Microsoft: Windows CLFS zero-day exploited by ransomware gang

Microsoft has reported that the notorious RansomEXX ransomware gang has been exploiting a critical zero-day vulnerability in the Windows Common Log File System, allowing them to gain SYSTEM privileges on targeted systems. This vulnerability, identified as CVE-2025-29824, was addressed during this month’s Patch Tuesday, although its exploitation has been limited to a small number of attacks.

Details of the Vulnerability

CVE-2025-29824 stems from a use-after-free flaw, enabling local attackers with minimal privileges to escalate their access without requiring user interaction. While Microsoft has rolled out security updates for affected Windows versions, it has postponed patches for Windows 10 x64 and 32-bit systems, promising their release at the earliest opportunity.

The affected organizations span various sectors, including:

  • Information Technology (IT) and real estate in the United States
  • Financial institutions in Venezuela
  • A Spanish software company
  • The retail sector in Saudi Arabia

Importantly, Microsoft has confirmed that customers running Windows 11, version 24H2, are not affected by the observed exploitation, even though the flaw is present in that version. The company strongly encourages users to apply the latest updates promptly.

Microsoft attributes these attacks to the RansomEXX group, which it designates as Storm-2460. The attackers initially deploy the PipeMagic backdoor malware on compromised systems, facilitating the use of the CVE-2025-29824 exploit, alongside ransomware payloads and ransom notes labeled !READMEREXX2!.txt after encrypting files.

RansomEXX ransom note (BleepingComputer)

As ESET noted last month, PipeMagic has also been used since March 2023 to deploy exploits for another Windows zero-day, CVE-2025-24983 in the Win32 Kernel Subsystem. Originally discovered by Kaspersky in 2022, this malware can harvest sensitive information, grant full remote access to infected devices, and let attackers deploy additional malicious payloads for lateral movement within victims’ networks.

Kaspersky first identified this backdoor while investigating Nokoyawa ransomware attacks, which exploited a different Windows Common Log File System Driver zero-day vulnerability, a privilege escalation flaw known as CVE-2023-28252.

The RansomEXX operation, which began as Defray in 2018, underwent a rebranding in 2020 and has since ramped up its activities significantly. This ransomware group has targeted numerous high-profile organizations, including:

  • GIGABYTE, a leading computer hardware manufacturer
  • Konica Minolta
  • The Texas Department of Transportation (TxDOT)
  • Brazil’s court system
  • Montreal’s STM public transport system
  • Government software provider Tyler Technologies