Microsoft Closes a Critical Windows Vulnerability Used in Ransomware Attacks

Overview

Microsoft has fixed a serious vulnerability in the Windows Common Log File System (CLFS). The flaw was exploited as a zero-day in ransomware attacks targeting a handful of organizations around the world. The attacks affected companies in the IT and real estate sectors in the United States, a financial firm in Venezuela, a Spanish software company, and a retail business in Saudi Arabia.


Details of the Vulnerability

The security hole, known as CVE-2025-29824, allowed cybercriminals to gain SYSTEM-level privileges, which means they could take nearly full control of a computer system. Microsoft addressed the problem with its April 2025 Patch Tuesday update. The attack campaign, dubbed Storm-2460 by Microsoft, was carried out using a malware tool called PipeMagic.

How the Attack Worked

Attackers used a compromised MSBuild file that carried an encrypted payload. Once run, this file unpacked the payload and launched PipeMagic, a trojan that has been active since 2022. PipeMagic, which operates as a plugin-based tool, helped deliver both the privilege escalation exploit and the ransomware payload. Similar tactics have been seen before with another CLFS flaw (CVE-2023-28252) linked to Nokoyawa ransomware and a different zero-day (CVE-2025-24983) patched last month.

The Exploit Process

Microsoft’s security team explained that the exploit takes advantage of a weakness in the CLFS kernel driver. The exploit corrupts kernel memory and overwrites the process token with a value that grants full privileges, which allows the malicious process to inject code into system processes. After gaining control, the attackers dumped the memory of the Local Security Authority Subsystem Service (LSASS) to steal credentials and then encrypted files on the system, using random file extensions.
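As an added, defender-side example that is not part of the original report, the following Python script triages constructed Sysmon-style event records for three stages of the chain described in the previous two sections: MSBuild spawning an unexpected child process, a process requesting read access to LSASS memory, and files renamed with an appended random-looking extension. The sample events, allow lists and the five-character extension threshold are assumptions, not indicators from the incident.

```python
import re

# Constructed Sysmon-style events (sample data, not from any real incident).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "msbuild.exe", "image": "rundll32.exe"},
    {"type": "process", "parent": "msbuild.exe", "image": "csc.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe"},
    {"type": "process_access", "source": "svchost.exe", "target": "lsass.exe", "mask": 0x1FFFFF},
    {"type": "process_access", "source": "MsMpEng.exe", "target": "lsass.exe", "mask": 0x1400},
    {"type": "rename", "old": r"C:\data\report.docx", "new": r"C:\data\report.docx.q7xk2m"},
    {"type": "rename", "old": r"C:\data\notes.txt", "new": r"C:\data\notes.bak"},
]

PROCESS_VM_READ = 0x0010  # the access right a memory dump of LSASS requires
# Assumed allow lists; tune them to the environment being monitored.
LSASS_READERS_ALLOWED = {"msmpeng.exe"}
MSBUILD_EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe"}
# An appended extension of five or more letters/digits, e.g. ".q7xk2m" (assumed threshold).
APPENDED_RANDOM_EXT = re.compile(r"\.[a-z0-9]{5,}$", re.IGNORECASE)

def msbuild_unexpected_children(events):
    """Stage 1: MSBuild launching something other than its normal build toolchain."""
    return [e["image"] for e in events
            if e["type"] == "process" and e["parent"].lower() == "msbuild.exe"
            and e["image"].lower() not in MSBUILD_EXPECTED_CHILDREN]

def lsass_memory_readers(events):
    """Stage 3: a non-allow-listed process asking for read access to LSASS memory."""
    return [e["source"] for e in events
            if e["type"] == "process_access" and e["target"].lower() == "lsass.exe"
            and e["mask"] & PROCESS_VM_READ
            and e["source"].lower() not in LSASS_READERS_ALLOWED]

def random_extension_renames(events):
    """Stage 4: a file keeps its full original name and gains a random-looking extension."""
    hits = []
    for e in events:
        if e["type"] != "rename" or not e["new"].startswith(e["old"] + "."):
            continue
        if APPENDED_RANDOM_EXT.search(e["new"][len(e["old"]):]):
            hits.append(e["new"])
    return hits

def triage(events):
    """Run all three checks and return the findings keyed by stage."""
    return {"msbuild_children": msbuild_unexpected_children(events),
            "lsass_readers": lsass_memory_readers(events),
            "random_renames": random_extension_renames(events)}

if __name__ == "__main__":
    for stage, hits in triage(SAMPLE_EVENTS).items():
        print(f"{stage}: {hits}")
```

No single check is conclusive on its own; the value is in seeing more than one stage fire on the same host within a short window.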

Additional Insights

Security experts, including those at Kaspersky, have observed that some attacks first infect the victim’s machine with a custom backdoor called PipeMagic launched via an MSBuild script. This step is taken before the CLFS exploit is used, ensuring that the attackers have the necessary privileges to spread their ransomware more widely. Although Microsoft could not secure a sample of the ransomware for analysis, the ransom note that appeared after the attacks included a TOR address linked to the RansomEXX ransomware group.

Affected Windows Versions

It’s important to note that Windows 11, version 24H2, is not at risk. In this version, access to certain system functions is restricted to users with administrative rights, which helps block this type of exploit.

Conclusion

Microsoft’s quick response in patching CVE-2025-29824 underscores the ongoing challenge of stopping cybercriminals who use advanced methods like PipeMagic and memory corruption exploits. This incident is a reminder of the critical need for regular security updates and vigilance to protect against such multi-step attacks.