Picture: nicescene/Adobe Inventory
Microsoft has detected a zero-day vulnerability within the Home windows Frequent Log File System (CLFS) being exploited within the wild to deploy ransomware. Goal industries embody IT, actual property, finance, software program, and retail, with corporations based mostly within the US, Spain, Venezuela, and Saudi Arabia.
The vulnerability, tracked as CVE-2025-29824 and rated “important,” is current within the CLFS kernel driver. It permits an attacker who already has customary person entry to a system to escalate their native privileges. The person can then use their privileged entry for “widespread deployment and detonation of ransomware within an environment,” in response to a weblog publish by the Microsoft Risk Intelligence Middle.
The CFLS driver is a key component of Home windows used to put in writing transaction logs, and its misuse might let an attacker acquire SYSTEM privileges. From there, they might steal knowledge or set up backdoors. Microsoft typically uncovers privilege escalation flaws in CFLS, the final one being patched in December.
In cases of CVE-2025-29824 exploitation noticed by Microsoft, the so-called “PipeMagic” malware was deployed earlier than the attackers might exploit the vulnerability to escalate their privileges. PipeMagic offers attackers distant management over a system and lets them run instructions or set up extra malicious instruments.
SEE: TechRepublic Unique: New Ransomware Assaults are Getting Extra Private as Hackers ‘Apply Psychological Pressure’
Who’s behind the exploitation?
Microsoft has recognized Storm-2460 because the menace actor exploiting this vulnerability with PipeMagic and ransomware, linking it to the RansomEXX group.
As soon as often known as Defray777, the attackers got here onto the scene in 2018. They’ve since focused high-profile organisations such because the Texas Division of Transportation, the Brazilian authorities, and Taiwanese {hardware} producer GIGABYTE. The group has been linked to Russian nationals.
The US’s cyber company has added the 7.8-rated vulnerability to its Identified Exploited Vulnerabilities checklist, which means that federal civilian companies are required to use the patch by April 29.
Home windows 10, Home windows 11, and Home windows Server are weak
On April 8, safety updates had been launched to patch the vulnerability in Home windows 11, Home windows Server 2022, and Home windows Server 2019. Home windows 10 x64-based and 32-bit methods are nonetheless awaiting fixes, however Redmond says they are going to be launched “as soon as possible,” and “customers will be notified via a revision to this CVE information” as quickly as they’re.
Units working Home windows 11 model 24H2 or newer can’t be exploited this manner, even when the vulnerability exists. Entry to the required system info is restricted to customers with the “SeDebugPrivilege” permission, a stage of entry usually unavailable to plain customers.
Should-read safety protection
How exploitation works
Microsoft noticed menace actors utilizing the certutil command-line utility to obtain a malicious MSBuild file onto the sufferer’s system.
This file, which carried an encrypted PipeMagic payload, was accessible on a once-legitimate third-party web site that had been compromised to host the menace actor’s malware. One area PipeMagic communicated to was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled.
As soon as PipeMagic was decrypted and run in reminiscence, the attackers used a dllhost.exe course of to leak kernel addresses, or reminiscence places, to person mode. They overwrote the method’s token, which defines what the method is allowed to do, with the worth 0xFFFFFFFF, granting it full privileges and permitting the attackers to inject code into SYSTEM-level processes.
Subsequent, they injected a payload into the SYSTEM winlogon.exe course of, which subsequently injected the Sysinternals procdump.exe software into one other dllhost.exe course of and executed it. This enabled the menace actor to dump the reminiscence of LSASS, a course of that comprises person credentials.
