Microsoft has confirmed that the RansomEXX ransomware gang is exploiting a high-severity zero-day vulnerability in the Windows Common Log File System (CLFS) to escalate privileges to SYSTEM level on compromised systems.
The flaw, tracked as CVE-2025-29824, was patched in Microsoft’s latest Patch Tuesday updates. It is a use-after-free vulnerability that allows local attackers with low privileges to gain SYSTEM access without user interaction.
Key Details:
- Affected Systems: Windows 10, Windows 11 (except version 24H2), and Windows Server.
- Exploitation: Limited attacks observed, deploying PipeMagic backdoor before ransomware payloads.
- Ransom Note: `!_READ_ME_REXX2_!.txt` left after file encryption.
More details: Microsoft Security Advisory
You Should Know:
1. Check if Your System is Vulnerable
Run the following command (it works in both cmd and PowerShell) to check your Windows version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
If your system is Windows 11 24H2, you are not affected.
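The version check above is manual; the following PowerShell function is an added example (not from the original post) that turns it into a report you can run across a fleet. It assumes that Windows 11 24H2 corresponds to build 26100 and later on a workstation SKU, and it takes the KB number of the CVE-2025-29824 fix as a parameter because that number is not given on this page; read it from the Microsoft advisory.

```powershell
# Added example, not from the original post. Reports whether this host is in the affected
# range the post describes (everything except Windows 11 24H2) and whether a given update
# is installed. Assumptions: Windows 11 24H2 == build 26100+ on a workstation SKU; the KB
# number of the CVE-2025-29824 fix is NOT on the page, so it is a parameter you take from
# the Microsoft advisory.
function Test-ClfsPatchState {
    param(
        # KB of the April 2025 fix, e.g. 'KB1234567' (placeholder; use the advisory's value)
        [Parameter(Mandatory)] [string] $FixKb
    )
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1            # 1 = workstation, 2 = DC, 3 = member server
    $is24H2   = (-not $isServer) -and ($build -ge 26100)
    $hotfix   = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue

    # clfs.sys is the CLFS kernel driver; record its file version for the ticket
    $clfs = Get-Item -Path (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys') -ErrorAction SilentlyContinue

    if ($is24H2)     { $verdict = 'Not affected (Windows 11 24H2)' }
    elseif ($hotfix) { $verdict = "Patched ($FixKb installed)" }
    else             { $verdict = 'VULNERABLE - apply the update now' }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Caption      = $os.Caption
        Build        = $build
        IsServer     = $isServer
        ClfsVersion  = $clfs.VersionInfo.FileVersion
        FixInstalled = [bool]$hotfix
        Verdict      = $verdict
    }
}

# Usage: run elevated so Get-HotFix sees all packages; replace the placeholder KB.
Test-ClfsPatchState -FixKb 'KB0000000' | Format-List
```

Servers are reported as in scope regardless of build, because the post lists Windows Server without an exception; if the advisory narrows that, adjust the `$is24H2` test.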
2. Apply Microsoft’s Patch Immediately
Trigger an update check and installation from an elevated prompt:
wuauclt /detectnow /updatenow
Or via Windows Update:
Start-Process "ms-settings:windowsupdate-action"
3. Detect PipeMagic Backdoor (Indicators of Compromise)
Check for processes running from the temp directory under common system-binary names:
Get-Process | Where-Object { $_.Path -like "$env:TEMP\*" -and $_.Name -match "svchost|powershell|wscript" }
Look for scheduled tasks placed under the Microsoft task folder by a non-Microsoft author:
Get-ScheduledTask | Where-Object { $_.TaskPath -like "\Microsoft\Windows\*" -and $_.Author -notmatch "Microsoft" }
Expect some legitimate entries in the second list, since many built-in tasks store their author as a localized resource string rather than the word "Microsoft"; review the matches rather than deleting them blindly.
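The two one-liners above are quick checks; the script below is an added example (not from the original post) that widens them into a hunt returning objects you can export for incident response. Because the post gives no PipeMagic file names, hashes or pipe names, the logic flags placement rather than identity: system-style process names running from user-writable directories, and scheduled tasks whose action binary lives outside Windows or Program Files or that hide under the Microsoft task folder with a non-Microsoft author. The directory list, the name pattern and the resource-string heuristic for Microsoft authors are assumptions.

```powershell
# Added example, not from the original post. Hunt heuristics for a backdoor staged in
# user-writable locations; directory list, name pattern and author heuristic are assumptions.
function Find-SuspiciousProcesses {
    $userWritable = @("$env:TEMP", "$env:LOCALAPPDATA", "$env:APPDATA", "$env:PUBLIC", 'C:\ProgramData')
    $systemNames  = 'svchost|powershell|wscript|cscript|rundll32|dllhost|explorer'
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $p = $_.Path                                   # capture before nested $_ shadows it
        $fromUserDir = $userWritable | Where-Object { $p -like "$_\*" }
        if ($fromUserDir -and $_.Name -match $systemNames) {
            [pscustomobject]@{
                Kind = 'Process'; Name = $_.Name; Id = $_.Id; Path = $p
                Reason = "system-style name running from $fromUserDir"
            }
        }
    }
}

function Find-SuspiciousTasks {
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task   = $_
        $author = [string]$task.Author
        # Built-in tasks often carry a resource-string author like $(@%SystemRoot%\...); treat
        # those as Microsoft to cut noise (assumption, not an authoritative rule).
        $looksMicrosoft = $author -match 'Microsoft' -or $author -like '$(@%SystemRoot%*'
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute             # empty for COM-handler actions
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $reasons = @()
            # Only judge placement when the action carries a path; a bare "cmd.exe" resolves via PATH.
            if ($exe -match '\\' -and -not ($trusted | Where-Object { $exe -like $_ })) {
                $reasons += 'action binary outside Windows/Program Files'
            }
            if ($task.TaskPath -like '\Microsoft\Windows\*' -and -not $looksMicrosoft) {
                $reasons += 'non-Microsoft author under \Microsoft\Windows\'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Kind = 'Task'; Name = $task.TaskName; Path = $task.TaskPath; Author = $author
                    Exe = $exe; Args = $action.Arguments; Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: run elevated so all processes and tasks are visible; keep the CSV as evidence.
$findings = @(Find-SuspiciousProcesses) + @(Find-SuspiciousTasks)
$findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\hunt-$env:COMPUTERNAME.csv"
$findings | Format-Table -AutoSize
```

Every hit is a lead, not a verdict: confirm with file hashes, signatures and the creation timestamps before acting, and feed confirmed items into the forensics step below.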
4. Mitigation Steps (If Unpatched)
- Disable CLFS logging (temporary fix):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CLFS" /v "Start" /t REG_DWORD /d 0 /f
This only turns off the ETW trace session; the clfs.sys driver itself stays loaded, so it does not remove the vulnerable code. Only the update closes the flaw.
- Restrict low-privilege users from executing binaries:
icacls "C:\Windows\System32\*.exe" /deny "Users:(RX)"
Caution: applied as written, this denies every standard user execute rights on all System32 binaries and will break ordinary logons. Scope it to specific binaries identified during triage and test on a non-production host first.
5. Post-Exploitation Forensics
Check CLFS log tampering:
Get-WinEvent -LogName "Microsoft-Windows-CLFS/Operational" -MaxEvents 50 | Format-Table -AutoSize
Search for ransom notes:
dir /s /b "C:\!_READ_ME_REXX2_!.txt"
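As an added example (not from the original post), the function below collects both artefacts named in this step into one evidence folder: the CLFS operational events and every copy of the ransom note with its timestamps, owner and hash. The channel name comes from the post; where it is absent on a host the function records that instead of failing. The output directory, the drive enumeration and the event cap are assumptions.

```powershell
# Added example, not from the original post. Triage collector for the two artefacts
# named in the forensics step; output path and defaults are assumptions.
function Invoke-ClfsTriage {
    param(
        [string]   $OutDir    = "C:\IR\clfs-triage-$(Get-Date -Format yyyyMMdd-HHmmss)",
        [string]   $NoteName  = '!_READ_ME_REXX2_!.txt',      # ransom note name from the post
        [string[]] $Drives    = (Get-PSDrive -PSProvider FileSystem | Where-Object Root | ForEach-Object Root),
        [int]      $MaxEvents = 500
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # 1. CLFS operational events (channel name as given in the post), newest first.
    try {
        Get-WinEvent -LogName 'Microsoft-Windows-CLFS/Operational' -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'clfs-events.csv')
    } catch {
        # Channel missing or unreadable on this build: record the fact rather than abort.
        "CLFS channel not readable: $($_.Exception.Message)" |
            Set-Content -Path (Join-Path $OutDir 'clfs-events.txt')
    }

    # 2. Ransom-note sweep. Creation times of the notes bound the encryption window,
    #    the owner shows which account wrote them, the hash clusters note variants.
    $notes = foreach ($root in $Drives) {
        Get-ChildItem -Path $root -Filter $NoteName -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTimeUtc
                    Modified = $_.LastWriteTimeUtc
                    Owner    = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                    Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    $notes | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ransom-notes.csv')

    [pscustomobject]@{
        OutDir    = $OutDir
        NoteCount = @($notes).Count
        FirstNote = ($notes | Sort-Object Created | Select-Object -First 1).Created
    }
}

# Usage: run elevated; the returned object gives the earliest note timestamp for the timeline.
Invoke-ClfsTriage | Format-List
```

Run it before remediation touches the disk, and hash the resulting folder so the evidence chain holds up later.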
What Undercode Say
This attack highlights the critical need for timely patching and monitoring privilege escalation paths. Since RansomEXX (Storm-2460) is actively weaponizing this flaw, defenders must:
– Audit local privilege escalation vectors (whoami /priv).
– Monitor CLFS logs for unusual activity.
– Block PipeMagic C2 IPs via firewall rules.
– Use Sysmon for deep process tracking:
<EventFiltering>
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains">PipeMagic</CommandLine>
  </ProcessCreate>
</EventFiltering>
This is an EventFiltering fragment and belongs inside the <Sysmon> root element of the configuration. A backdoor rarely carries its own name on the command line, so treat the rule as a starting point; Sysmon's PipeEvent rules (Event IDs 17 and 18, pipe created and connected) are worth enabling alongside it.
Expected Output: A hardened Windows system with CLFS patched, backdoors detected, and ransomware prevented.
Reported By: Phuong Nguyen – Hackers Feeds