U.S. real estate and IT firms, Venezuelan financial organizations, and Saudi Arabian retail companies, as well as a Spanish software provider, have been subjected to Storm-2460 ransomware attacks exploiting the Windows Common Log File System (CLFS) Driver vulnerability, tracked as CVE-2025-29824, which Microsoft fixed as part of this month's Patch Tuesday, reports The Record, a news site by cybersecurity firm Recorded Future. After obtaining initial access to targeted systems, Storm-2460 installed the PipeMagic malware to launch the exploit, which could facilitate privilege escalation, and the ransomware payload, according to a report from Microsoft, which also observed that the attack campaign's ransom notes resemble those of the RansomEXX ransomware gang. With abuse of the flaw potentially enabling elevated privileges, persistence, and lateral network movement, Microsoft's failure to provide a fix for Windows 10 systems is glaring, said Immersive Lead Cybersecurity Engineer Ben McCarthy, who urged organizations using such systems to leverage endpoint detection and response or extended detection and response tools to track the CLFS driver.
Ransomware, Vulnerability Management, Patch/Configuration Management
Addressed Windows CLFS zero-day exploited in ransomware intrusions
