A critical zero-day vulnerability in the Windows Common Log File System (CLFS) has been uncovered and is being actively exploited by a ransomware group.
Tracked as CVE-2025-29824, this elevation of privilege flaw has been targeted in attacks against a select group of organizations across multiple sectors and countries, prompting Microsoft to release urgent security updates on April 8, 2025.
The vulnerability, located in the CLFS kernel driver, allows attackers with standard user privileges to escalate their access to system-level control.
Microsoft has linked the exploitation to the PipeMagic malware, deployed by a threat actor identified as Storm-2460. This group has leveraged the exploit to facilitate ransomware attacks, targeting industries such as IT and real estate in the United States, finance in Venezuela, software in Spain, and retail in Saudi Arabia.
Exploitation Details
Microsoft’s investigation revealed that Storm-2460 employed sophisticated techniques prior to exploiting the vulnerability. In several instances, the attackers used the Windows certutil utility to download a malicious MSBuild file from a compromised third-party website.
This file, once decrypted and executed via the EnumCalendarInfoA API callback, unleashed the PipeMagic malware. Notably, PipeMagic has been previously documented by Kaspersky in October 2024 and linked to another zero-day exploit by ESET in 2023.
Once PipeMagic was deployed, the attackers executed the CLFS exploit in memory via a dllhost.exe process. The exploit leverages a memory corruption technique, using the RtlSetAllBits API to overwrite the process token, granting full privileges.
Interestingly, the exploit relies on the NtQuerySystemInformation API to leak kernel addresses—an approach rendered ineffective on Windows 11, version 24H2, where access to certain system information classes is restricted to users with elevated privileges.
As part of the attack, a CLFS BLF file (C:\ProgramData\SkyPDF\PDUDrv.blf) is created, serving as a telltale sign of the exploit’s activity.
Post-exploitation, the attackers injected a payload into winlogon.exe, followed by the use of Sysinternals’ procdump.exe to dump the memory of the LSASS process and harvest user credentials.
This paved the way for ransomware deployment, with encrypted files receiving random extensions and a ransom note titled !READ_ME_REXX2!.txt being dropped.
Two .onion domains tied to the RansomEXX ransomware family were identified in the notes, indicating a possible connection to this known threat.
The ransomware, launched via dllhost.exe with a command line such as --do [path_to_ransom], also executed commands to hinder recovery efforts, including disabling recovery options and deleting backups.
Microsoft released patches for CVE-2025-29824 and confirmed that Windows 11, version 24H2 systems are not affected by the observed exploitation method, even though the vulnerability is present in that version.
The company is urging all customers to apply the updates immediately to mitigate the risk of ransomware attacks, which often exploit such elevation of privilege vulnerabilities to escalate initial access into devastating network-wide incidents.
In addition to patching, Microsoft recommends enabling cloud-delivered protection in Microsoft Defender Antivirus, using device discovery to identify unmanaged systems, and running endpoint detection and response (EDR) in block mode to thwart malicious activity.
Organizations are also encouraged to leverage Microsoft Defender for Endpoint’s automated investigation features and attack surface reduction rules to bolster defenses.
Indicators of Compromise
| Indicator | Type | Description |
| --- | --- | --- |
| C:\ProgramData\SkyPDF\PDUDrv.blf | Path | Dropped during CLFS exploit |
| C:\Windows\system32\dllhost.exe --do | Command line | Injected dllhost |
| bcdedit /set {default} recoveryenabled no | Command line | Ransomware command |
| wbadmin delete catalog -quiet | Command line | Ransomware command |
| wevtutil cl Application | Command line | Ransomware command |
| aaaaabbbbbbb.eastus.cloudapp.azure[.]com | Domain | Used by PipeMagic |
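As an added example (not code from the article or from Microsoft's advisory), the following Python triage script matches the indicators listed above against constructed Sysmon-style event lines; the event line format, the rule names and the severity thresholds are assumptions made for illustration.

```python
import re

# Indicators taken from the table above, expressed as case-insensitive patterns.
# The domain pattern accepts both the defanged "[.]" form and a real dotted name.
IOC_RULES = [
    ("clfs_blf_artifact", re.compile(r"\\ProgramData\\SkyPDF\\PDUDrv\.blf", re.I)),
    ("dllhost_do_injection", re.compile(r"\\dllhost\.exe\s+--do\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("wevtutil_clear_log", re.compile(r"wevtutil(\.exe)?\s+cl\s+Application\b", re.I)),
    ("pipemagic_c2_domain",
     re.compile(r"aaaaabbbbbbb\.eastus\.cloudapp\.azure(\[\.\]|\.)com", re.I)),
]

# Constructed sample events (hypothetical; the format is an assumption, not real telemetry).
SAMPLE_EVENTS = [
    "ProcessCreate Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
    "FileCreate TargetFilename=C:\\ProgramData\\SkyPDF\\PDUDrv.blf",
    "ProcessCreate Image=C:\\Windows\\system32\\dllhost.exe "
    "CommandLine=C:\\Windows\\system32\\dllhost.exe --do C:\\Users\\Public\\note.txt",
    "ProcessCreate Image=C:\\Windows\\System32\\bcdedit.exe "
    "CommandLine=bcdedit /set {default} recoveryenabled no",
    "ProcessCreate Image=C:\\Windows\\System32\\wbadmin.exe CommandLine=wbadmin delete catalog -quiet",
    "DnsQuery QueryName=aaaaabbbbbbb.eastus.cloudapp.azure.com",
]

def match_event(line):
    """Return the names of every IoC rule that matches one event line."""
    return [name for name, rx in IOC_RULES if rx.search(line)]

def scan(lines):
    """Return a list of (1-based line number, matched rule names) for lines that hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = match_event(line)
        if names:
            hits.append((n, names))
    return hits

def triage(lines):
    """Assign a coarse severity: exploit artifacts are 'high', recovery tampering alone is 'medium'."""
    hits = scan(lines)
    names = {name for _, rules in hits for name in rules}
    if names & {"clfs_blf_artifact", "dllhost_do_injection"}:
        return "high", hits
    if names & {"bcdedit_disable_recovery", "wbadmin_delete_catalog", "wevtutil_clear_log"}:
        return "medium", hits
    return "none", hits

if __name__ == "__main__":
    severity, hits = triage(SAMPLE_EVENTS)
    print(severity, hits)
```

The recovery-tampering commands also appear in unrelated ransomware families, which is why they only raise the verdict to medium on their own.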
As ransomware groups like Storm-2460 continue to exploit zero-day vulnerabilities, this incident underscores the importance of timely patching and layered security measures to protect against evolving cyber threats.