Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw in the Windows Common Log File System to gain SYSTEM privileges on victims’ systems.
The vulnerability, tracked as CVE-2025-29824, was patched during this month’s Patch Tuesday and was only exploited in a limited number of attacks.
CVE-2025-29824 is due to a use-after-free weakness that lets local attackers with low privileges gain SYSTEM privileges in low-complexity attacks that don’t require user interaction.
While the company has issued security updates for impacted Windows versions, it delayed releasing patches for Windows 10 x64 and 32-bit systems and said they would be released as soon as possible.
“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft revealed today.
“Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.”
Microsoft linked these attacks to the RansomEXX ransomware gang, which it tracks as Storm-2460. The attackers first installed the PipeMagic backdoor malware on compromised systems, which was used to deploy the CVE-2025-29824 exploit, ransomware payloads, and !_READ_ME_REXX2_!.txt ransom notes after encrypting files.
As ESET reported last month, PipeMagic has also been used to deploy exploits targeting a Windows Win32 Kernel Subsystem zero-day (CVE-2025-24983) since March 2023.
Discovered by Kaspersky in 2022, the malware can harvest sensitive data, provides full remote access to infected devices, and enables attackers to deploy additional malicious payloads to move laterally through victims’ networks.
In 2023, Kaspersky spotted this backdoor while investigating Nokoyawa ransomware attacks. These attacks exploited another Windows Common Log File System Driver zero-day, a privilege escalation flaw tracked as CVE-2023-28252.
The RansomEXX ransomware operation started as Defray in 2018 but was rebranded to RansomEXX and became much more active starting June 2020.
This ransomware gang has also targeted high-profile organizations, including computer hardware giant GIGABYTE, Konica Minolta, the Texas Department of Transportation (TxDOT), Brazil’s court system, Montreal’s STM public transport system, and government software provider Tyler Technologies.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
