Zero-Day CLFS Exploit Fuels Ransomware

Summary

Microsoft patched a Windows zero-day vulnerability, CVE-2025-29824, exploited by the Storm-2460 ransomware gang. The exploit, deployed via PipeMagic malware, escalated privileges in the Windows Common Log File System (CLFS), facilitating ransomware deployment. Organizations are urged to update their systems immediately.

Explore the data solution with built-in protection against ransomware TrueNAS.

** Main Story**

Microsoft addressed a critical zero-day vulnerability, tracked as CVE-2025-29824, in its April 2025 Patch Tuesday update. This vulnerability resides within the Windows Common Log File System (CLFS) and allows attackers to escalate privileges, paving the way for ransomware attacks. The ransomware gang known as Storm-2460, identified by Microsoft, exploited this zero-day using the PipeMagic malware.

The CLFS Vulnerability and Exploitation

The CLFS zero-day, CVE-2025-29824, is a use-after-free vulnerability in the CLFS kernel driver. Exploitation of this flaw enables attackers with standard user access to gain SYSTEM privileges, effectively granting them complete control over the compromised system. Storm-2460 utilized the PipeMagic malware to deliver and execute the exploit, subsequently deploying ransomware payloads and ransom notes. This malware, documented by Kaspersky and ESET, has a history of facilitating the exploitation of other vulnerabilities and has been observed in previous campaigns involving the Nokoyawa ransomware. In the current attacks, Microsoft observed the attackers using certutil to download a malicious MSBuild file containing the encrypted PipeMagic payload. The payload was then decrypted and executed via the EnumCalendarInfoA API callback, initiating the attack chain.

Scope of Attacks and Targeted Sectors

Microsoft’s analysis revealed a limited number of attacks targeting specific sectors across multiple countries. Victims include organizations in the IT and real estate sectors in the US, financial institutions in Venezuela, a Spanish software company, and retailers in Saudi Arabia. The attacks underscore the threat actors’ strategic targeting of diverse industries, highlighting the widespread risk posed by such vulnerabilities. While the initial access vector remains undetermined, Microsoft noted the use of compromised legitimate websites for hosting malware. This tactic makes detection more difficult, emphasizing the need for robust security measures. The diversity of targeted industries and countries suggests a financially motivated campaign seeking maximum impact.

Mitigations and Recommendations

Microsoft released security updates to address CVE-2025-29824 on April 8, 2025, and strongly urges all users to apply these patches immediately. It’s crucial to note that while the vulnerability exists in Windows 11 version 24H2, the observed exploit did not affect systems running this version due to stricter access controls on the NtQuerySystemInformation API. However, patching all systems remains critical, as attackers may develop alternative exploitation techniques.

Beyond patching, Microsoft recommends prioritizing security updates for elevation of privilege vulnerabilities as a crucial defense against ransomware. This proactive approach helps limit the impact of potential breaches by restricting attackers’ ability to escalate privileges and move laterally within a network. Organizations should also implement robust security measures, such as endpoint detection and response (EDR) and extended detection and response (XDR) solutions, to monitor system activity, detect suspicious behavior, and respond to threats effectively. Regular security audits and penetration testing can further identify and address vulnerabilities before they can be exploited. Maintaining up-to-date antivirus and anti-malware software, combined with user education and awareness training, can also strengthen defenses against evolving threats. As of April 13, 2025, information may change as new details about the attacks emerge.