Full Report
Microsoft said Storm-2460 has exploited the zero-day in the Windows Common Log File System to attack organizations in the U.S., Venezuela, Spain and Saudi Arabia. Source article: "Microsoft patches zero-day actively exploited in string of ransomware attacks" (CyberScoop).
Analysis Summary
# Vulnerability: Windows CLFS Zero-Day Exploited for Ransomware
## CVE Details
- CVE ID: CVE-2025-29824
- CVSS Score: 7.8 (High)
- CWE: Not stated in the source; the flaw is a local privilege escalation (elevation of privilege).
## Affected Systems
- Products: Windows (specific product lines are not detailed; the flaw is confirmed to be in the Windows Common Log File System, CLFS).
- Versions: All versions covered by Microsoft's April 2025 security update.
- Configurations: Any system running a Windows version that ships the vulnerable CLFS component.
## Vulnerability Description
This is a zero-day vulnerability in the Windows Common Log File System (CLFS). Successful exploitation lets a local attacker who already runs code as a standard user escalate to the highest privilege level on the system. This elevation of privilege is the step ransomware operators need to move from initial low-privileged access to the level of access required to deploy and execute ransomware widely.
## Exploitation
- Status: Actively exploited in the wild by the threat actor Storm-2460.
- Complexity: Not stated in the source; assumed low to medium, given that ransomware operators are already using it against live targets.
- Attack Vector: Local (the attacker must already be able to run code under a standard user account). Exploitation was observed in conjunction with the PipeMagic malware.
## Impact
- Confidentiality: High (Full system compromise allows access to sensitive data).
- Integrity: High (Allows modification of system files and registry settings, deployment of malware).
- Availability: High (Leads to system compromise and ransomware detonation).
## Remediation
### Patches
- Microsoft's April 2025 Security Update addressing CVE-2025-29824. (Specific patched version numbers were not detailed in the summary source.)
### Workarounds
- No specific workarounds are described in the source; applying the April 2025 update is the stated remedy, with general hardening practices as a complement.
## Detection
- Indicators of Compromise (IOCs): Presence of the PipeMagic malware, which was observed alongside the privilege escalation attempts.
- Detection methods and tools: Monitor for anomalous privilege escalation originating from standard user accounts, particularly activity that touches the CLFS component. Because the exploit is used by Storm-2460, endpoint detection and response (EDR) tooling should be configured to alert on this group's known TTPs.
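As an added defender-side example (not code from the source article or from Microsoft), the PowerShell snippet below inventories a host's exposure: it reports the file version of the CLFS driver and lists hotfixes installed on or after the 8 April 2025 release date given in the references. The patched driver version is not stated on this page, so it is a labelled placeholder that must be filled in from the vendor advisory before the comparison is meaningful.

```powershell
# Triage check for CVE-2025-29824 exposure on a Windows host.
# Assumptions: clfs.sys lives in System32\drivers (standard location);
# $PatchedClfsVersion is a PLACEHOLDER, take the real value from the MSRC advisory.
$PatchedClfsVersion = [version]'0.0.0.0'   # PLACEHOLDER, replace before use
$PatchReleaseDate   = Get-Date '2025-04-08'

# 1. Read the installed CLFS driver version.
$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
if (-not (Test-Path $clfsPath)) {
    Write-Warning "clfs.sys not found at $clfsPath; cannot assess."
    return
}
$clfsVersion = [version](Get-Item $clfsPath).VersionInfo.FileVersion.Split(' ')[0]
Write-Output "CLFS driver version: $clfsVersion"

# 2. List hotfixes installed since the April 2025 update went out.
$recentFixes = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate } |
    Sort-Object InstalledOn
if ($recentFixes) {
    Write-Output 'Updates installed on or after 2025-04-08:'
    $recentFixes | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No updates installed since 2025-04-08; host is likely unpatched.'
}

# 3. Compare against the placeholder patched version (only valid once filled in).
if ($PatchedClfsVersion -eq [version]'0.0.0.0') {
    Write-Warning 'Set $PatchedClfsVersion from the vendor advisory to get a verdict.'
} elseif ($clfsVersion -lt $PatchedClfsVersion) {
    Write-Output 'VERDICT: CLFS driver older than patched build; remediate.'
} else {
    Write-Output 'VERDICT: CLFS driver at or above patched build.'
}
```

Run it from an elevated session on each host and feed the output into your vulnerability tracking; the script observes state only and changes nothing.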
## References
- Vendor Advisory: [msrc.microsoft.com/update-guide/releaseNote/2025-Apr] (Defanged)
- Microsoft Research Note: [www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/] (Defanged)