The notorious RansomEXX ransomware group has been actively exploiting a critical zero-day vulnerability in the Windows Common Log File System (CLFS) to escalate privileges on compromised systems. This vulnerability, identified as CVE-2025-29824, allows attackers to gain SYSTEM-level access through low-complexity attacks that do not require user interaction. Microsoft addressed this flaw in the latest Patch Tuesday update, although patches for Windows 10 x64 and 32-bit systems are still pending.

Understanding CVE-2025-29824

The CVE-2025-29824 vulnerability arises from a use-after-free condition in the Windows CLFS. This flaw enables local attackers with minimal privileges to elevate their access rights to SYSTEM privileges. Although the vulnerability has been patched, it was exploited in a limited number of attacks before the fix was released.

Targeted Sectors and Impact

The RansomEXX group has primarily targeted organizations across various sectors, including IT and real estate in the United States, the financial sector in Venezuela, a Spanish software company, and the retail industry in Saudi Arabia. Notably, systems running Windows 11, version 24H2, are not affected by the exploitation of this vulnerability.

  • IT and Real Estate: Organizations in the U.S. have been primary targets.
  • Financial Sector: Venezuelan financial institutions have faced attacks.
  • Software and Retail: Spanish software companies and Saudi Arabian retailers have also been impacted.

RansomEXX Attack Methodology

Microsoft has attributed these attacks to the RansomEXX group, tracked as Storm-2460. The attackers initially deploy the PipeMagic backdoor malware on compromised systems. This malware facilitates the deployment of the CVE-2025-29824 exploit, ransomware payloads, and ransom notes demanding payment after file encryption.

PipeMagic and Its Role

PipeMagic, a backdoor discovered by Kaspersky in 2022, is instrumental in these attacks. It enables attackers to harvest sensitive data, gain full remote access, and deploy additional malicious payloads to further infiltrate victims' networks. This backdoor has been used in conjunction with other exploits, such as the Windows Win32 Kernel Subsystem zero-day (CVE-2025-24983).

RansomEXX's Evolution and Notable Targets

Originally known as Defray in 2018, the RansomEXX operation rebranded in June 2020, significantly increasing its activity. The group has targeted several high-profile organizations, including GIGABYTE, Konica Minolta, the Texas Department of Transportation, Brazil's court system, Montreal's STM public transport system, and Tyler Technologies.