Cybercriminals are exploiting a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) to deploy ransomware, according to a report by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
The vulnerability, tracked as CVE-2025-29824, is a “use-after-free” bug in the CLFS driver that allows attackers who have already compromised a system to gain higher privileges on it. This post-compromise elevation-of-privilege vulnerability has been given a high severity score of 7.8 out of 10. Exploiting the flaw lets threat actors elevate their privileges locally, which is particularly valuable to ransomware operators because it lets them spread ransomware more effectively within an organization’s environment.
Microsoft notes that ransomware threat actors value post-compromise elevation of privilege exploits because these enable them to escalate initial access into privileged access. They then use this privileged access for the widespread deployment and detonation of ransomware within an environment. The vulnerability is being actively exploited by a cybercriminal group identified as Storm-2460.
Storm-2460 is using the vulnerability to deploy PipeMagic, a backdoor trojan that facilitates the subsequent deployment of ransomware. In the observed attacks, the ransomware deployed is RansomEXX, a variant that is not particularly popular or well-known. The attacks have targeted a small number of organizations, primarily in the IT, finance, and retail sectors, across the United States, Venezuela, Spain, and Saudi Arabia.
Microsoft publicly disclosed the security advisory regarding this vulnerability on April 8. The company strongly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold. The exploitation of this vulnerability follows a pattern where ransomware groups value any method that helps escalate their access from initial infection to deeper, more privileged system control, making defenses against such exploits critical.