Skip to main content
close search
site logo
Dive Brief

Windows CLFS zero-day exploited in ransomware attacks

A threat actor tracked as Storm-2460 has used PipeMagic malware to facilitate the attacks.

Published April 9, 2025
David Jones's headshot
Reporter
Microsoft AI antitrust concerns
A zero-day vulnerability in Windows CLFS is being exploited to deploy ransomware, targeting IT and real estate sectors in the U.S. jeenah Moon via Getty Images

Dive Brief:

  • Attackers are exploiting a zero-day vulnerability in the Windows Common Log File System to deploy ransomware against various targets, including information technology and real estate organizations in the U.S., according to researchers at Microsoft. ‘
  • Researchers who discovered the flaw said the exploit had been deployed via PipeMagic malware. A threat actor tracked as Storm-2460 has used PipeMagic to deploy ransomware, according to researchers. 
  • The flaw, tracked as CVE-2025-29824, is an elevation of privilege vulnerability that allows an attacker running a standing user account to escalate privileges.Microsoft released security updates Tuesday to address the issue.

Dive Insight:

PipeMagic, which functions both as a backdoor and a gateway, was discovered in 2022 by Kaspersky researchers. The malware at that time was used in attacks in Asia and was later found in backdoor attacks in Saudi Arabia, using a fake ChatGPT application as a lure. 

Researchers at ESET also observed in PipeMagic in connection with a zero-day exploit of a Win32 vulnerability, which is tracked as CVE-2025-24983

“Our vulnerability report, including PipeMagic samples, possibly led Microsoft to do further investigation on their own and resulted in their recent discovery of CVE-2025-29824,” Filip Jurcacko, senior malware researcher at ESET, said via email. 

Beyond the attacks on IT and real estate companies in the U.S., the financial sector in Venezuela, the retail sector in Saudi Arabia and a Spanish software firm were all targeted, according to Microsoft researchers. 

Microsoft said it has not determined the initial access vectors for the current attacks but has observed the threat actor downloading the certutil from a legitimate third-party website that was previously compromised to host the malware. 

The exploit targets a vulnerability in the CLFS kernel driver, according to Microsoft researchers. Customers running Windows 11 version 24H2 were not affected by the observed threat activity, even in cases where the vulnerability exists, according to Microsoft.

The Cybersecurity and Infrastructure Security Agency has added CVE-2025-29824 to its known exploited vulnerabilities catalog. 

Editors' picks

Company Announcements

View all | Post a press release
As Attacks Grow on Critical Infrastructure, New RunSafe Tool Scores Hidden Threats in Embedded…
From RunSafe Security
April 07, 2025
Monro Data Breach Investigation
From Migliaccio & Rathod LLP
March 26, 2025
98% of Brands Targeted by Cyber Attacks in 2024 – BrandShield CyberScam Report Reveals Rising …
From BrandShield
April 02, 2025
Lafayette Federal Credit Union Data Breach Investigation
From Migliaccio & Rathod LLP
March 24, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.