In a recent development, Microsoft has addressed a critical zero-day vulnerability, identified as CVE-2025-29824, which has been actively exploited by a group known as Storm-2460. This vulnerability affects the Windows Common Log File System (CLFS) and has been linked to a series of ransomware attacks targeting organizations across various sectors in the United States, Venezuela, Spain, and Saudi Arabia.
Details of the Exploit
According to Microsoft Threat Intelligence, Storm-2460 has utilized this vulnerability to initiate attacks against a select number of targets, including firms in the IT and real estate sectors in the U.S., a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. The exploitation of this software defect allows attackers, even those operating under standard user accounts, to escalate their privileges significantly.
The deployment of the PipeMagic malware facilitated the exploitation process. The vulnerability itself carries a CVSS score of 7.8, indicating high severity. Microsoft researchers emphasized the importance of such elevation of privilege exploits, as they enable attackers to transition from initial access to privileged access, thereby facilitating the widespread deployment of ransomware within compromised environments.
Industry Insights
Mike Walters, co-founder and president of Action1, highlighted the significance of CVE-2025-29824, noting its impact on core Windows components and its potential to affect a broad spectrum of environments, including enterprise systems and critical infrastructure. The ability of attackers to gain the highest privileges on a Windows system allows them to install malware, alter system files, disable security features, and access sensitive data, leading to complete system compromise and lateral movement across networks.
Satnam Narang, a senior staff research engineer at Tenable, pointed out that CLFS vulnerabilities are frequently addressed in Microsoft’s monthly security updates. Since 2022, Microsoft has patched 32 CLFS vulnerabilities, with an average of 10 each year, six of which have been exploited in the wild. Narang noted that elevation of privilege flaws in CLFS have become particularly attractive to ransomware operators over the years.
Patch Overview
This month’s security update marks Microsoft’s fourth monthly release in the past year to address over 100 vulnerabilities, and 2025 has already seen two releases with triple-digit counts of fixes. Notably, for the first time in years, none of the vulnerabilities has publicly available proof-of-concept code, which may hinder immediate exploitation by malicious actors.
Among the vulnerabilities patched this month, 18 affect Microsoft Office and standalone Office products, all classified as high-severity. Three specific vulnerabilities—CVE-2025-29792, CVE-2025-29793, and CVE-2025-29794—have been designated as “more likely” to be exploited. Additionally, 11 vulnerabilities in total are considered to have a higher likelihood of exploitation, including two high-severity defects that could permit remote code execution in the Remote Desktop Gateway Service.
For a comprehensive list of vulnerabilities addressed in this update, Microsoft has made the details available through its Security Response Center.