CISA issues alert on active exploits of just patched Windows CLFS flaw
Take action: One more reason to push an urgent update to all Windows computers. CISA issued its urgent warning on the same day the patch was released. If they did not delay the warning, you must not delay the patch.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent security advisory regarding the just patched vulnerability in the Microsoft Windows Common Log File System (CLFS) Driver.
The flaw is patched as part of the April 2025 Microsoft Patch Tuesday, and is already under active exploitation.
The flaw is tracked as CVE-2025-29824 (CVSS score 7.8), a local privilege escalation allowing execution of malicious code with elevated privileges. The issue is a use-after-free: the CLFS Driver attempts to access memory after it has been freed, creating an opportunity for attackers to execute arbitrary code with system-level privileges.
CISA notes that similar vulnerabilities have historically been used by threat actors to:
- Deploy ransomware
- Exfiltrate sensitive data
- Establish persistent access within compromised networks
CISA warns that privilege escalation vulnerabilities like CVE-2025-29824 often serve as stepping stones for attackers to conduct more extensive network compromise, including lateral movement across systems.
Organizations are strongly advised to prioritize patching this vulnerability to prevent potential system-wide breaches and to remain vigilant for signs of exploitation in their environments.
Update - As of 7 May 2025, Symantec's Threat Hunter Team has discovered that threat actors linked to the Play ransomware operation have exploited this Windows privilege escalation vulnerability as a zero-day in attacks targeting an unnamed U.S. organization.
The attack likely began through a public-facing Cisco Adaptive Security Appliance (ASA), which served as an entry point to the target network. After gaining initial access, the threat actors moved laterally to another Windows machine on the network. The attackers deployed their custom information-stealing tool called Grixba, which has previously been attributed to the Play ransomware group.
The attackers disguised their CVE-2025-29824 exploit as legitimate Palo Alto Networks software, using filenames like "paloaltoconfig.exe" and "paloaltoconfig.dll" and placing them in the Music folder. During execution, the exploit created two files in the C:\ProgramData\SkyPDF path: PDUDrv.blf (a Common Log File System base log file) and clssrv.inf (a DLL injected into the winlogon.exe process).
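The following PowerShell script is an added example, not part of the advisory or of any vendor's tooling. It is a read-only host triage check that looks for the file artifacts described above (the SkyPDF directory with PDUDrv.blf and clssrv.inf, the paloaltoconfig.exe and paloaltoconfig.dll names in a user's Music folder, and a module from that path loaded in winlogon.exe) and reports the installed CLFS driver version and updates applied since the April 2025 Patch Tuesday so an administrator can confirm the patch is in place. The function name Add-Finding, the variable names, and the assumption that user profiles live under C:\Users are mine; the script does not embed a fixed driver version because the text above does not give one, so compare the reported version against Microsoft's advisory for your build.

```powershell
# Added example (not from the advisory): read-only triage of a Windows host for
# the artifacts described in the Symantec write-up, plus patch-state reporting.
# Run from an elevated PowerShell session; assumptions are noted inline.

# File artifacts named in the write-up.
$SkyPdfDir      = 'C:\ProgramData\SkyPDF'
$SkyPdfFiles    = @('PDUDrv.blf', 'clssrv.inf')
$DisguisedNames = @('paloaltoconfig.exe', 'paloaltoconfig.dll')

$findings = [System.Collections.Generic.List[object]]::new()

# Helper (my name, not from the page) that records one finding.
function Add-Finding {
    param([string]$Category, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. The SkyPDF directory and the two files the exploit dropped there.
foreach ($name in $SkyPdfFiles) {
    $path = Join-Path $SkyPdfDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Add-Finding 'IoC file present' ("{0} (size {1}, modified {2})" -f $path, $item.Length, $item.LastWriteTime)
    }
}

# 2. The disguised binaries in any user's Music folder.
#    Assumption: profiles live under C:\Users; adjust for redirected profiles.
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($name in $DisguisedNames) {
        $path = Join-Path $profile.FullName (Join-Path 'Music' $name)
        if (Test-Path -LiteralPath $path) {
            Add-Finding 'Disguised binary' $path
        }
    }
}

# 3. Is clssrv.inf, or any module from the SkyPDF path, loaded in winlogon.exe?
#    The write-up says the DLL was injected into that process.
foreach ($proc in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
    $mods = @()
    try { $mods = $proc.Modules } catch { }   # module listing needs elevation
    foreach ($m in $mods) {
        if ($m.FileName -like "$SkyPdfDir\*" -or $m.ModuleName -ieq 'clssrv.inf') {
            Add-Finding 'Module in winlogon.exe' ("PID {0}: {1}" -f $proc.Id, $m.FileName)
        }
    }
}

# 4. Patch state: CLFS driver version and updates installed on or after the
#    April 2025 Patch Tuesday (8 April 2025). Compare the version with the fixed
#    build listed in Microsoft's advisory for this OS; no fixed version is
#    hard-coded here because the advisory text above does not state one.
$clfs = Get-Item -LiteralPath "$env:SystemRoot\System32\drivers\clfs.sys" -ErrorAction SilentlyContinue
$clfsVersion = if ($clfs) { $clfs.VersionInfo.FileVersion } else { 'clfs.sys not found' }
$recentUpdates = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.InstalledOn -ge [datetime]'2025-04-08' } |
    Sort-Object InstalledOn -Descending |
    Select-Object -ExpandProperty HotFixID

# Summary object for the host, followed by any findings.
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    ClfsDriverVersion      = $clfsVersion
    UpdatesSince2025_04_08 = ($recentUpdates -join ', ')
    Findings               = $findings.Count
}

if ($findings.Count -gt 0) {
    Write-Warning 'Artifacts matching the CVE-2025-29824 write-up were found; isolate the host and escalate to incident response.'
    $findings | Format-Table -AutoSize
}
```

The checks are deliberately read-only (Test-Path, Get-Item, Get-Process, Get-HotFix) so the script can be run across a fleet without altering evidence; an empty Findings count only means these specific artifacts were not present, not that the host is unpatched or uncompromised, so the driver version and update list still need to be reviewed against Microsoft's advisory.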