Microsoft disclosed the exploitation of a security vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824, in recent ransomware attacks. The vulnerability allowed attackers to escalate privileges and gain SYSTEM-level access to targeted systems. These attacks were aimed at a limited number of organizations, including those in IT, real estate, finance, and retail sectors in the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft patched the flaw during the April 2025 Patch Tuesday update but also delayed the release for certain Windows 10 versions.
The exploitation of CVE-2025-29824 was tied to the RansomEXX ransomware gang, tracked by Microsoft as Storm-2460. The attackers leveraged the PipeMagic malware, a malicious MSBuild file, to deploy the exploit and infect systems. Once access was gained, the attackers used their elevated privileges to deploy ransomware payloads and encrypt files.
The exploitation of this flaw allowed for the dumping of user credentials from the LSASS process, further aiding the attackers in their mission.
PipeMagic has been previously linked to other zero-day flaws in the Windows CLFS, including CVE-2023-28252 and CVE-2025-24983. This malware, which provides full remote access to infected systems, has been observed in multiple attacks, including those involving Nokoyawa ransomware. In these cases, it was used to install additional malicious payloads and enable lateral movement within compromised networks.
Microsoft revealed that, although the exact attack vector is unknown, certutil was observed being used to download the malware from a compromised third-party site.
Importantly, Windows 11 version 24H2 is not affected by this specific exploit due to enhanced access restrictions. Microsoft urges users to apply the security updates as soon as possible to mitigate the risks posed by this zero-day vulnerability. Despite not being able to analyze a sample of the ransomware, Microsoft noted that the ransom note found after encryption contained a TOR domain tied to the RansomEXX group. The exploitation of low-complexity flaws like CVE-2025-29824 highlights the growing risks of privilege escalation in modern ransomware attacks.
