Exploitation of CLFS zero-day leads to ransomware activity
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver, tracked as CVE-2025-29824, has been exploited against targets in the IT, real estate, finance, software and retail sectors across multiple countries. Microsoft attributes the activity to Storm-2460 and released a fix on April 8, 2025. The bug is a local privilege escalation: it gives an attacker who already runs code on the host SYSTEM privileges, so it is chained after an initial foothold rather than used for initial access. In the observed intrusions the attackers downloaded a malicious MSBuild file that unpacked and launched the PipeMagic backdoor; PipeMagic then delivered the CLFS exploit, which was used to inject a payload into a system process running as SYSTEM. Post-exploitation activity included credential theft (including dumping LSASS memory) and deployment of ransomware that Microsoft links to the RansomEXX family on the basis of the ransom note. Microsoft recommends applying the April 2025 update immediately and has published mitigations, detection coverage and hunting queries. One caveat for prioritisation: Windows 11 version 24H2 is not affected by the observed exploitation, because the kernel information-leak primitive the exploit depends on is restricted to accounts holding SeDebugPrivilege on that release.
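The chain described above (an MSBuild-delivered loader, a kernel elevation of privilege to SYSTEM, then LSASS credential theft) can be hunted for in ordinary process telemetry. The block below is an added example written for this page; it is not Microsoft's published hunting queries and contains no PipeMagic- or CVE-specific indicators. It assumes Sysmon-style ProcessCreate (EventID 1) and ProcessAccess (EventID 10) events with Sysmon's field names, and the hosts, paths, process GUIDs and timestamps in SAMPLE_EVENTS are constructed for the example.

```python
"""Hunt for: MSBuild building a project from a user-writable path, then a
process that runs as SYSTEM although its parent ran as an ordinary user
(what a token overwrite / kernel EoP looks like in process telemetry),
then a handle to lsass.exe with read access, all on one host in order."""
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
WINDOW = timedelta(hours=24)          # assumed correlation window
PROCESS_VM_READ = 0x10                # access right needed to read LSASS memory
STAGES = ["msbuild_user_path", "system_child_of_user", "lsass_read"]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def stage_msbuild_user_path(ev):
    """Stage 1: MSBuild given a project file under a user-writable directory."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\msbuild.exe"):
        return False
    return any(p in ev["CommandLine"].lower() for p in USER_WRITABLE)

def stage_system_child_of_user(ev, parent_user):
    """Stage 2: new process is SYSTEM but its parent ran as a normal user."""
    return (ev["EventID"] == 1 and ev["User"] == SYSTEM_ACCOUNT
            and parent_user is not None and parent_user != SYSTEM_ACCOUNT)

def stage_lsass_read(ev):
    """Stage 3: ProcessAccess on lsass.exe granting at least PROCESS_VM_READ."""
    if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    return int(ev["GrantedAccess"], 16) & PROCESS_VM_READ != 0

def _ordered_chain(stage_hits):
    """First occurrence of each stage, in order, all inside WINDOW; else None."""
    chain, idx, start = [], 0, None
    for name, ev in stage_hits:
        if name != STAGES[idx]:
            continue
        t = _ts(ev["UtcTime"])
        if start is None:
            start = t
        elif t - start > WINDOW:
            return None
        chain.append((name, ev["UtcTime"], ev.get("SourceImage", ev.get("Image"))))
        idx += 1
        if idx == len(STAGES):
            return chain
    return None

def hunt(events):
    """Return {host: [(stage, UtcTime, image), ...]} for hosts showing the chain."""
    users_by_guid = {}                # ProcessGuid -> account it ran as
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        host = ev["Computer"]
        if ev["EventID"] == 1:
            users_by_guid[ev["ProcessGuid"]] = ev["User"]
            if stage_msbuild_user_path(ev):
                per_host[host].append(("msbuild_user_path", ev))
            elif stage_system_child_of_user(ev, users_by_guid.get(ev["ParentProcessGuid"])):
                per_host[host].append(("system_child_of_user", ev))
        elif stage_lsass_read(ev):
            per_host[host].append(("lsass_read", ev))
    return {h: c for h, s in per_host.items() if (c := _ordered_chain(s))}

MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed telemetry; WS01 shows the chain, WS02 is benign noise
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2025-04-09 09:00:00", "Image": MSBUILD,
     "CommandLine": "MSBuild.exe C:\\ProgramData\\build\\project.msbuild",
     "User": "CORP\\alice", "ProcessGuid": "g-1", "ParentProcessGuid": "g-0"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2025-04-09 09:00:05",
     "Image": "C:\\ProgramData\\build\\loader.exe", "CommandLine": "loader.exe",
     "User": "CORP\\alice", "ProcessGuid": "g-2", "ParentProcessGuid": "g-1"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2025-04-09 09:02:00",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "User": SYSTEM_ACCOUNT, "ProcessGuid": "g-3", "ParentProcessGuid": "g-2"},
    {"Computer": "WS01", "EventID": 10, "UtcTime": "2025-04-09 09:03:00",
     "SourceImage": "C:\\ProgramData\\build\\pd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "WS02", "EventID": 1, "UtcTime": "2025-04-09 09:59:00",
     "Image": "C:\\Windows\\System32\\services.exe", "CommandLine": "services.exe",
     "User": SYSTEM_ACCOUNT, "ProcessGuid": "g-8", "ParentProcessGuid": "g-7"},
    {"Computer": "WS02", "EventID": 1, "UtcTime": "2025-04-09 10:00:00", "Image": MSBUILD,
     "CommandLine": "MSBuild.exe C:\\Users\\bob\\source\\app.csproj",  # a developer
     "User": "CORP\\bob", "ProcessGuid": "g-10", "ParentProcessGuid": "g-9"},
    {"Computer": "WS02", "EventID": 1, "UtcTime": "2025-04-09 10:00:10",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "User": SYSTEM_ACCOUNT, "ProcessGuid": "g-11", "ParentProcessGuid": "g-8"},
    {"Computer": "WS02", "EventID": 10, "UtcTime": "2025-04-09 10:05:00",
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for host, chain in hunt(SAMPLE_EVENTS).items():
        print(host, chain)
```

The stage-2 rule is the one that carries the weight: a SYSTEM process whose parent was a plain user account has no legitimate explanation in normal Windows process lineage (services come from services.exe and scheduled tasks from svchost.exe, both already SYSTEM), so it catches the effect of any local kernel EoP rather than one exploit's artifacts. Requiring the three stages in order within a window keeps benign MSBuild use from a developer's profile (WS02) from firing on its own.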
OPENCTI LABELS :
ransomware,windows,zero-day,privilege escalation,ransomexx,clfs,pipemagic,cve-2025-29824,cve-2025-24983