PT-2025-15596 · Microsoft · Windows

Oruga · Published 2025-04-08 · Updated 2025-09-01 · CVE-2025-29824

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

Microsoft Windows versions prior to the April 2025 security update.

**Description:**

A use-after-free vulnerability exists in the Windows Common Log File System (CLFS) driver. It allows an authorized local attacker to elevate privileges, potentially gaining SYSTEM-level access. The vulnerability, tracked as CVE-2025-29824, was actively exploited as a zero-day in targeted attacks by the Storm-2460 threat actor, using the PipeMagic malware and, in some cases, the Play and RansomExx ransomware families. The attackers' techniques included the use of malicious MSI files and compromised Cisco Adaptive Security Appliances. Exploitation allowed the attackers to deploy malware, steal information, and gain control over compromised systems. Organizations in the US, Venezuela, Spain, and Saudi Arabia were affected.

**Recommendations:**

Apply the April 2025 security update to mitigate this vulnerability. Monitor systems for suspicious activity, including unexpected process creation, LSASS access, and network connections. Be cautious of files from untrusted sources and ensure robust endpoint detection and response (EDR) capabilities are in place. Restrict access to potentially vulnerable modules and parameters where possible.

Exploit · Fix · RCE · LPE · Use After Free

Weakness Enumeration

Related Identifiers

BDU:2025-03926
CVE-2025-29824

Affected Products

Windows