Intelligence
criticalVulnerabilityActive

Microsoft April Patch Tuesday: Windows CLFS Zero-Day Exploited by Ransomware

Microsoft's April 2025 Patch Tuesday addresses a Windows Common Log File System zero-day being actively exploited by the RansomEXX ransomware group for privilege escalation.

S
Sebastion

CVE References

CVE-2025-29824

Affected

Windows 10Windows 11Windows Server 2016-2025

What happened: Microsoft released April 2025 security updates patching approximately 134 vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) driver that was being actively exploited by the RansomEXX (also known as Storm-2460) ransomware group. The CLFS vulnerability allows attackers to escalate from a standard user to SYSTEM-level privileges.

Technical details: CVE-2025-29824 is a use-after-free vulnerability in the CLFS kernel driver that enables local privilege escalation to SYSTEM. Microsoft's Threat Intelligence team observed the RansomEXX group using it as part of their attack chain following initial access through other means. CLFS has been a recurring source of privilege escalation zero-days, with this being the sixth CLFS zero-day exploited since 2022. The vulnerability was used in targeted attacks against organizations in the IT and real estate sectors in the United States, as well as targets in other countries.

Who is affected: All supported Windows versions including Windows 10, Windows 11, and Windows Server 2016 through 2025. Organizations in sectors already targeted by RansomEXX, including IT services, finance, and real estate, are at elevated risk. Note that the Windows 10 patch was not immediately available and was released later.

What defenders should do: Apply the April 2025 security updates as quickly as possible. For Windows 10 systems where the patch was delayed, implement compensating controls such as enhanced monitoring of CLFS-related system calls and restricting local user rights. Monitor for RansomEXX indicators of compromise including PipeMagic backdoor and specific Cobalt Strike profiles.

Broader implications: The repeated exploitation of CLFS driver vulnerabilities by ransomware operators highlights a systemic weakness in a core Windows component. The privilege escalation from standard user to SYSTEM is a critical capability that makes ransomware deployment more effective, and the continued discovery of exploitable flaws in CLFS suggests the driver may benefit from comprehensive security architecture review.

Sources

microsoftpatch_tuesdayclfsransomwareransomexxzero-day
Back to intelligence