09 Apr

Microsoft Threat Intelligence has disclosed active exploitation of a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824. The exploit, used in the wild, enabled attackers to escalate privileges on compromised machines and deliver ransomware payloads.
The exploitation activity has been attributed to Storm-2460, a financially motivated threat actor group also linked to the PipeMagic backdoor and RansomEXX ransomware operations.
The attacks targeted a small number of organizations across various sectors, including:
Information technology (IT) and real estate in the United States
The financial sector in Venezuela
A software company in Spain
The retail sector in Saudi Arabia

The vulnerability, tracked as CVE-2025-29824, is located in the Common Log File System (CLFS) kernel driver. Successful exploitation of this zero-day flaw allows an attacker with a standard user account to escalate their privileges. Microsoft released security updates on April 8, 2025, to address this vulnerability.
Microsoft’s investigation revealed that the CLFS zero-day exploit was deployed by PipeMagic malware. The exploitation activity is attributed to Storm-2460, a threat actor also known to use PipeMagic to deliver ransomware.
The Microsoft report emphasizes the value of elevation of privilege exploits to ransomware actors, stating: “Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access.” This escalated access allows the attackers to achieve “widespread deployment and detonation of ransomware within an environment.”
Following successful exploitation, the attackers injected a payload into winlogon.exe. This payload, in turn, injected the Sysinternals procdump.exe tool to dump the memory of the LSASS process and obtain user credentials.
The report states that “Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !READ_ME_REXX2!.txt was dropped.”
Microsoft strongly advises organizations to “prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.”
Specifically, customers are urged to apply the security updates released on April 8, 2025, to address CVE-2025-29824 as soon as possible. Notably, “Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present.”
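The post-exploitation chain described above (an unexpected child of winlogon.exe, procdump.exe reading LSASS memory, and the !READ_ME_REXX2!.txt note being written) can be hunted for in endpoint telemetry. The following is an added example and not Microsoft's detection logic or any content of the report; the pipe-delimited event format, the constructed sample events and the allowlist of expected winlogon.exe children are assumptions.

```python
"""Flag the Storm-2460 post-exploitation behaviour in process/file telemetry.
Example code, not Microsoft's detection logic."""
import re

# Constructed sample events (assumed minimal Sysmon-like layout):
#   "<event_id>|<parent_image>|<image>|<command_line or target_file>"
# Event ID 1 = process creation, Event ID 11 = file creation.
SAMPLE_EVENTS = [
    r"1|C:\Windows\System32\winlogon.exe|C:\Users\Public\procdump.exe|procdump.exe -accepteula -ma lsass.exe out.dmp",
    r"1|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"11|C:\Windows\System32\winlogon.exe|C:\Users\Public\svc.exe|C:\Users\alice\Documents\!READ_ME_REXX2!.txt",
    r"1|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

# Assumed allowlist of processes winlogon.exe normally spawns; tune per environment.
ALLOWED_WINLOGON_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}

# Sysinternals procdump (32- or 64-bit name) with lsass named anywhere on the command line.
LSASS_DUMP = re.compile(r"(?i)\bprocdump(?:64)?\.exe\b.*\blsass(?:\.exe)?\b")
RANSOM_NOTE = "!read_me_rexx2!.txt"  # note name reported by Microsoft, lower-cased for matching


def parse(line):
    """Split one pipe-delimited event into a dict; paths are lower-cased for comparison."""
    event_id, parent, image, detail = line.split("|", 3)
    return {"id": int(event_id), "parent": parent.lower(), "image": image.lower(), "detail": detail}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(event):
    """Return the list of findings (possibly empty) for a single parsed event."""
    findings = []
    if event["id"] == 1:
        if basename(event["parent"]) == "winlogon.exe" and basename(event["image"]) not in ALLOWED_WINLOGON_CHILDREN:
            findings.append("unexpected child of winlogon.exe")
        if LSASS_DUMP.search(event["detail"]):
            findings.append("procdump targeting lsass")
    elif event["id"] == 11 and basename(event["detail"].lower()) == RANSOM_NOTE:
        findings.append("ransom note dropped")
    return findings


def scan(lines):
    """Run classify() over raw event lines; returns (line_index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in classify(parse(line))]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Event 0 trips two rules at once (unexpected winlogon.exe child and an LSASS dump), which is the combination worth alerting on rather than either signal alone.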
