Urgent Alert: RansomEXX Ransomware Gang Exploits Critical Windows Zero-Day Vulnerability!

2025-04-08

Author: Jessica Wong

Overview of the Vulnerability

Microsoft has issued a dire warning about the RansomEXX ransomware gang exploiting a highly critical zero-day vulnerability in the Windows Common Log File System, which allows them to gain SYSTEM-level privileges on compromised systems. This vulnerability, known as CVE-2025-29824, was only recently patched during this month’s Patch Tuesday, but not before it was targeted in a limited number of attacks.

Nature of the Vulnerability

The vulnerability is a use-after-free weakness that a local attacker with only limited privileges can exploit in a low-complexity attack, without any user interaction, to gain full SYSTEM access. This makes the vulnerability particularly dangerous.

Microsoft's Response

While Microsoft confirmed that they have issued security updates for several affected Windows versions, they have delayed patches specifically for Windows 10 x64 and 32-bit systems, promising these fixes will be available shortly.

Targets of the Attacks

Targets of these attacks have primarily been organizations within the information technology and real estate sectors in the United States, as well as the financial industry in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft emphasized that users running Windows 11, version 24H2, are not affected by this exploitation, urging all customers to apply the necessary updates immediately.

RansomEXX Gang's Tactics

These alarming cyberattacks have been traced back to the RansomEXX gang, also identified by Microsoft as Storm-2460. Their modus operandi involves installing a sophisticated backdoor malware called PipeMagic, allowing them to deploy the CVE-2025-29824 exploit along with ransomware payloads, and leaving behind ransom notes named !_READ_ME_REXX2_!.txt after encrypting victims' files.
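The ransom note filename above is the one indicator the article gives that a defender can check for directly. The following is an added example (not code from Microsoft, ESET, or the article's author) that walks a file tree and reports every copy of the !_READ_ME_REXX2_!.txt note, grouped by directory, so responders can see how far encryption spread. The sample tree it builds in a temporary directory is constructed for the demonstration; the matching is case-insensitive to mirror NTFS.

```python
"""Hunt for RansomEXX ransom notes on a file tree.

Added example for incident triage; not code from the article or the vendors it cites.
"""
import os
import tempfile
from pathlib import Path

# Ransom-note filename reported in the article. Compared case-insensitively
# because NTFS does not distinguish case.
RANSOMEXX_NOTE_NAMES = {"!_READ_ME_REXX2_!.txt"}


def find_ransom_notes(root, note_names=RANSOMEXX_NOTE_NAMES):
    """Walk `root` and return every file whose name is a known ransom-note name.

    The result is a sorted list of path strings so reports are stable.
    """
    wanted = {name.lower() for name in note_names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if fname.lower() in wanted:
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def summarize(hits):
    """Group hits by directory.

    A note in many directories means encryption already ran broadly, which
    shifts the response from containment toward recovery.
    """
    by_dir = {}
    for hit in hits:
        by_dir.setdefault(os.path.dirname(hit), []).append(os.path.basename(hit))
    return by_dir


def build_sample_tree():
    """Constructed sample data: a temp tree with two ransom notes and benign files."""
    root = tempfile.mkdtemp(prefix="rexx_demo_")
    docs = Path(root) / "Users" / "alice" / "Documents"
    share = Path(root) / "Shares" / "finance"
    docs.mkdir(parents=True)
    share.mkdir(parents=True)
    (docs / "report.docx").write_text("placeholder document")
    (docs / "!_READ_ME_REXX2_!.txt").write_text("constructed note")
    # Same name with different case: must still match on a case-insensitive volume.
    (share / "!_read_me_rexx2_!.TXT").write_text("constructed note")
    (share / "README.txt").write_text("not a ransom note")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for directory, names in summarize(find_ransom_notes(demo_root)).items():
        print(f"{directory}: {', '.join(names)}")
```

Run it against a real volume by passing the drive root to find_ransom_notes instead of the sample tree; the note name set can be extended with other families' filenames as they are confirmed.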

Connection to Other Vulnerabilities

In a startling connection, cybersecurity firm ESET noted last month that PipeMagic has been used since March 2023 to deploy additional exploits targeting yet another Windows zero-day vulnerability (CVE-2025-24983) within the Win32 Kernel Subsystem. The PipeMagic malware, first discovered by Kaspersky in 2022, is notorious for its ability to harvest sensitive information, grant complete remote access to infected devices, and deploy more malevolent payloads, enabling attackers to spread through networks seamlessly.

History of RansomEXX

The RansomEXX ransomware operation started its journey in 2018 under the name Defray but significantly ramped up its activities after rebranding to RansomEXX in June 2020. As cyber threats continue to evolve, it is essential for individuals and organizations to remain vigilant, apply security patches swiftly, and stay informed about the latest cybersecurity threats.

Conclusion

Stay safe, and don’t be the next victim of ransomware!