Microsoft did not provide more information on the hackers behind the campaign, only referring to the threat actors as “Storm-2460.” CVE-2025-29824 was the only Patch Tuesday bug from Microsoft added to the Cybersecurity and Infrastructure Security Agency’s catalog of exploited vulnerabilities on Tuesday.

Microsoft published a blog post on Tuesday about the bug alongside its larger Patch Tuesday release, detailing how hackers exploited the vulnerability and used a strain of malware called PipeMagic before deploying ransomware on victims. Microsoft researchers and several other cybersecurity experts said CVE-2025-29824 was concerning because it allows hackers to elevate their privileges and access in a system that has already been broken into.

Immersive’s McCarthy noted that while Microsoft has confirmed the bug is being actively exploited, it has not released a specific patch for Windows 10 32-bit or 64-bit systems.

The zero-day vulnerability, tagged as CVE-2025-29824, impacts the Windows Common Log File System Driver (CLFS) – a frequent target of ransomware gangs. CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. Microsoft released a security update for CVE-2025-29824 on Tuesday.

In the attacks tracked by Microsoft, the incident responders were unable to figure out how the hackers gained their initial access. Microsoft was not able to obtain samples of the ransomware for analysis but found two clues in the ransom notes that were previously tied to the RansomEXX ransomware family.
This Cyber News was published on therecord.media. Publication date: Tue, 08 Apr 2025 20:45:22 +0000