Ethical Hacking News
A critical zero-day vulnerability in the Windows Common Log File System (CLFS) has been exploited by a ransomware gang, allowing them to gain SYSTEM privileges on compromised systems. Microsoft has issued security updates for impacted versions and urges customers to apply them as soon as possible to mitigate the risk of exploitation.
Microsoft has identified a critical zero-day vulnerability in Windows CLFS (CVE-2025-29824) that has been exploited by a ransomware gang.
The vulnerability allows local attackers with low privileges to gain SYSTEM privileges, making it highly exploitable.
The attacks affected organizations in the IT, real estate, financial, software, and retail sectors.
The RansomEXX ransomware operation, known for targeting high-profile organizations, has been linked to the attacks.
The PipeMagic backdoor malware was used as a vector for exploitation and for lateral movement through victims' networks.
Customers are urged to apply patches as soon as possible to mitigate the risk of exploitation.
Microsoft has sounded the alarm on a critical zero-day vulnerability in the Windows Common Log File System (CLFS), which a ransomware gang has exploited to gain SYSTEM privileges on compromised systems. According to Sergiu Gatlan, a news reporter who has covered cybersecurity and technology developments for over a decade, the vulnerability, tracked as CVE-2025-29824, was patched during this month's Patch Tuesday.
The vulnerability in question is due to a use-after-free weakness that allows local attackers with low privileges to gain SYSTEM privileges in low-complexity attacks that don't require user interaction. This makes it a highly exploitable vulnerability for ransomware gangs and other malicious actors looking to gain unauthorized access to systems.
Microsoft has issued security updates for impacted Windows versions, but patches for Windows 10 x64 and 32-bit systems have been delayed; the company states that they will be released as soon as possible. The affected targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.
The ransomware gang behind the attacks has been linked to the RansomEXX ransomware operation, which is believed to have started as Defray in 2018 but was rebranded to RansomEXX and became much more active starting June 2020. The RansomEXX gang has also targeted high-profile organizations, including computer hardware giant GIGABYTE, Konica Minolta, the Texas Department of Transportation (TxDOT), Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.
The attackers first installed the PipeMagic backdoor malware on compromised systems, which was used to deploy the CVE-2025-29824 exploit, ransomware payloads, and a read-me note after encrypting files. This is not an isolated incident; the RansomEXX gang has also been using PipeMagic to deploy exploits targeting a Windows Win32 Kernel Subsystem zero-day (CVE-2025-24983) since March 2023.
PipeMagic is a highly versatile backdoor malware that can harvest sensitive data, provide full remote access to infected devices, and enable attackers to deploy additional malicious payloads to move laterally through victims' networks. The malware was discovered by Kaspersky in 2022 while investigating Nokoyawa ransomware attacks.
The RansomEXX operation has gained notoriety for its brazen tactics, including targeting high-profile organizations and using a variety of exploits and backdoors to gain access to systems. Even though this vulnerability was exploited in only a limited number of attacks, the activity is concerning, as it highlights the risks that critical zero-day vulnerabilities pose before patches are available.
Microsoft urges customers to apply these updates as soon as possible to mitigate the risk of exploitation by this ransomware gang. Customers running Windows 11, version 24H2 were not affected by the observed exploitation, even though the vulnerability was present in that version.
In conclusion, this critical zero-day vulnerability in the Windows CLFS has been exploited by a ransomware gang to gain unauthorized access to systems. Microsoft's prompt response and issuance of security updates for impacted versions highlight the company's commitment to protecting its customers from these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Warns-of-Critical-Windows-CLFS-Zero-Day-Exploitation-by-Ransomware-Gang-ehn.shtml
Published: Tue Apr 8 14:51:07 2025 by llama3.2 3B Q4_K_M