PT-2025-15596 · Microsoft · Windows

Oruga · Published 2025-04-08 · Updated 2026-02-20 · CVE-2025-29824

CVSS v3.1: 7.8 · Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microsoft Windows and Windows Server releases that do not carry the April 2025 security update (Patch Tuesday, 2025-04-08) or a later cumulative update.
Description: A use-after-free vulnerability exists in the Windows Common Log File System (CLFS) kernel driver (clfs.sys). An attacker who can already run code as a low-privileged local user can trigger it to elevate privileges to SYSTEM. This is a local privilege escalation, not a remote code execution primitive: it is used after a foothold has been obtained, not to gain initial access. CVE-2025-29824 was exploited as a zero-day before the patch was released by multiple threat actors, including the Play ransomware group and Storm-2460; Storm-2460 delivered the exploit through the PipeMagic backdoor. Once running as SYSTEM, attackers have used the access to deploy information stealers and to move laterally within compromised networks. Exploitation has been observed across IT, finance, real estate and government organizations in countries including the United States, Venezuela, Saudi Arabia and Brazil. PipeMagic has been observed disguised as legitimate software, such as a ChatGPT desktop application, to evade detection.
Recommendations: Install the April 2025 security update (or any later cumulative update) on every affected Windows and Windows Server host; the KB number differs per OS release, so verify the patch state on each host rather than assuming coverage. Windows 11 version 24H2 is still listed as affected and must be patched, even though Microsoft reported that the exploitation chain observed in the wild did not work on that release. Until a host is patched, treat any local code execution on it as a path to SYSTEM.
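The following PowerShell script is an added example and is not part of the PT advisory or of any Microsoft tooling. It implements the verification step above: it reports the OS build, the file version of clfs.sys, and every security update installed on or after 2025-04-08, and warns when none is present. It assumes that the machine-specific fixed clfs.sys version is not known in advance (the page does not list it), so the installation date of the cumulative update is used as the check; the parameter name `MinimumPatchDate` and the helper function names are the example's own.

```powershell
# Added example, not the advisory's own code: verify that a Windows host carries the
# April 2025 (or later) security update that fixes CVE-2025-29824 in clfs.sys.
[CmdletBinding()]
param(
    # Patch Tuesday on which the CVE-2025-29824 fix shipped (assumption: date-based check,
    # because the fixed clfs.sys version per OS build is not stated on the advisory page).
    [datetime]$MinimumPatchDate = [datetime]'2025-04-08'
)

function Get-ClfsDriverInfo {
    # The vulnerable component is the CLFS kernel driver; its file version and timestamp
    # can be compared against the KB article of the update for the host's OS build.
    $path = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    $item = Get-Item -LiteralPath $path -ErrorAction Stop
    [pscustomobject]@{
        Path          = $path
        FileVersion   = $item.VersionInfo.FileVersion
        LastWriteUtc  = $item.LastWriteTimeUtc
    }
}

function Get-UpdatesInstalledSince {
    param([datetime]$Since)
    # Get-HotFix wraps Win32_QuickFixEngineering; InstalledOn is a DateTime but may be
    # null for some entries, so it is tested before being compared.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$ubr  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$clfs = Get-ClfsDriverInfo
$updates = @(Get-UpdatesInstalledSince -Since $MinimumPatchDate)

"OS: $($os.Caption), build $($os.BuildNumber).$ubr"
"clfs.sys: version $($clfs.FileVersion), last written $($clfs.LastWriteUtc.ToString('u'))"

if ($updates.Count -gt 0) {
    "Updates installed on or after $($MinimumPatchDate.ToString('yyyy-MM-dd')):"
    $updates | Format-Table -AutoSize
} else {
    Write-Warning ("No update installed since {0}; this host is likely still vulnerable " +
                   "to CVE-2025-29824. Install the current cumulative update.") -f
                   $MinimumPatchDate.ToString('yyyy-MM-dd')
}
```

Run it in an elevated PowerShell session on each host, or push it through your configuration management as a compliance check. A post-April-2025 update in the list is necessary but not sufficient proof: Get-HotFix only shows what the servicing stack recorded, so for a definitive answer compare the printed clfs.sys file version and the build's UBR against the values in the KB article for that OS release.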

Exploit · Fix · LPE · Use After Free

Weakness Enumeration: CWE-416 (Use After Free)

Related Identifiers

BDU:2025-03926
CVE-2025-29824

Affected Products

Windows