Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)

April 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 120+ vulnerabilities, including a zero-day (CVE-2025-29824) that’s under active attack.


CVE-2025-29824

CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) that can be – and is being – exploited by attackers to elevate their privileges to SYSTEM on previously compromised Windows machines.

“CLFS is no stranger to Patch Tuesday – since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging 10 each year, with six exploited in the wild. The last CLFS zero-day flaw exploited in the wild was patched in December 2024 (CVE-2024-49138),” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security, and noted that elevation of privilege flaws in CLFS have become especially popular among ransomware operators over the years.

We don’t know how widespread the attacks involving the exploitation of this vulnerability are, we know only that Microsoft Threat Intelligence Center has been credited with reporting the flaw. Still, that’s enough incentive to prioritize this patch.

CVE-2025-29824 affects a variety of Windows Server and Windows versions, and security updates have been provided for most. “The security update for Windows 10 for x64-based systems and Windows 10 for 32-bit systems are not immediately available,” Microsoft said, and noted that the updates will be released as soon as possible.

“In the absence of a security update, organizations should take proactive steps to mitigate risk,” Ben McCarthy, lead cyber security engineer at Immersive Labs, said.

“Security teams are advised to monitor the CLFS driver closely using EDR/XDR tools. This includes watching for processes interacting with clfs.sys, being spawned by it, or showing anomalous behavior when communicating with other drivers or memory spaces.”

Other vulnerabilities of note

Microsoft has fixed a slew of flaws leading to elevation of privilege (EOP) and remote code execution (RCE).

Among the critical RCE flaws are CVE-2025-26663 and CVE-2025-26670, both unauthenticated use-after-free weaknesses in the Windows Lightweight Directory Access Protocol (LDAP), both requiring an attacker to win a race condition to exploit them, and both triggerable via specially crafted requests sent sequentially to a vulnerable LDAP server.

“Since just about everything can host an LDAP service, there’s a plethora of targets out there. And since no user interaction is involved, these bugs are wormable,” says Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

“LDAP really shouldn’t be allowed through your network perimeter, but don’t rely on that alone. Test and deploy these updates quickly – unless you’re running Windows 10. Those patches aren’t available yet.”

Similarly, two RCE vulnerabilities in Windows Remote Desktop Services (RDP) – CVE-2025-27480 and CVE-2025-27482 – can be exploited without any user interaction, but the (unauthorized) attacker must first connect to a system with the Remote Desktop Gateway role and trigger a race condition to create an exploitable use-after-free scenario.

Aside from implementing the offered security updates, users would do well to either make RDP unreachable from the internet or reachable only from trusted IP addresses.
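One way to apply the second of those mitigations on a Windows host, as an added example that is not part of the original article: restrict the built-in "Remote Desktop" firewall rule group and the Remote Desktop Gateway listeners (HTTPS 443/TCP and UDP 3391) to a trusted address list, then read the resulting scopes back. The trusted ranges and the rule display names are assumptions chosen for illustration.

```powershell
# Assumed trusted management ranges (constructed for this example).
$TrustedRanges = @('10.10.0.0/24', '192.0.2.50')

# Scope the built-in Remote Desktop rules (TCP/UDP 3389) to trusted sources
# instead of the default "Any" remote address.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
    -RemoteAddress $TrustedRanges

# Remote Desktop Gateway listens on 443/TCP (HTTP transport) and 3391/UDP.
# Create scoped inbound rules if they do not already exist (names are assumed).
$GatewayRules = @(
    @{ Name = 'RD Gateway HTTPS (trusted only)'; Proto = 'TCP'; Port = 443 },
    @{ Name = 'RD Gateway UDP (trusted only)';   Proto = 'UDP'; Port = 3391 }
)
foreach ($r in $GatewayRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Proto -LocalPort $r.Port -Action Allow `
            -Profile Domain, Private -RemoteAddress $TrustedRanges | Out-Null
    }
}

# Verify: list every inbound rule touching RDP/RD Gateway ports together with
# its remote-address scope; anything still showing "Any" needs attention.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.LocalPort -in @('3389', '443', '3391')) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Port          = "$($port.Protocol)/$($port.LocalPort)"
                RemoteAddress = ($addr.RemoteAddress -join ', ')
                Profile       = $_.Profile
            }
        }
    } | Format-Table -AutoSize
```

Run from an elevated PowerShell session; this narrows network exposure but is not a substitute for installing the security updates.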

Among the “more likely” to be exploited bugs fixed this time around are also:

  • CVE-2025-27472, a flaw allowing attackers to bypass Windows Mark of the Web (MotW) defenses
  • CVE-2025-27727, an EOP flaw in the Windows Installer
  • CVE-2025-29809, a vulnerability that can allow authorized attackers to bypass Windows Defender Credential Guard to leak Kerberos (authentication) credentials.

None of these have been patched in Windows 10 for x64-based systems and Windows 10 for 32-bit systems, but those security updates are in the works and will be released as soon as possible.

As a side note: Microsoft had planned to end support for driver update synchronization to Windows Server Update Services (WSUS) servers, but changed its mind.

For the time being, “WSUS will continue to synchronize driver updates from the Windows Update service and import them from the Microsoft Update Catalog,” the company said on Monday, but reiterated a call for organizations “to start exploring ways to use alternative in-support technology for better security and productivity.”

UPDATE (April 9, 2025, 07:50 a.m. ET):

CVE-2025-29824, the Windows CLFS zero-day, has been exploited by attackers who first delivered the PipeMagic trojan, then used the zero-day to elevate their privileges on target hosts to SYSTEM, and finally attempted to deliver ransomware to a “small number of targets”, Microsoft’s threat analysts have confirmed.

“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” the analysts added.

They don’t know how the attacker gained initial access to targeted systems, but they noted that the exploit the attackers used for CVE-2025-29824 did not work on Windows 11, version 24H2, even if the vulnerability was present.
