PT-2025-15596 · Microsoft · Windows

Oruga · Published 2025-04-08 · Updated 2025-08-23 · CVE-2025-29824

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

## Vulnerability Description

**Name of the Vulnerable Software and Affected Versions:** Microsoft Windows versions prior to the April 2025 Patch Tuesday update.

**Description:**

A use-after-free vulnerability exists in the Windows Common Log File System (CLFS) driver. It allows an attacker who already has a low-privileged local account to elevate privileges, potentially gaining SYSTEM-level access. The vulnerability (CVE-2025-29824) was actively exploited by multiple threat actors, including the Storm-2460 group and the Play ransomware gang, before Microsoft released a patch. Attackers combined it with malware such as PipeMagic and Grixba to deploy ransomware and steal sensitive information. The exploitation chain involved techniques such as DLL hijacking and malicious applications disguised as legitimate software. Targeted organizations were located in the US, Venezuela, Spain, and Saudi Arabia.

Approximately 134 vulnerabilities were addressed in the April 2025 Patch Tuesday, including this zero-day flaw.

**Recommendations:**

Apply the April 2025 Patch Tuesday updates to mitigate this vulnerability. Review system logs for signs of compromise. Harden public-facing infrastructure and deploy endpoint detection and response (EDR) solutions. Be cautious of free ChatGPT desktop applications and verify their source before installing them.

Tags: Exploit · Fix · RCE · LPE · Use After Free

Weakness Enumeration

Related Identifiers: BDU:2025-03926, CVE-2025-29824

Affected Products: Windows