Wed Apr 09 2025

Hackers exploit a zero-day vulnerability in the common logging file system to introduce ransomware.

A group called Storm-2460 is exploiting a vulnerability to deploy the RansomEXX variant.

Microsoft has identified malicious activity carried out by a group known as Storm-2460, which is exploiting a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver. The vulnerability, tracked as CVE-2025-29824, allows privilege escalation on affected systems and has been rated with a severity score of 7.8 out of 10. Through this exploit, the attackers deploy malware called PipeMagic, which in turn facilitates the delivery of ransomware.

Notably, this vulnerability is post-compromise in nature: attackers must already have gained a foothold on a system before they can exploit the flaw. Even so, the ability to escalate privileges is highly valued by ransomware operators, because it lets them turn the initial access obtained through commodity malware into privileged access, which is crucial for deploying and activating ransomware across the affected environment.

The Storm-2460 group has used this vulnerability to target a small number of organizations, primarily in the information technology, finance, and retail sectors, with a presence in the United States, Venezuela, Spain, and Saudi Arabia. A security advisory for the vulnerability has recently been released, and organizations are strongly advised to apply the security updates to reduce the risk of ransomware deployment should threat actors manage to gain initial access.