SPOTREP: Exploitation of Windows CLFS Zero-Day Vulnerability (CVE-2025-29824)


Vulnerability Details:

  • Zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS)

  • Tracked as CVE-2025-29824

  • Allows escalation from standard user to SYSTEM privileges

Exploitation Details:

  • Post-compromise exploitation observed against a small number of targets

  • Exploit delivered via PipeMagic malware

  • Used to deploy ransomware payloads

Affected Systems/Targets:

  • Known targets include: the IT and real estate sectors in the United States; the financial sector in Venezuela; a Spanish software company; and the retail sector in Saudi Arabia

  • Potentially affects any system running vulnerable versions of Windows

  • Note: Windows 11, version 24H2 is not affected by the observed exploitation

Threat Actor Information:

  • Exploitation attributed to Storm-2460

  • Storm-2460 has used PipeMagic to deploy ransomware

  • Ransomware actors value such exploits for escalating initial access to privileged access

Mitigation and Recommendations:

  • Microsoft released security updates on April 8, 2025, to address CVE-2025-29824

  • Urgently apply these updates to all affected systems

  • Enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus products

  • Refer to the Microsoft Security Blog for detailed analysis, indicators of compromise, and additional recommendations
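As an added example (not part of the SPOTREP or Microsoft's guidance), a PowerShell posture check that reports the recommendation items above for one host: the OS build (assuming Windows 11 24H2 reports build 26100), whether any update has been installed since the April 8, 2025 release date (a heuristic standing in for the specific KB, which this report does not name), and whether Defender cloud-delivered protection is enabled.

```powershell
# Added triage script, not from the SPOTREP. Assumptions: Windows 11 24H2
# reports OS build 26100; the April 8, 2025 update is taken as present when
# Get-HotFix lists any update installed on or after that date (a heuristic;
# confirm the exact KB against Microsoft's advisory for your OS version).
function Get-Clfs29824Posture {
    $patchDate = Get-Date -Year 2025 -Month 4 -Day 8
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # The SPOTREP notes 24H2 was not affected by the observed exploitation;
    # updates are still recommended for every supported build.
    $is24H2OrLater = ($build -ge 26100)

    # Updates installed on/after the release date. InstalledOn can be null
    # for some entries, so those are skipped rather than treated as recent.
    $recent = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and ($_.InstalledOn -ge $patchDate) } |
        Sort-Object InstalledOn -Descending)

    # Cloud-delivered protection in Defender AV:
    # MAPSReporting 0 = disabled, 1 = basic, 2 = advanced.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $cloudOn = [bool]($pref -and ($pref.MAPSReporting -gt 0))

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OsBuild          = $build
        Is24H2OrLater    = $is24H2OrLater
        UpdatesSinceApr8 = $recent.Count
        LatestUpdate     = if ($recent.Count -gt 0) { $recent[0].HotFixID } else { $null }
        CloudProtection  = $cloudOn
        # Flag hosts with no post-release update or with cloud protection off.
        NeedsAttention   = ($recent.Count -eq 0) -or (-not $cloudOn)
    }
}

Get-Clfs29824Posture | Format-List
```

Run in an elevated PowerShell session on each endpoint (or via a remoting loop); treat NeedsAttention as a prompt to verify patch state against the advisory, not as proof of compromise.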
