Microsoft has uncovered a sophisticated ransomware campaign exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824.
The vulnerability allows attackers to escalate privileges from a standard user account to SYSTEM level, enabling widespread deployment of ransomware within compromised environments.
Exploitation Details
The exploit, deployed by the threat actor known as Storm-2460, uses the PipeMagic malware to gain initial access.
This malware, previously documented by Kaspersky in October 2024, was used in conjunction with a zero-day exploit for a Win32k vulnerability (CVE-2025-24983) observed by ESET in 2023.
The attackers leverage the certutil utility to download a malicious MSBuild file from a compromised legitimate third-party website, which then decrypts and executes PipeMagic via the EnumCalendarInfoA API callback.
Once PipeMagic is deployed, the attackers launch the CLFS exploit in memory from a dllhost.exe process.
The exploit targets a vulnerability in the CLFS kernel driver, using the NtQuerySystemInformation API to leak kernel addresses to user mode.
However, this exploit does not work on Windows 11, version 24H2, due to restricted access to certain System Information Classes.
The exploit then employs memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token, granting all privileges and allowing for process injection into SYSTEM processes.
A notable artifact of this exploitation is the creation of a CLFS BLF file at C:\ProgramData\SkyPDF\PDUDrv.blf.
Ransomware Deployment
Following successful exploitation, the attackers inject a payload into winlogon.exe, which then uses Sysinternals procdump.exe to dump the memory of LSASS, extracting user credentials.
This leads to the deployment of ransomware, encrypting files and appending a random extension.
A ransom note named !READ_ME_REXX2!.txt is dropped, containing two .onion domains linked to the RansomEXX ransomware family.
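The artifacts named above (the certutil download, the BLF file path, procdump run from winlogon.exe, and the ransom note name) can be turned into simple triage rules. The following is an added example, not code from Microsoft or from the original article; the event field names (`host`, `image`, `parent_image`, `command_line`, `target_filename`), the rule names, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Page artifacts, lower-cased for case-insensitive comparison.
BLF_PATH = r"c:\programdata\skypdf\pdudrv.blf"
RANSOM_NOTE = "!read_me_rexx2!.txt"
PROCDUMP_NAMES = ("procdump.exe", "procdump64.exe")

def match_indicators(event):
    """Return the rule names triggered by one event record (a dict)."""
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmd = event.get("command_line", "").lower()
    target = event.get("target_filename", "").lower()
    hits = []
    if image == "certutil.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("certutil_remote_download")
    if image in PROCDUMP_NAMES:
        # LSASS may be given by PID, so the parent check is independent.
        if "lsass" in cmd:
            hits.append("procdump_lsass")
        if parent == "winlogon.exe":
            hits.append("procdump_from_winlogon")
    if target == BLF_PATH:
        hits.append("clfs_blf_artifact")
    if target and ntpath.basename(target) == RANSOM_NOTE:
        hits.append("ransomexx_note")
    return hits

def triage(events):
    """Collect hits per host so several stages on one machine stand out."""
    by_host = {}
    for ev in events:
        for rule in match_indicators(ev):
            by_host.setdefault(ev.get("host", "unknown"), []).append(rule)
    return by_host

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe [options] https://example.invalid/sample.proj"},
    {"host": "ws01", "image": r"C:\Windows\System32\dllhost.exe",
     "target_filename": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"host": "ws01", "image": r"C:\Tools\procdump.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe",
     "command_line": "procdump.exe [options] 712 out.dmp"},
    {"host": "ws01", "target_filename": r"C:\Users\alice\Documents\!READ_ME_REXX2!.txt"},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe [options] report.pdf"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns the rules hit per host; several distinct rules on the same machine are a stronger signal than any single hit.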
Microsoft released security updates to address CVE-2025-29824. Customers running Windows 11, version 24H2, are not affected by this exploit.
Microsoft recommends applying these updates promptly and implementing several mitigation strategies:
- Enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent products to cover rapidly evolving attacker tools.
- Use device discovery to identify and onboard unmanaged devices to Microsoft Defender for Endpoint.
- Run Endpoint Detection and Response (EDR) in block mode to remediate malicious artifacts post-breach.
- Enable investigation and remediation in full automated mode to reduce alert volume and deploy missed updates.
This campaign underscores the importance of timely patching and robust security measures to defend against sophisticated ransomware attacks leveraging zero-day vulnerabilities.