A critical zero-day vulnerability in the Windows Common Log File System (CLFS) has been uncovered and is being actively exploited by a ransomware group, according to a recent report from the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC). Tracked as CVE-2025-29824, this elevation of privilege flaw has been used in attacks against a select group of organizations across multiple sectors and countries, prompting Microsoft to release urgent security updates on April 8, 2025.

The group behind the attacks, tracked as Storm-2460, has leveraged the exploit to facilitate ransomware attacks, targeting industries such as IT and real estate in the United States, finance in Venezuela, software in Spain, and retail in Saudi Arabia. Ransomware operators often exploit elevation of privilege vulnerabilities of this kind to escalate initial access into devastating network-wide incidents.

Notably, the exploit relies on the NtQuerySystemInformation API to leak kernel addresses, an approach rendered ineffective on Windows 11, version 24H2, where access to certain system information classes is restricted to users with elevated privileges. Microsoft confirmed that Windows 11, version 24H2 systems are unaffected by the observed exploitation method, even though the vulnerability itself is present.

Microsoft is urging all customers to apply the updates immediately to mitigate the risk of ransomware attacks. In addition to patching, Microsoft recommends enabling cloud-delivered protection in Microsoft Defender Antivirus, using device discovery to identify unmanaged systems, and running endpoint detection and response (EDR) in block mode to thwart malicious activity. As ransomware groups like Storm-2460 continue to exploit zero-day vulnerabilities, this incident underscores the importance of timely patching and layered security measures to protect against evolving cyber threats.
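The following script is an added example, not code from the article or from Microsoft. It audits a single Windows host against the mitigations the report lists: whether the OS is Windows 11 24H2 or later (where the observed kernel-address leak via NtQuerySystemInformation requires elevation), whether updates have been installed since the April 8, 2025 release, and whether Defender's cloud-delivered protection and EDR block mode are active. Assumptions: it runs in an elevated PowerShell session with the built-in Defender module (`Get-MpPreference`, `Get-MpComputerStatus`) available; the 24H2 check uses the known build number 26100; because the article does not give the KB number of the fix, patch state is approximated by install date rather than a specific KB id; device discovery is a Defender for Endpoint portal setting and is not queried locally.

```powershell
# Added example (not from the article or Microsoft): local audit of the
# mitigations the article recommends for CVE-2025-29824. Run elevated.
$results = [ordered]@{}

# 1. OS version. Windows 11 24H2 (build 26100, assumption: known build number)
#    restricts the system information classes the observed exploit uses to
#    leak kernel addresses, so the reported technique fails there.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$results['OSDisplayVersion'] = $cv.DisplayVersion
$results['OSBuild']          = "$($cv.CurrentBuild).$($cv.UBR)"
$results['Is24H2OrLater']    = ([int]$cv.CurrentBuild -ge 26100)

# 2. Patch state. The article gives no KB number, so list hotfixes installed
#    on or after the release date instead of matching a specific id.
$patchDate = Get-Date '2025-04-08'
$results['UpdatesSinceApr8'] = @(
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate } |
        Select-Object -ExpandProperty HotFixID
)

# 3. Cloud-delivered protection (MAPS). 0 = Disabled, 1 = Basic, 2 = Advanced.
$pref = Get-MpPreference
$results['CloudProtection'] = switch ($pref.MAPSReporting) {
    0       { 'Disabled' }
    1       { 'Basic' }
    2       { 'Advanced' }
    default { "Unknown ($($pref.MAPSReporting))" }
}

# 4. Engine state. AMRunningMode reports Normal, Passive Mode, EDR Block Mode
#    or SxS Passive Mode; EDR block mode matters when another AV is primary.
$status = Get-MpComputerStatus
$results['RealTimeProtection'] = $status.RealTimeProtectionEnabled
$results['AMRunningMode']      = $status.AMRunningMode

# 5. Flag gaps against the article's recommendations.
$findings = @()
if (-not $results['UpdatesSinceApr8'].Count) {
    $findings += 'No updates installed since 2025-04-08: verify the April 2025 cumulative update is present.'
}
if (-not $results['Is24H2OrLater']) {
    $findings += 'OS is earlier than Windows 11 24H2: the observed kernel-address leak technique is not blocked by the OS alone; patching is essential.'
}
if ($pref.MAPSReporting -ne 2) {
    $findings += 'Cloud-delivered protection is not Advanced (fix: Set-MpPreference -MAPSReporting Advanced).'
}
if ($status.AMRunningMode -eq 'Passive Mode') {
    $findings += 'Defender is in Passive Mode: enable EDR in block mode from the Defender for Endpoint portal.'
}

[pscustomobject]$results | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No gaps found for the checks above.' }
```

Run it on a sample of managed hosts (or via your RMM/Intune script runner) and treat any warning as a follow-up item; the build-number and install-date heuristics are deliberately conservative, so a host with no warnings still needs the specific April 2025 cumulative update confirmed against Microsoft's release notes.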
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 20:20:12 +0000