Microsoft Patches Zero-Day Vulnerability Used by Cybercriminals to Escalate Privileges

Microsoft has issued a warning regarding a zero-day vulnerability in Windows that is being exploited by hackers to deploy ransomware.

The flaw affects the Windows Common Log File System (CLFS). The fix is part of the latest monthly security update, and Microsoft urges customers to apply the updates immediately.

The vulnerability, tracked as CVE-2025-29824, is being exploited by threat actors to elevate privileges on compromised systems. CLFS is a key component of the operating system that manages logging and event data for both applications and Windows itself. The hackers use this flaw to gain higher-level access to affected systems, allowing them to execute malicious activities like deploying ransomware. 

Microsoft reports that this exploit has been used against a limited number of targets, including IT and real estate organizations in the US, and financial, software, and retail companies in other countries. The vulnerability has a severity score of 7.8 out of 10, and the exploit has been deployed by the PipeMagic malware, in activity that Microsoft tracks as the Storm-2460 threat actor.

The attack begins when hackers first gain access to a system through other means. In several cases, Storm-2460 used compromised third-party websites to deliver the malware. Once inside, the exploit is used to corrupt memory and overwrite process tokens, granting attackers full privileges. This privilege escalation is crucial for ransomware attackers, as it allows them to expand their access and deploy ransomware widely within the environment. 

The patch addressing this vulnerability was released as part of Microsoft's April 2025 Patch Tuesday updates, which also fixed 126 other vulnerabilities. Microsoft emphasizes that organizations should prioritize applying updates for privilege escalation vulnerabilities as a critical defense against ransomware attacks, especially if attackers have already gained initial access to their systems. 
