CVE-2025-29824

Published Apr 8, 2025

Last updated 20 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver. Successful exploitation of this vulnerability allows an attacker to elevate their privileges to SYSTEM, meaning they can gain complete control over the affected system. This vulnerability has been exploited in the wild as a zero-day, meaning attackers were actively using it before a patch was available. It has been associated with ransomware attacks, where attackers use the elevated privileges to deploy ransomware. The vulnerability was addressed in Microsoft's April 2025 Patch Tuesday update.

Description: Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
Source: secure@microsoft.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
Exploit added on: Apr 8, 2025
Exploit action due: Apr 29, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@microsoft.com: CWE-416

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

14

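  1. In 2025, research findings showed that 28.3% of vulnerabilities are exploited within 24 hours of disclosure. 80% of zero-day vulnerabilities are attacked before a patch is available, and conventional monthly patch operations cannot respond in time. CVE-2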

    @yousukezan

    14 May 2025

    4566 Impressions

    16 Retweets

    61 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

  2. https://t.co/moILmlv9Gy Play ransomware exploits Windows zero-day vulnerability  According to Symantec, the Play ransomware group and affiliated groups are using an exploit targeting the zero-day vulnerability CVE-2025-29824. Although the vulnerability was patched by Microsof

    @B2bCyber

    14 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    14 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    14 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    12 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    11 May 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Storm-2460 just waltzed through CVE-2025-29824 like it was an open bar 🍸 PipeMagic's doing tricks, and your EDR's still "thinking about it" 💤 Skip the guesswork. We did the research. You just read it. 🧠 👉 https://t.co/x5v1vefCCH #AlphaHunt #CyberSecurity

    @alphahunt_io

    11 May 2025

    247 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    10 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. 🚨 Play Ransomware exploited the CVE-2025-29824 vulnerability in Windows before the patch, gaining elevated privileges and full system control. Affected countries include the US, Venezuela, Spain. 🔗https://t.co/ohGeRApIAM #Ransomware #CyberSecurity #ZeroDay #PatchNow htt

    @protecticore

    10 May 2025

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. A ransomware called play ransomware has been released that uses the vulnerability with the identifier (CVE-2025-29824) for privilege escalation. This vulnerability was patched by Microsoft

    @AmirHossein_sec

    10 May 2025

    47 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    10 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month's Patch Tuesday. https://t.co/LSntOdQeaC

    @luipo_

    9 May 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Threat Alert: Play Ransomware Exploiting Windows 0-Day Vulnerability CVE-2025-29824 📅 Date: 2025-04-08 📆 Timeline: Attack occurred prior to public patch on April 8, 2025, with reconnaissance and exploitation steps executed before detection. Patching and advisories re

    @syedaquib77

    9 May 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 Threat Alert: Balloonfly Ransomware Group Exploits Windows Zero-Day Vulnerability CVE-2025-29824 📅 Date: 2025-04-08 📆 Timeline: Initial exploitation detected early 2025; Microsoft patch released 2025-04-08; ongoing monitoring for further activity. 📍 Location: Uni

    @syedaquib77

    9 May 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Ransomware groups exploit a Windows zero-day vulnerability in cyberattacks (CVE-2025-29824) #セキュリティ対策Lab #セキュリティ #Security https://t.co/ypMsAGRb3w

    @securityLab_jp

    9 May 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 Possible active exploitation of CVE-2025-29824 as a zero-day in Windows 🔍 A campaign has reportedly been identified that exploits the CVE-2025-29824 (CLFS) vulnerability as a possible zero-day to compromise Windows systems, even affecting organizations in the US and MX

    @tpx_Security

    8 May 2025

    107 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  17. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    8 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  18. 🗞️ Play Ransomware Gang Exploits Windows CLFS Zero-Day for SYSTEM Privileges The Play ransomware gang leveraged a Windows CLFS zero-day flaw, CVE-2025-29824, to gain SYSTEM privileges and deploy malware in targeted US attacks. Microsoft patched the vulnerability in April 20

    @gossy_84

    8 May 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

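  19. 🚨 Play ransomware exploits a vulnerability in the Windows Common Log File System in zero-day attacks (CVE-2025-29824) 🇪🇸 DDoS attacks targeting Europe rose 88% in March, with Spain the biggest target ~Cyber Alert, May 8~ htt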

    @MachinaRecord

    8 May 2025

    53 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨 Ransomware groups exploited Windows zero-day before patch CVE-2025-29824 let attackers gain system privileges to drop malware like PipeMagic and Grixba. Patch now if you haven’t. https://t.co/RhM5iImQZc #ZeroDay #CVE202529824 #ransomware https://t.co/8GIoQCJB3R

    @dCypherIO

    7 May 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 Threat Alert: Exploitation of Windows Zero-Day CVE-2025-29824 by Multiple Ransomware Groups 📅 Date: 2025-04 📆 Timeline: Initial exploitation detected prior to April 2025 patch release; ongoing ransomware activity observed through April 2025. 📍 Location: United St

    @syedaquib77

    7 May 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. The Play ransomware gang exploited a critical Windows zero-day flaw (CVE-2025-29824) to escalate privileges, install backdoors, and deploy malware across global sectors including finance & government. Stay aware! ⚠️ #WindowsVuln #GlobalThreats https://t.co/AKXBPRyUn7

    @TweetThreatNews

    7 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. In early May 2025, cybersecurity researchers from Symantec's Threat Hunter Team reported that the Play ransomware group exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, to breach a U.S.-based organization. https://t.co/7nUHUiuLur https://t.co

    @CoroMSP

    7 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Play ransomware actors exploited a zero-day flaw in Windows (CVE-2025-29824) for privilege escalation, targeting a U.S. org with info theft tools like Grixba disguised as Palo Alto. 🚨 Stay alert. #ZeroDay #US #Threat https://t.co/KarqWgCc3L

    @TweetThreatNews

    7 May 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization https://t.co/LoWpn9xPyO

    @Dinosn

    7 May 2025

    2225 Impressions

    7 Retweets

    28 Likes

    8 Bookmarks

    0 Replies

    1 Quote

  26. Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization https://t.co/2g83sSGvAn https://t.co/oyQ62TQepI

    @talentxfactor

    7 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization. Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a... https://t.co/LdsdrSfIe1 #InceptusSecure #UnderOurProtection

    @Inceptus3

    7 May 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    7 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  29. Play #Ransomware Exploited #Windows #CVE-2025-29824 as Zero-Day to Breach U.S. Organization https://t.co/tgO53B4ONM

    @ScyScan

    7 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. The Hacker News - Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization https://t.co/iQO70ggc65

    @buzz_sec

    7 May 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Multiple threat groups exploited the Windows zero-day CVE-2025-29824 before patches, impacting organizations worldwide. Storm-2460 was linked to some attacks using malware. Stay vigilant! 🖥️ #Windows #CyberThreats #Global https://t.co/7ujQO6hotI

    @TweetThreatNews

    7 May 2025

    33 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  32. 📌 The perpetrators of the Play ransomware attack exploited a recent security flaw in Windows (CVE-2025-29824) as a zero-day to target an organization in the United States. According to the Symantec Threat Hunter team,

    @Cybercachear

    7 May 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. 📍Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization https://t.co/GQDPJJ5mGt

    @cyberetweet

    7 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🚨 A U.S. org was hit by Play ransomware using CVE-2025-29824 before it was patched. Attackers slipped in via a Cisco ASA, dropped fake Palo Alto files, stole AD data, and planted custom tools — but didn’t launch ransomware. 🔗 Read: https://t.co/6y6DsuyGrT

    @TheHackersNews

    7 May 2025

    12206 Impressions

    40 Retweets

    88 Likes

    18 Bookmarks

    0 Replies

    1 Quote

  35. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    5 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    4 May 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. Storm-2460 just walked through CVE-2025-29824 like it was an open bar 🍸 PipeMagic’s doing tricks, and your EDR’s still “thinking about it” 💤 Skip the guesswork. We did the research. You just read it. 🧠 👉 https://t.co/x5v1vegasf #AlphaHunt #CyberSecurity

    @alphahunt_io

    2 May 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    2 May 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. New Post: Windows CLFS Zero-Day Exposed: CVE-2025-29824 Under Attack & How to Protect Yourself https://t.co/GPKwQPU2QI https://t.co/pZDJfRMbBQ

    @PCRuns4U

    2 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 🚨 CVE-2025-29824 - Windows CLFS Elevation of Privilege Vulnerability 🚨 🔐 Urgency Level: High 📈 CVSS: 7.8 https://t.co/F2gCdfoNIV

    @BanCERT_gt

    1 May 2025

    8 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    1 May 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Make sure you patch for this tweeps: CVE-2025-29824 https://t.co/RVUEU9RcIP

    @UK_Daniel_Card

    29 Apr 2025

    4383 Impressions

    15 Retweets

    56 Likes

    14 Bookmarks

    4 Replies

    1 Quote

  43. New vulnerability 🚨 CVE-2025-29824 It lets hackers take full control of your PC if they already have access. Microsoft has just released a patch https://t.co/JEf4qmOiOC

    @blindma1den

    29 Apr 2025

    2148 Impressions

    12 Retweets

    64 Likes

    15 Bookmarks

    2 Replies

    0 Quotes

  44. Actively exploited CVE : CVE-2025-29824

    @transilienceai

    28 Apr 2025

    39 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  45. 2. Windows CLFS Zero-Day Vulnerability (CVE-2025-29824) Microsoft has patched an actively exploited zero-day vulnerability (CVE-2025-29824), found in the Windows Common Log File System (CLFS) component, as part of the April 2025 security updates. This vul

    @MuratDemirtas

    28 Apr 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. Hey! Heads up, RansomEXX is exploiting a Windows zero-day (CVE-2025-29824) thru the CLFS driver. They're after SYSTEM-level access, and Windows 10 patches are delayed! Stay safe! https://t.co/vXKfOeqFcO

    @fin_tech_news_

    26 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Hey, did you hear about PipeMagic? It uses a Windows zero-day (CVE-2025-29824) to get SYSTEM privileges - like, total control! Patch ASAP! https://t.co/XbgaBnMvO0

    @storagetechnews

    26 Apr 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. Storm-2460 waltzed in through CVE-2025-29824 like it was an open bar 🍸 PipeMagic’s doing tricks, and your EDR’s still “thinking about it” 💤 Skip the guesswork. We did the research. You just read it. 🧠 👉 https://t.co/x5v1vegasf #AlphaHunt #AskYourTIP #Cyber

    @alphahunt_io

    26 Apr 2025

    25 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 3. Windows CLFS Zero Day Vulnerability (CVE-2025-29824) Microsoft has released a patch to fix an actively exploited zero-day security vulnerability (CVE-2025-29824) found in the Windows Common Log File System (CLFS) driver. This vulnerability, attackers' system privileges

    @MuratDemirtas

    23 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. A zero-day vulnerability in Windows CLFS (CVE-2025-29824) has been exploited by the ransomware group Storm-2460 using PipeMagic malware. Targets include organizations in the U.S., Venezuela, Spain, and Saudi Arabia. #CyberSecurity #ZeroDay #WindowsUpdate https://t.co/dZzScav70b

    @MainNerve

    22 Apr 2025

    112 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations