
Ransomware attacks leverage unfixed Windows CLFS vulnerability

Hackers, identified as Storm-2460, have employed PipeMagic malware to enable their cyber assaults.

Ransomware attacks are now leveraging an unpatched Windows CLFS vulnerability.

**Breaking News: Widespread Impact of Zero-Day Vulnerability CVE-2025-29824**

A zero-day vulnerability, CVE-2025-29824, has been discovered in the Windows Common Log File System (CLFS), allowing attackers to escalate privileges from a standard user to SYSTEM level. This vulnerability has been exploited by threat actors, including the Storm-2460 group, to deploy ransomware payloads via the PipeMagic malware.

### Exploitation Details

The exploit is delivered through the PipeMagic malware, which is used to facilitate the deployment of ransomware payloads. By exploiting this vulnerability, attackers can gain high-level access to systems, significantly enhancing their ability to carry out malicious activities, such as installing ransomware.

### Affected Systems

The vulnerability potentially affects any system running vulnerable versions of Windows, though Windows 11, version 24H2, has not been reported to be affected by the observed exploitation.

### Mitigation

Microsoft released security updates on April 8, 2025, to address CVE-2025-29824. Users are advised to apply these updates urgently and enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus products.

### Threat Actors

The Storm-2460 group has been identified as a key actor in exploiting this vulnerability, and other groups like the Play ransomware group have also been reported to be exploiting CVE-2025-29824.

### Targeted Industries

Beyond the attacks on IT and real estate companies in the U.S., the financial sector in Venezuela, the retail sector in Saudi Arabia, and a Spanish software firm were also targeted.

### Overall Impact on Ransomware Attacks

The exploitation of CVE-2025-29824 highlights the growing use of zero-day vulnerabilities in ransomware attacks, demonstrating the critical need for timely patches and robust security measures to protect against such threats.
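The two mitigations above (install the April 8, 2025 updates, enable cloud-delivered protection) can be verified from a single host with the added example below. It is not code from the article or from Microsoft; it assumes Windows PowerShell with the built-in Defender module, filters installed updates by the April 8, 2025 release date because the article names no KB numbers, and only reports the CLFS driver version because the fixed build number is not given here either.

```powershell
# Added example: post-patch triage for CVE-2025-29824 on one Windows host.
# Assumes Windows PowerShell 5.1+ with the Defender module (Get-MpPreference etc.).
$PatchTuesday = Get-Date -Year 2025 -Month 4 -Day 8

function Get-ClfsPatchStatus {
    # Updates installed on or after the April 8, 2025 release are candidates for the CLFS fix
    # (no KB number is given in the article, so the release date is used as the filter).
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
    # Report the CLFS driver version so it can be compared against the fixed build for this OS;
    # the fixed version is not stated in the article and must be taken from the MSRC advisory.
    $clfs = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys')
    [pscustomobject]@{
        OsBuild            = [System.Environment]::OSVersion.Version.ToString()
        UpdatesSinceApr8   = @($recent | Select-Object -ExpandProperty HotFixID)
        ClfsDriverVersion  = $clfs.VersionInfo.FileVersion
        ClfsDriverModified = $clfs.LastWriteTime
    }
}

function Test-CloudProtection {
    # Cloud-delivered protection is the Defender setting the article recommends enabling.
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        CloudProtection    = ($pref.MAPSReporting -ne 0)
        MapsReportingLevel = $pref.MAPSReporting
        SampleSubmission   = $pref.SubmitSamplesConsent
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

function Enable-CloudProtection {
    # Remediation (run elevated): advanced MAPS reporting plus automatic submission of safe samples.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
}

$patch = Get-ClfsPatchStatus
$cloud = Test-CloudProtection
$patch | Format-List
$cloud | Format-List
if (-not $patch.UpdatesSinceApr8) {
    Write-Warning 'No updates installed since 2025-04-08; install the April 2025 cumulative update.'
}
if (-not $cloud.CloudProtection) {
    Write-Warning 'Cloud-delivered protection is off; run Enable-CloudProtection as administrator.'
}
```

Get-HotFix lists only updates recorded by Windows Update's quick-fix engineering store, so a host patched through other channels may need the driver version compared against the advisory instead.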

This vulnerability is a second attack vector alongside the previously known CVE-2025-24983: researchers at ESET also observed PipeMagic being used with a zero-day exploit for that Win32 vulnerability. The Cybersecurity and Infrastructure Security Agency has added CVE-2025-29824 to its Known Exploited Vulnerabilities catalog.

Microsoft researchers identified the CLFS kernel driver vulnerability as the target of the current attacks. The malware used in the attacks was hosted on a legitimate third-party website that had been compromised for that purpose; the observed threat actor used the certutil utility to download it from there.

PipeMagic malware functions both as a backdoor and a gateway. At the time of its discovery, PipeMagic was used in attacks in Asia. Later, it was found in backdoor attacks in Saudi Arabia, using a fake ChatGPT application as a lure.

Stay vigilant and apply the necessary updates to protect your systems from such threats.

  1. The PipeMagic malware, used in the exploitation of CVE-2025-29824, serves as a tool for ransomware deployment, escalating attackers' ability to carry out malicious activities.
  2. Cybersecurity experts have identified the Storm-2460 group as a primary player in exploiting CVE-2025-29824, while other groups like the Play ransomware group have also been implicated.
  3. The widespread impact of this vulnerability is underscored by its potential to affect any system running vulnerable versions of Windows, though Windows 11, version 24H2, has not been observed to be affected.
  4. The exploitation of CVE-2025-29824 represents another alarming instance of zero-day vulnerabilities being leveraged in ransomware attacks, emphasizing the importance of robust security measures and timely patches.
