A second ransomware group has exploited the Windows zero-day vulnerability CVE-2025-29824 before Microsoft released a patch, highlighting the persistent threat of zero-day exploits in the cybersecurity landscape.
CVE-2025-29824 is a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. This flaw allows attackers to gain elevated privileges on affected systems, enabling them to execute arbitrary code with system-level access. Microsoft addressed this vulnerability in its April 2025 Patch Tuesday updates.
Microsoft reported that a threat actor tracked as Storm-2460 exploited CVE-2025-29824 using a malware loader known as PipeMagic. This group targeted organizations across various sectors, including IT and real estate in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. The attacks involved deploying ransomware after gaining elevated privileges through the CLFS vulnerability.
Symantec’s threat intelligence unit uncovered that another group, known as Balloonfly, also exploited CVE-2025-29824 prior to the patch. In an attack on a U.S. organization, Balloonfly deployed Grixba, an infostealer linked to Play ransomware operations. Notably, no ransomware was activated during this incident.
The exploitation involves interacting with the CLFS driver through specific API calls, leading to a race condition that allows for privilege escalation. Attackers perform simultaneous operations on a file handle, causing the CLFS driver to deallocate memory structures improperly. This deallocation results in a use-after-free condition, enabling attackers to execute arbitrary code with elevated privileges.
The exploitation of CVE-2025-29824 by multiple threat actors underscores the critical need for timely patch management and robust security practices. Organizations are advised to apply the latest security updates promptly and monitor systems for unusual activity. Implementing the principle of least privilege and employing advanced threat detection solutions can further mitigate the risk of such exploits.
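The following PowerShell script is an added example, not part of the original article and not code from Microsoft or Symantec. It shows the kind of patch-status triage a defender would run against the advice above: it lists updates installed on or after the April 2025 Patch Tuesday (2025-04-08, derived from the article's "April 2025 Patch Tuesday") and reads the on-disk version of the CLFS driver (clfs.sys). The minimum patched driver version is not given on this page, so it is left as a placeholder that must be filled in from the Microsoft advisory before the comparison is meaningful.

```powershell
# Added example (not from the original article or its sources): defender-side
# check of whether a host has received the update that fixes CVE-2025-29824.
# Assumptions: the 2025-04-08 date is the April 2025 Patch Tuesday referenced
# in the article; $MinimumClfsVersion is a PLACEHOLDER to be replaced with the
# fixed clfs.sys file version from the Microsoft advisory.

param(
    [datetime]$PatchTuesday = [datetime]'2025-04-08',
    # PLACEHOLDER: set to the patched clfs.sys version from the advisory.
    [version]$MinimumClfsVersion = [version]'0.0.0.0'
)

function Get-ClfsDriverInfo {
    # Read the version stamped into the CLFS driver binary on disk.
    $path = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    $item = Get-Item -LiteralPath $path -ErrorAction Stop
    $vi   = $item.VersionInfo
    # Build a [version] from the numeric parts rather than parsing the string form.
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path        = $path
        FileVersion = $fileVersion
        LastWrite   = $item.LastWriteTimeUtc
    }
}

function Get-UpdatesSince {
    # Hotfixes recorded by Windows with an install date on or after $Since.
    param([datetime]$Since)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending
}

$driver  = Get-ClfsDriverInfo
$updates = Get-UpdatesSince -Since $PatchTuesday

Write-Host "clfs.sys version : $($driver.FileVersion) (last written $($driver.LastWrite) UTC)"

if ($MinimumClfsVersion -eq [version]'0.0.0.0') {
    Write-Warning 'MinimumClfsVersion is still the placeholder; fill it in from the advisory before trusting the version comparison.'
} elseif ($driver.FileVersion -lt $MinimumClfsVersion) {
    Write-Warning "clfs.sys is older than the expected patched build ($MinimumClfsVersion); the host may still be exposed to CVE-2025-29824."
} else {
    Write-Host "clfs.sys meets or exceeds the expected patched build ($MinimumClfsVersion)."
}

if (-not $updates) {
    Write-Warning "No updates recorded since $($PatchTuesday.ToShortDateString()); verify patch status through your update management tooling."
} else {
    Write-Host "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $updates | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt on each host, or wrap it in a remoting job for fleet-wide coverage. Get-HotFix only reflects what the local servicing stack recorded, so treat the driver version check as the authoritative signal once the placeholder is replaced with the advisory's value.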