10, Windows 11, and Windows Server are vulnerable
On April 8, Microsoft released security updates addressing this vulnerability for Windows 11 and Windows Server. However, fixes for Windows 10 systems are pending. Microsoft assures that updates will be made available as quickly as possible, and users will be informed about any developments regarding this vulnerability. Notably, Windows 11 devices running version 24H2 or later are not susceptible to the exploitation due to restricted access to necessary system data.
How exploitation works
Attackers have been utilizing the certutil command-line utility to download a compromised MSBuild file, which contains an encrypted PipeMagic payload sourced from a previously legitimate website. This payload enables attackers to gain full privileges on the target system through a series of sophisticated maneuvers, including the injection of malicious code into system processes.
After obtaining user credentials via the LSASS process, ransomware was deployed, leading to the encryption of files and the distribution of a ransom note on affected systems.
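One way to hunt for the two behaviours described in this section (certutil fetching content from a URL, and an unexpected process opening LSASS) over process-creation and process-access telemetry, written as an added example that is not part of the original article or of any Microsoft tooling; the event schema, the sample events and the LSASS allowlist are assumptions to be tuned to the environment.

```python
import re

# Constructed sample telemetry in a simplified, assumed schema (not from the incident).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"},
    {"type": "process_create", "host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe https://example.invalid/update.bin C:\Users\Public\update.bin"},
    {"type": "process_access", "host": "ws02", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "host": "ws02", "source_image": r"C:\Users\Public\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Processes that legitimately open LSASS on a stock host; assumed list, tune per environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def check_process_create(ev):
    """Alert when certutil.exe is launched with a URL anywhere on its command line."""
    if not ev.get("image", "").lower().endswith("\\certutil.exe"):
        return None
    match = URL_RE.search(ev.get("cmdline", ""))
    if match is None:
        return None
    return {"rule": "certutil-url-fetch", "host": ev["host"], "url": match.group(0)}


def check_process_access(ev):
    """Alert when a process outside the allowlist obtains a handle to lsass.exe."""
    if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("source_image", "").lower()
    if source in LSASS_ALLOWLIST:
        return None
    return {"rule": "lsass-handle", "host": ev["host"], "source": source}


CHECKS = {"process_create": check_process_create, "process_access": check_process_access}


def hunt(events):
    """Run the check matching each event's type and collect the resulting alerts."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts
```

Running `hunt(SAMPLE_EVENTS)` yields two alerts, one for each suspicious event; a benign hashing invocation of certutil and the csrss.exe access to LSASS are left alone.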
For further information, you can refer to Microsoft’s blog post and the CISA Known Exploited Vulnerabilities list.