Microsoft has identified a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2025-29824, that was exploited in the wild by the operators of the PipeMagic malware against organizations in the United States, Venezuela, Spain, and Saudi Arabia. Microsoft has released security updates that fix the issue.
Affected: IT sector, real estate sector, financial sector, software sector, retail sector
Keypoints :
- Microsoft discovered a zero-day vulnerability in the Common Log File System (CLFS) driver, tracked as CVE-2025-29824.
- The vulnerability lets a standard user account escalate its privileges to SYSTEM.
- Exploitation has been linked to the PipeMagic malware and to the threat actor Microsoft tracks as Storm-2460.
- The exploit is launched from a dllhost.exe process after PipeMagic has been deployed.
- The CLFS exploit creates a BLF (CLFS base log) file at C:\ProgramData\SkyPDF\PDUDrv.blf.
- Successful exploitation was followed by ransomware deployment; the ransom note is named !_READ_ME_REXX2_!.txt.
- Microsoft recommends applying the security updates promptly and enabling the defensive controls it lists to mitigate related threats.
MITRE Techniques :
- TA0002: Execution – PipeMagic was decrypted and executed in memory through a callback passed to the EnumCalendarInfoA API.
- TA0003: Persistence – A malicious MSBuild project file, downloaded from a compromised legitimate third-party site, was used to launch PipeMagic.
- TA0006: Credential Access – User credentials were extracted by dumping the memory of the LSASS process.
- TA0040: Impact – Ransomware was deployed via DLL injection, followed by encryption of files on the host.
Indicator of Compromise :
- [Filename] C:\ProgramData\SkyPDF\PDUDrv.blf
- [Command Line] C:\Windows\system32\dllhost.exe --do
- [Command Line] bcdedit /set {default} recoveryenabled no
- [Command Line] wbadmin delete catalog -quiet
- [Domain] aaaaabbbbbbb.eastus.cloudapp.azure[.]com
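The indicators above, together with the exploit chain described in the key points (dllhost.exe launcher, BLF artifact, recovery tampering, ransom note), are easiest to act on as a hunt over process-creation, file-creation and DNS telemetry. The following Python is an added example written for this summary, not code from Microsoft or from the original page. It runs the listed indicators over a few constructed Sysmon-style events (not real telemetry) and shows the caveat that matters in practice: dllhost.exe is a legitimate COM surrogate host, so the image name alone is not an indicator and only the unusual --do argument should fire. The event field names (type, cmdline, path, query, host, ts) and the rule names are assumptions for this example; the domain is refanged from the defanged form used in the IOC list before matching.

```python
import re

# The indicators from the summary above. The domain is kept defanged in the
# IOC list ("[.]") and refanged here before it is compared against DNS telemetry.
def refang(ioc: str) -> str:
    """Convert a defanged indicator ("example[.]com", "hxxp://") back to its live form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

BLF_PATH = r"C:\ProgramData\SkyPDF\PDUDrv.blf"
RANSOM_NOTE = "!_READ_ME_REXX2_!.txt"
C2_DOMAIN = refang("aaaaabbbbbbb.eastus.cloudapp.azure[.]com")

# Command-line rules (rule names are assumptions for this example). dllhost.exe
# is a legitimate COM surrogate, so we key on the unusual "--do" argument rather
# than on the image name. Patterns are case-insensitive because Windows is.
CMDLINE_RULES = [
    ("clfs_exploit_launcher",
     re.compile(r'(?:^|[\\/\s"])dllhost\.exe"?\s+--do(?:\s|$)', re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


def evaluate_event(event: dict) -> list[str]:
    """Return the names of every indicator a single telemetry event matches."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        hits.extend(name for name, rx in CMDLINE_RULES if rx.search(cmd))
    elif kind == "file_create":
        path = event.get("path", "").lower()
        if path == BLF_PATH.lower():
            hits.append("clfs_blf_artifact")
        if path.endswith("\\" + RANSOM_NOTE.lower()):
            hits.append("ransom_note")
    elif kind == "dns_query":
        if event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2_domain")
    return hits


def hunt(events) -> list[tuple[str, str, str]]:
    """Run every event through evaluate_event and return (host, timestamp, indicator) triples."""
    return [(ev.get("host", "?"), ev.get("ts", "?"), hit)
            for ev in events for hit in evaluate_event(ev)]


def summarize(findings) -> dict[str, list[str]]:
    """Group matched indicators per host (sorted) so a host's whole chain is visible at a glance."""
    per_host: dict[str, set[str]] = {}
    for host, _ts, hit in findings:
        per_host.setdefault(host, set()).add(hit)
    return {host: sorted(hits) for host, hits in sorted(per_host.items())}


# Constructed sample telemetry for this example; not real events.
SAMPLE_EVENTS = [
    # Benign: dllhost.exe hosting a COM object. Must NOT fire.
    {"ts": "2025-04-08T10:00:00Z", "host": "ws01", "type": "process_create",
     "cmdline": r"C:\Windows\system32\dllhost.exe /Processid:{00000000-1111-2222-3333-444444444444}"},
    {"ts": "2025-04-08T10:01:02Z", "host": "ws01", "type": "process_create",
     "cmdline": r"C:\Windows\system32\dllhost.exe --do"},
    {"ts": "2025-04-08T10:01:03Z", "host": "ws01", "type": "file_create",
     "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"ts": "2025-04-08T10:05:10Z", "host": "ws01", "type": "process_create",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2025-04-08T10:05:11Z", "host": "ws01", "type": "process_create",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2025-04-08T10:05:30Z", "host": "ws01", "type": "dns_query",
     "query": "aaaaabbbbbbb.eastus.cloudapp.azure.com"},
    {"ts": "2025-04-08T10:06:00Z", "host": "ws01", "type": "file_create",
     "path": r"C:\Users\alice\Documents\!_READ_ME_REXX2_!.txt"},
    # Benign file on another host. Must NOT fire.
    {"ts": "2025-04-08T10:06:01Z", "host": "ws02", "type": "file_create",
     "path": r"C:\Users\bob\Documents\notes.txt"},
]


if __name__ == "__main__":
    for host, ts, hit in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {hit}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

In a real deployment the same rules map directly onto Sysmon event IDs 1 (process creation), 11 (file creation) and 22 (DNS query); the BLF path and the dllhost.exe --do launcher are the high-confidence pre-ransomware signals, while the bcdedit and wbadmin commands also appear in unrelated ransomware playbooks and warrant their own alerting regardless of this campaign.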