Do Son 
Microsoft has reported that the ransomware group RansomEXX is actively exploiting a critical zero-day vulnerability in the Windows Common Log File System (CLFS), enabling attackers to escalate privileges to SYSTEM level on compromised devices.
The vulnerability, identified as CVE-2025-29824, was addressed during April’s Patch Tuesday rollout, though it had already been weaponized in a limited number of attacks.
The flaw is classified as a use-after-free vulnerability, which allows a local attacker with minimal privileges to escalate to system-level access without requiring user interaction. While patches have been released for most supported Windows versions, updates for Windows 10 x64 and 32-bit systems remain pending and are expected to be delivered at a later date.
According to Microsoft, the victims include organizations in the United States (notably within the IT and real estate sectors), financial institutions in Venezuela, a Spanish software company, and retail businesses in Saudi Arabia.
The company further clarified that systems running Windows 11 version 24H2 are not susceptible to these attacks, despite containing the vulnerable component. Microsoft strongly urges users to apply the security updates without delay.
The attacks have been attributed to the RansomEXX group, also known as Storm-2460. The threat actors initially deployed the PipeMagic backdoor, through which they delivered the CVE-2025-29824 exploit, ransomware payloads, and ransom notes titled !_READ_ME_REXX2_!.txt following file encryption.
Originally discovered in 2022, PipeMagic is capable of harvesting sensitive information, granting full remote access to infected machines, and facilitating lateral movement of malware within the compromised network.
In 2023, researchers from Kaspersky Lab encountered PipeMagic during an investigation into attacks involving the Nokoyawa ransomware. At the time, the adversaries exploited another CLFS zero-day vulnerability—CVE-2023-28252—to escalate privileges.
