Microsoft has revealed that a security flaw in the Windows Common Log File System (CLFS) was exploited to launch targeted ransomware attacks. The vulnerability, CVE-2025-29824, is a privilege escalation bug that could be used to achieve SYSTEM privileges.
The attackers targeted organizations in various sectors, including information technology, real estate, finance, and retail. They used a malware named PipeMagic, which delivered the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is not known, but the threat actors have been observed using legitimate third-party sites to download malware.
PipeMagic is a plugin-based trojan that has been detected in the wild since 2022. It was previously linked to Nokoyawa ransomware attacks and to the CVE-2023-28252 CLFS zero-day flaw. The attackers used an MSBuild script to launch PipeMagic, which then extracted user credentials and encrypted files.
Microsoft is tracking the activity and has fixed the vulnerability as part of its Patch Tuesday update for April 2025. Windows 11, version 24H2, is not affected by this specific exploitation due to restrictions on accessing certain System Information Classes within NtQuerySystemInformation.
Attackers value post-compromise elevation-of-privilege exploits because they let them escalate initial access and deploy ransomware widely within an environment. Microsoft is working to mitigate the threat and to educate users about the importance of keeping their systems up to date with the latest security patches.
Source: https://thehackernews.com/2025/04/pipemagic-trojan-exploits-windows-clfs.html