In a significant security advisory, Microsoft has reported that the RansomEXX ransomware gang is actively exploiting a high-severity zero-day vulnerability in the Windows Common Log File System (CLFS) driver. The vulnerability, tracked as CVE-2025-29824, allows attackers to gain SYSTEM privileges on victims' machines, raising serious concerns for organizations worldwide.
CVE-2025-29824 is a use-after-free flaw that lets a local attacker with only low privileges escalate to SYSTEM without any user interaction. Microsoft confirmed that it addressed the vulnerability in this month's Patch Tuesday updates, but noted that the patches for Windows 10 x64 and 32-bit systems are delayed and will be released as soon as possible. Systems running Windows 11, version 24H2 are not affected by the exploitation observed in the wild, even though the vulnerable code is present there as well.
The RansomEXX gang has been targeting various sectors, including organizations in the information technology and real estate sectors in the United States. Additionally, victims have been identified in the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has urged all customers to implement the necessary updates promptly to safeguard their systems.
Microsoft attributes these attacks to the RansomEXX ransomware gang, which it tracks as Storm-2460. The intrusions begin with the installation of the PipeMagic backdoor, which the attackers then use to deploy the CVE-2025-29824 exploit together with the ransomware payload. After encrypting files, the ransomware drops ransom notes named !_READ_ME_REXX2_!.txt.
As ESET reported last month, PipeMagic has also been used since March 2023 to launch exploits for another Windows zero-day, CVE-2025-24983 in the Win32 Kernel Subsystem. First discovered by Kaspersky in 2022, the backdoor can harvest sensitive data, grant full remote access to infected devices, and deploy additional malicious payloads, enabling attackers to move laterally through victims' networks.
The RansomEXX ransomware operation first emerged as Defray in 2018, was rebranded as RansomEXX, and has shown increased activity since June 2020. The gang's sophisticated tradecraft and its repeated exploitation of vulnerabilities underscore the need for organizations to remain vigilant and apply security updates promptly to limit their exposure.