Microsoft’s April 2025 Patch Tuesday rollout includes a critical fix for an actively exploited zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824, which threat actors have used to launch ransomware attacks across multiple sectors.
The vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), which observed exploitation of the flaw in targeted post-compromise intrusions. Microsoft attributes the activity to Storm-2460, a ransomware group known for deploying the PipeMagic malware framework to elevate privileges and execute ransomware payloads within compromised environments.
Ransomware attack details
According to Microsoft’s analysis, attackers initially delivered PipeMagic via a malicious MSBuild file downloaded using certutil from compromised web infrastructure. The malware, decrypted and executed via API abuse (EnumCalendarInfoA), then leveraged the CLFS zero-day to escalate privileges on affected systems.
The flaw resides in how the CLFS driver handles memory operations, specifically allowing manipulation of log file buffers to corrupt memory structures and enable token privilege escalation.
The exploit was executed in memory from a dllhost.exe process and targeted the CLFS.sys kernel driver, allowing attackers to leak kernel addresses using NtQuerySystemInformation, followed by a memory corruption that overwrites the process token via RtlSetAllBits, effectively granting SYSTEM-level privileges.
Once privilege escalation was achieved, attackers injected malware into winlogon.exe, extracting credentials from LSASS using ProcDump and finally executing a ransomware payload. The ransomware encrypted files with random extensions, dropped a ransom note titled !READ_ME_REXX2!.txt, and connected to Tor sites associated with RansomEXX operations.
Microsoft notes that the exploit activity impacted a limited number of targets, including:
- IT and real estate firms in the United States,
- A financial institution in Venezuela,
- A Spanish software company,
- Retail organizations in Saudi Arabia.
It is clarified that devices running Windows 11, version 24H2, are not vulnerable to the exploit due to enhanced security controls restricting the misuse of NtQuerySystemInformation API by non-privileged users.
Broader Windows update scope
The April update addresses 126 CVEs across Windows components, Office, Azure services, and Microsoft Edge. Among those, there are four zero-day vulnerabilities that are under active exploitation or carry a higher risk of exploitation:
- CVE-2025-29812 (Windows Kernel Memory)
- CVE-2025-27727 (Windows Installer)
- CVE-2025-29792 (Microsoft Office)
- CVE-2025-29824 (Windows CLFS)
Microsoft strongly urges organizations to prioritize patching Windows systems, especially if not yet running version 24H2. Additional defensive recommendations include enabling cloud-delivered protection in Microsoft Defender Antivirus, running EDR in block mode to prevent malware even when primary AV does not detect threats, and using attack surface reduction rules in Microsoft Defender for Endpoint to block common post-exploitation techniques.
Admins suspecting a breach are recommended to audit systems for signs of dllhost.exe spawning with abnormal command lines or injecting into winlogon.exe, investigate logs for LSASS memory dumps or commands like ‘bcdedit /set {default} recoveryenabled no.=,’ and monitor for suspicious outbound connections to Tor domains.
Windows users can apply the latest security update via Settings > Update & Security > Windows Update, and click on Check for updates. Windows will automatically download and install available security updates for your Windows 11 build. It’s also possible to manually retrieve the April 8, 2025, cumulative updates (e.g., KB5055528 for Windows 11 23H2/22H2) from the Microsoft Update Catalog.
After the update is finished, a system reboot will be required for the changes to apply.
Note that the latest update causes certain issues with Citrix components, so make sure to check the available workarounds on the release announcement page to ensure a smooth process.
Leave a Reply