Microsoft has detected a zero-day vulnerability within the Home windows Frequent Log File System (CLFS) being exploited within the wild to deploy ransomware. Goal industries embody IT, actual property, finance, software program, and retail, with corporations primarily based within the US, Spain, Venezuela, and Saudi Arabia.
The vulnerability, tracked as CVE-2025-29824 and rated “essential,” is current within the CLFS kernel driver. It permits an attacker who already has normal consumer entry to a system to escalate their native privileges. The person can then use their privileged entry for “widespread deployment and detonation of ransomware inside an setting,” in accordance with a weblog put up by the Microsoft Menace Intelligence Middle.
The CFLS driver is a key component of Home windows used to jot down transaction logs, and its misuse might let an attacker acquire SYSTEM privileges. From there, they might steal knowledge or set up backdoors. Microsoft typically uncovers privilege escalation flaws in CFLS, the final one being patched in December.
In cases of CVE-2025-29824 exploitation noticed by Microsoft, the so-called “PipeMagic” malware was deployed earlier than the attackers might exploit the vulnerability to escalate their privileges. PipeMagic provides attackers distant management over a system and lets them run instructions or set up extra malicious instruments.
SEE: TechRepublic Unique: New Ransomware Assaults are Getting Extra Private as Hackers ‘Apply Psychological Stress’
Who’s behind the exploitation?
Microsoft has recognized Storm-2460 because the risk actor exploiting this vulnerability with PipeMagic and ransomware, linking it to the RansomEXX group.
As soon as often called Defray777, the attackers got here onto the scene in 2018. They’ve since focused high-profile organisations such because the Texas Division of Transportation, the Brazilian authorities, and Taiwanese {hardware} producer GIGABYTE. The group has been linked to Russian nationals.
The US’s cyber company has added the 7.8-rated vulnerability to its Identified Exploited Vulnerabilities checklist, which means that federal civilian companies are required to use the patch by April 29.
Home windows 10, Home windows 11, and Home windows Server are weak
On April 8, safety updates have been launched to patch the vulnerability in Home windows 11, Home windows Server 2022, and Home windows Server 2019. Home windows 10 x64-based and 32-bit programs are nonetheless awaiting fixes, however Redmond says they are going to be launched “as quickly as attainable,” and “clients will likely be notified through a revision to this CVE info” as quickly as they’re.
Units operating Home windows 11 model 24H2 or newer can’t be exploited this manner, even when the vulnerability exists. Entry to the required system info is restricted to customers with the “SeDebugPrivilege” permission, a stage of entry sometimes unavailable to straightforward customers.
How exploitation works
Microsoft noticed risk actors utilizing the certutil command-line utility to obtain a malicious MSBuild file onto the sufferer’s system.
This file, which carried an encrypted PipeMagic payload, was out there on a once-legitimate third-party web site that had been compromised to host the risk actor’s malware. One area PipeMagic communicated to was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled.
As soon as PipeMagic was decrypted and run in reminiscence, the attackers used a dllhost.exe course of to leak kernel addresses, or reminiscence places, to consumer mode. They overwrote the method’s token, which defines what the method is allowed to do, with the worth 0xFFFFFFFF, granting it full privileges and permitting the attackers to inject code into SYSTEM-level processes.
Subsequent, they injected a payload into the SYSTEM winlogon.exe course of, which subsequently injected the Sysinternals procdump.exe instrument into one other dllhost.exe course of and executed it. This enabled the risk actor to dump the reminiscence of LSASS, a course of that accommodates consumer credentials.
Following credential theft, ransomware was deployed. Microsoft noticed information being encrypted, a random extension added, and a ransom observe named !_READ_ME_REXX2_!.txt dropped on affected programs.
