The vulnerability in question is tracked as CVE-2025-29824 and it was patched by Microsoft with its April 2025 Patch Tuesday updates.
The flaw impacts the Windows Common Log File System (CLFS) and it can be exploited by an attacker to escalate privileges.
On the day it released the patches, Microsoft revealed that CVE-2025-29824 had been exploited by cybercriminals in attacks aimed at a “small number of targets”, including in the IT and real estate sectors in the US, the financial industry in Venezuela, the retail sector in Saudi Arabia, and a Spanish software firm.
Microsoft attributed the attack to a threat actor it tracks as Storm-2460, which exploited the vulnerability to deploy a piece of malware named PipeMagic, typically used to deploy ransomware. The tech giant found evidence suggesting that the zero-day had been exploited in RansomEXX ransomware attacks.
Symantec revealed on Wednesday that at least one other threat group exploited CVE-2025-29824 before it was patched by Microsoft. The Broadcom threat intelligence unit observed exploitation of the vulnerability against an organization in the United States.
Its analysis showed that the attackers used the flaw to deploy an infostealer named Grixba, which is associated with a threat actor tracked by Symantec as Balloonfly, known for conducting Play ransomware attacks. However, no actual ransomware payload was deployed in the attack.
In the incident seen by Symantec, the hackers may have exploited a Cisco ASA vulnerability for initial access and they then moved laterally on the network before deploying an exploit for CVE-2025-29824.
“The exploit (or similar exploits) may have been in the hands of multiple actors prior to the patching of CVE-2025-29824,” Symantec said.
(courtesy: securityweek)
