{"id":714,"date":"2025-04-09T18:40:46","date_gmt":"2025-04-09T18:40:46","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4301530"},"modified":"2025-04-09T18:40:46","modified_gmt":"2025-04-09T18:40:46","slug":"microsoft-windows-clfs-vulnerability-could-lead-to-widespread-deployment-and-detonation-of-ransomware","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/04\/09\/microsoft-windows-clfs-vulnerability-could-lead-to-widespread-deployment-and-detonation-of-ransomware\/","title":{"rendered":"Microsoft: Windows CLFS Vulnerability Could Lead to \u2018Widespread Deployment and Detonation of Ransomware\u2019"},"content":{"rendered":"
\"Flat
Image: nicescene\/Adobe Stock<\/figcaption><\/figure>\n

Microsoft has detected a zero-day vulnerability in the Windows Common Log File System (CLFS) being exploited in the wild to deploy ransomware. Target industries include IT, real estate, finance, software, and retail, with companies based in the US, Spain, Venezuela, and Saudi Arabia.<\/p>\n

The vulnerability, tracked as CVE-2025-29824 and rated \u201cimportant,\u201d is present in the CLFS kernel driver. It allows an attacker who already has standard user access to a system to escalate their local privileges. The individual can then use their privileged access for \u201cwidespread deployment and detonation of ransomware within an environment,\u201d according to a blog post by the Microsoft Threat Intelligence Center<\/a>.<\/p>\n

The CFLS driver is a key element of Windows used to write transaction logs, and its misuse could let an attacker gain SYSTEM privileges. From there, they could steal data or install backdoors. Microsoft often uncovers privilege escalation flaws in CFLS, the last one being patched in December<\/a>.<\/p>\n

In instances of CVE-2025-29824 exploitation observed by Microsoft, the so-called \u201cPipeMagic\u201d malware was deployed before the attackers could exploit the vulnerability to escalate their privileges. PipeMagic gives attackers remote control over a system and lets them run commands or install more malicious tools.<\/p>\n

SEE: TechRepublic Exclusive: New Ransomware Attacks are Getting More Personal<\/a> as Hackers \u2018Apply Psychological Pressure\u2019<\/strong><\/p>\n

<\/span>Who is behind the exploitation?<\/span><\/h2>\n

Microsoft has identified Storm-2460 as the threat actor exploiting this vulnerability with PipeMagic and ransomware, linking it to the RansomEXX group.<\/p>\n

Once known as Defray777, the attackers came onto the scene in 2018. They have since targeted high-profile organisations such as the Texas Department of Transportation, the Brazilian government, and Taiwanese hardware manufacturer GIGABYTE. The group has been linked to Russian nationals<\/a>.<\/p>\n

The US\u2019s cyber agency has added the 7.8-rated vulnerability to its Known Exploited Vulnerabilities list<\/a>, meaning that federal civilian agencies are required to apply the patch by April 29.<\/p>\n

<\/span>Windows 10, Windows 11, and Windows Server are vulnerable<\/span><\/h2>\n

On April 8, security updates were released to patch the vulnerability in Windows 11, Windows Server 2022, and Windows Server 2019. Windows 10 x64-based and 32-bit systems are still awaiting fixes, but Redmond says they will be released \u201cas soon as possible<\/a>,\u201d and \u201ccustomers will be notified via a revision to this CVE information\u201d as soon as they are.<\/p>\n

Devices running Windows 11 version 24H2 or newer cannot be exploited this way, even if the vulnerability exists. Access to the required system information is restricted to users with the \u201cSeDebugPrivilege\u201d permission, a level of access typically unavailable to standard users.<\/p>\n