@The Hacker News
//
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Because CVE-2025-29824 is a local elevation of privilege flaw, it is used post-compromise: an attacker who already runs code under a standard user account can escalate to SYSTEM, then install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.
The vulnerability lies in the CLFS kernel driver (clfs.sys) and is a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities, since they are the step that turns an initial foothold into a ransomware deployment. Microsoft has issued security updates for the affected Windows versions, but at the time of the advisory patches for Windows 10 (x64 and 32-bit) were still pending release. Beyond the zero-day, the April 2025 Patch Tuesday addresses well over a hundred further vulnerabilities (the references below count between 121 and 134 depending on what each tracker includes), 11 of them classified as critical remote code execution vulnerabilities.
Recommended read:
References :
- isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
- The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
- Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
- BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
- Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
- Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
- CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
- bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
- The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
- Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
- thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
- www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
- bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
- Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
- Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
- Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
- isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
- krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
- securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
- www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
- Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
- The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
- www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
- The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
- securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
- Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
- arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.
- Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE-2025-29824.
- Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
- Security | TechRepublic: One CVE was used against “a small number of targets.” Windows 10 users needed to wait a little bit for their patches.
- www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
- Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
- Arctic Wolf: Microsoft Patch Tuesday: April 2025
- ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
- cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
- www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
- Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed
@The DefendOps Diaries
//
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities, six of which were already being actively exploited (the seventh had been publicly disclosed before a fix was available). These zero-day flaws highlight the importance of applying security updates in a timely manner. Six vulnerabilities were rated critical, all remote code execution flaws that could lead to full system compromise if exploited. One notable zero-day is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow a local attacker to gain SYSTEM privileges by winning a race condition; ESET reports it has been exploited in the wild since 2023.
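Both CVE-2025-29824 (the CLFS zero-day in the April item above) and CVE-2025-24983 are local elevation-of-privilege bugs whose payoff is the same: a process running as a standard user spawns something running as SYSTEM. The following is an added hunting example written for this page, not code from the original article, from Microsoft or from any of the cited vendors. It joins Sysmon Event ID 1 (process creation) records to each parent's own creation record through ParentProcessGuid and flags Medium/Low to System transitions. Field names follow Sysmon's EventData schema; the five sample events, their GUIDs, paths and account names are constructed for the example, and the empty broker allowlist is a placeholder you would tune per estate.

```python
"""Hunt Sysmon process-creation events for unprivileged-parent -> SYSTEM-child
transitions, the generic post-exploitation signature of a local EoP exploit.
Added example; sample data below is constructed, not real telemetry."""
import xml.etree.ElementTree as ET
from collections import namedtuple

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

Finding = namedtuple("Finding", "parent_image parent_user child_image child_user")

# Parent integrity levels that should never precede a SYSTEM child unless a
# known elevation broker is involved (SCM, task scheduler, installer service).
UNPRIVILEGED = {"Low", "Medium", "AppContainer"}
PRIVILEGED = {"System"}

# Constructed sample in the shape produced by
# `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, wrapped in a root
# element so it parses as one document. Only the fields used here are kept.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{A1}</Data><Data Name="ParentProcessGuid">{00}</Data>
 <Data Name="Image">C:\Windows\explorer.exe</Data><Data Name="User">CORP\alice</Data>
 <Data Name="IntegrityLevel">Medium</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{A2}</Data><Data Name="ParentProcessGuid">{A1}</Data>
 <Data Name="Image">C:\Users\alice\Downloads\update.exe</Data><Data Name="User">CORP\alice</Data>
 <Data Name="IntegrityLevel">Medium</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{A3}</Data><Data Name="ParentProcessGuid">{A2}</Data>
 <Data Name="Image">C:\Windows\System32\dllhost.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
 <Data Name="IntegrityLevel">System</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{B1}</Data><Data Name="ParentProcessGuid">{00}</Data>
 <Data Name="Image">C:\Windows\System32\services.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
 <Data Name="IntegrityLevel">System</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{B2}</Data><Data Name="ParentProcessGuid">{B1}</Data>
 <Data Name="Image">C:\Windows\System32\svchost.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
 <Data Name="IntegrityLevel">System</Data></EventData></Event>
</Events>"""


def events_from_xml(xml_text):
    """Return one dict of EventData fields per Sysmon Event ID 1 record."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("{%s}Event" % EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue  # ignore network, image-load and other Sysmon event types
        records.append({d.get("Name"): (d.text or "").strip()
                        for d in ev.findall("e:EventData/e:Data", NS)})
    return records


def find_escalations(records, allowed_parents=frozenset()):
    """Flag SYSTEM children whose parent ran at an unprivileged integrity level.

    allowed_parents: lower-cased image paths verified as legitimate brokers in
    your environment (placeholder: empty by default).
    """
    by_guid = {r["ProcessGuid"]: r for r in records}
    findings = []
    for child in records:
        if child.get("IntegrityLevel") not in PRIVILEGED:
            continue
        parent = by_guid.get(child.get("ParentProcessGuid"))
        if parent is None:
            continue  # parent started before logging began; nothing to compare
        if parent.get("IntegrityLevel") not in UNPRIVILEGED:
            continue  # SYSTEM -> SYSTEM (services.exe -> svchost.exe) is normal
        if parent["Image"].lower() in allowed_parents:
            continue
        findings.append(Finding(parent["Image"], parent["User"],
                                child["Image"], child["User"]))
    return findings


if __name__ == "__main__":
    for f in find_escalations(events_from_xml(SAMPLE_XML)):
        print(f"ESCALATION {f.parent_user} {f.parent_image} -> "
              f"{f.child_user} {f.child_image}")
```

On the sample, only update.exe (Medium, CORP\alice) spawning dllhost.exe (System) is reported; services.exe starting svchost.exe is SYSTEM to SYSTEM and passes. UAC elevation yields High rather than System, so consent prompts do not trigger the rule; the main false-positive source in practice is custom installers or agents that hand work to a service through a broker, which is what the allowlist is for. The heuristic is deliberately exploit-agnostic: it does not depend on the CLFS or Win32k specifics and will also surface other local EoP primitives.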
Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.
Recommended read:
References :
- isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
- The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
- BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
- CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
- Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
- bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
- krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
- Blog RSS Feed: March 2025 Patch Tuesday Analysis
- Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
- The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
- hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
- www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
- Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
- socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities
- Security | TechRepublic: Microsoft's March 2025 Patch Tuesday includes six actively exploited zero-day vulnerabilities. Learn about the critical vulnerabilities and why immediate updates are essential.
- Davey Winder: Microsoft has confirmed that no less than six zero-day vulnerabilities are exploiting Windows users in the wild. Here’s what you need to know and do.
- : Microsoft Patches a Whopping Seven Zero-Days in March
- Blog: As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- Talkback Resources: Microsoft's Patch Tuesday reports 6 flaws already under fire [app] [sys]
- ESET Research: has discovered a zero-day exploit abusing the CVE-2025-24983 vulnerability in the Windows kernel to elevate privileges.
- The DefendOps Diaries: Understanding the Impact of CVE-2025-24983: A Critical Windows Kernel Vulnerability
- BleepingComputer: Microsoft patches Windows Kernel zero-day exploited since 2023
- PCWorld: Big March patch fixes dozens of security flaws in Windows and Office
- securityaffairs.com: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days
- www.threatdown.com: The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.
- www.computerworld.com: For March’s Patch Tuesday, 57 fixes — and 7 zero-days
@arcticwolf.com
//
Microsoft has released its February 2025 security update, addressing a total of 63 newly disclosed vulnerabilities. This update, released on February 11th, includes patches for various Microsoft products. Arctic Wolf has highlighted three vulnerabilities in this security bulletin that affect Microsoft Windows and are classified as critical or have been exploited in the wild.
Among the vulnerabilities addressed, two are actively being exploited: CVE-2025-21418, a Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability, and CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability. Both are local privilege escalation bugs, so they matter most as the second stage after an initial foothold; users are strongly advised to apply these updates promptly. Vulnerability totals for this release differ by tracker: Arctic Wolf counts 63 newly disclosed vulnerabilities, Tenable 55 CVEs, and the ISC SANS tally reaches 141 vulnerabilities.
Recommended read:
References :
- Arctic Wolf: Microsoft Patch Tuesday: February 2025
- isc.sans.edu: Microsoft February 2025 Patch Tuesday, (Tue, Feb 11th)
- Tenable Blog: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)
@securityonline.info
//
Progress Software has released patches to address multiple high-severity vulnerabilities in its LoadMaster software. These flaws could allow remote, authenticated attackers to execute arbitrary system commands on affected systems. The vulnerabilities stem from improper input validation, where attackers who gain access to the management interface can inject malicious commands via crafted HTTP requests.
The affected software includes LoadMaster versions 7.2.48.12 and prior, 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.55.0 to 7.2.60.1 (inclusive), as well as Multi-Tenant LoadMaster version 7.1.35.12 and prior. Progress Software has closed the flaws by sanitizing request user input so that arbitrary system commands can no longer be executed, and says it has received no reports of exploitation. Users are advised to update to the latest patched versions; since every variant requires reaching and authenticating to the management interface, that interface should also not be exposed to untrusted networks.
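The bug class behind these advisories is a management endpoint that hands a request parameter to a shell. The example below is added here for illustration; it is not Progress code and not the LoadMaster fix itself (which is not public). A hypothetical /access/ping diagnostic endpoint, its host parameter and the ping command stand in for the affected interface; the request lines are constructed. It shows the string-built command beside a validated version that allowlists the target and never invokes a shell.

```python
"""Authenticated OS command injection via a request parameter, vulnerable
string-built command beside a hardened argv-based handler. Added example with
a hypothetical endpoint; not Progress code."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 hostname grammar: alphanumeric labels with inner hyphens, dot-joined.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                       r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def target_from_request(request_line):
    """Pull the 'host' query parameter out of an HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query)
    return params.get("host", [""])[0]


def vulnerable_command(host):
    """The anti-pattern: a shell command built by string formatting.
    Run with shell=True, a host of '10.0.0.1|id' also executes `id`."""
    return f"ping -c 1 {host}"


def validate_target(host):
    """Accept only an IP literal or an RFC 1123 hostname; reject everything else.
    A leading '-' cannot pass either branch, so option injection (e.g. -f) is
    blocked as well as shell metacharacters."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected target: {host!r}")


def hardened_argv(host):
    """Validated argv list: no shell, the target is one argument, never parsed."""
    return ["ping", "-c", "1", validate_target(host)]


def handle_ping(request_line, run=subprocess.run):
    """Hardened request handler. `run` is injectable so tests need not ping."""
    argv = hardened_argv(target_from_request(request_line))
    return run(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    crafted = "GET /access/ping?host=10.0.0.1|id HTTP/1.1"
    host = target_from_request(crafted)
    print("would run via shell:", vulnerable_command(host))
    try:
        hardened_argv(host)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Validation against a positive grammar is preferable to escaping: `shlex.quote` would neutralise the metacharacters but still leave option injection and any later shell hop to worry about, whereas an allowlisted value passed as a single argv element with `shell=False` has no parser left to confuse.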
Recommended read:
References :
- community.progress.com: Progress security advisory, "05" February 2024: four Improper Input Validation vulnerabilities of an authenticated user in Progress LoadMaster allowing OS command injection (each rated 8.4 high). Remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate could issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands being executed. We have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact on customers.
- securityaffairs.com: Progress Software fixed multiple high-severity LoadMaster flaws - SecurityAffairs
- securityonline.info: Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed - SecurityOnline
- The Hacker News: Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions - The Hacker News
- securityonline.info: Security Online Article about Progress LoadMaster Security Update