Image: Zac Gudakov via Unsplash/Photomosh

Microsoft: Zero-day bug used in ransomware attacks on US real estate firms

Hackers used a recently patched zero-day vulnerability to attack real estate companies in the U.S. and several other organizations in Saudi Arabia, Spain and Venezuela.

Microsoft published a blog post on Tuesday about the bug alongside its larger Patch Tuesday release, detailing how hackers exploited the vulnerability and used a strain of malware called PipeMagic before deploying ransomware on victims. 

The zero-day vulnerability, tagged as CVE-2025-29824, impacts Windows Common Log File System Driver (CLFS) – a frequent target of ransomware gangs. CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. It effectively allows users to record a series of steps required for some actions so that they can be either reproduced accurately in the future or undone.

The “small number of targets” of the campaign include IT and real estate companies in the U.S., financial firms in Venezuela, a software company in Spain and retail organizations in Saudi Arabia. Microsoft released a security update for CVE-2025-29824 on Tuesday. 

Microsoft did not provide more information on the hackers behind the campaign, only referring to the threat actors as “Storm-2460.” CVE-2025-29824 was the only Patch Tuesday bug from Microsoft added to the Cybersecurity and Infrastructure Security Agency’s catalog of exploited vulnerabilities on Tuesday. 

Microsoft researchers and several other cybersecurity experts said CVE-2025-29824 was concerning because it allows hackers to elevate their privileges and access in a system that has already been broken into. 

“This type of vulnerability is especially dangerous in post-compromise scenarios,” said Ben McCarthy, lead cybersecurity engineer at Immersive. 

“Once an attacker has a foothold on a machine — via phishing, malware, or other vectors — they can exploit the… bug to elevate privileges, maintain persistence and move laterally across an enterprise network. It is a favored class of vulnerability in targeted attacks and ransomware operations.”

Microsoft added that ransomware gangs specifically value post-compromise bugs like CVE-2025-29824 because they “enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access.”

The increased access allows them to detonate ransomware and create a wider blast radius, causing significantly more damage. 

In the attacks tracked by Microsoft, the incident responders were unable to figure out how the hackers gained their initial access. But once they had access, the threat actors deployed PipeMagic, which researchers at ESET and Kaspersky have been documenting for years. ESET previously spotlighted the malware’s use during exploitation of CVE-2025-24983, another recently-patched Microsoft bug. 

Microsoft was not able to obtain samples of the ransomware for analysis but found two clues in the ransom notes that were previously tied to the RansomEXX ransomware family.

Immersive’s McCarthy noted that while Microsoft has confirmed the bug is being actively exploited, it has not released a specific patch for Windows 10 32-bit or 64-bit systems.

“The lack of a patch leaves a critical gap in defense for a wide portion of the Windows ecosystem,” he said. 

“In the absence of a security update, organizations should take proactive steps to mitigate risk. Security teams are advised to monitor the CLFS driver closely using [Endpoint Detection and Response]/[Extended Detection and Response] tools.” 

Seth Hoyt, senior security engineer at Automox, added that with the privileges offered by the vulnerability, a hacker could install programs, disable protections and move laterally “with few barriers.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.