Microsoft patches zero-day actively exploited in string of ransomware attacks

Microsoft addressed 126 vulnerabilities affecting its systems and core products, including a zero-day in the Windows Common Log File System (CLFS) that’s been actively exploited in a series of ransomware attacks, the company said in its latest security update Tuesday.
A group Microsoft tracks as Storm-2460 has exploited CVE-2025-29824 to initiate ransomware attacks “against a small number of targets,” Microsoft Threat Intelligence said in a research note released Tuesday. Victims include organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company and the retail sector in Saudi Arabia, according to Microsoft.
Microsoft said it’s unsure how Storm-2460 gained initial access to devices on these networks, but noted that successful exploitation of the software defect allows an attacker with a standard user account to escalate privileges. The zero-day, which Storm-2460 deployed via the PipeMagic malware, has a CVSS score of 7.8.
“Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access,” Microsoft Threat Intelligence researchers said in the blog post. “They then use privileged access for widespread deployment and detonation of ransomware within an environment.”
Mike Walters, president and co-founder at Action1, said CVE-2025-29824 “is significant because it affects a core component of Windows, impacting a wide range of environments, including enterprise systems and critical infrastructure.”
Attackers can exploit the vulnerability to gain the highest privilege level on a Windows system, Walters said. That allows them to install malware, modify system files and registry settings, disable security features, access sensitive data and maintain persistent access, resulting in full system compromise and lateral movement across networks, Walters added.
CLFS vulnerabilities are common in Microsoft’s monthly security updates, according to Satnam Narang, senior staff research engineer at Tenable. “Since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging 10 each year, with six exploited in the wild,” Narang said in an email.
“Elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years,” Narang said. “While remote code execution flaws are consistently top overall Patch Tuesday figures, the data is reversed for zero-day exploitation. For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited.”
More than 40% of the vulnerabilities Microsoft patched on Tuesday allow attackers to achieve elevation of privilege, Narang said.
The batch of patches Microsoft released this month marks the vendor’s fourth monthly security update in the past year to include more than 100 vulnerabilities, and the second with a triple-digit count of defects in 2025 thus far.
“For the first time in years, none of the vulnerabilities have a publicly available proof of concept,” Walters said.
Eighteen of the vulnerabilities in this month’s security update affect Microsoft Office and standalone Office products. All of the software defects affecting Microsoft Office are high-severity, and Microsoft designated three of those vulnerabilities — CVE-2025-29792, CVE-2025-29793 and CVE-2025-29794 — as “more likely” to be exploited.
Overall, Microsoft said 11 of the vulnerabilities it patched this month are “more likely” to be exploited. This set of more concerning flaws includes a pair of high-severity software defects — CVE-2025-27480 and CVE-2025-27482 — that could allow for remote code execution in Remote Desktop Gateway Service.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.