Microsoft on Tuesday shipped urgent updates for at least 120 Windows vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) marked as “actively exploited.”
The CLFS zero-day, tagged as CVE-2025-29824, allows a local attacker to gain SYSTEM privileges by exploiting a use-after-free bug, Redmond’s security response team warned.
The issue carries a CVSS severity score of 7.8/10 and requires only low-level privileges with no user interaction.
Microsoft credited its internal threat intelligence team with discovering the issue, suggesting it was being exploited by professional hacking teams. The software maker said a patch for Windows 10 is not yet available and will be shipped at a later date.
In separate documentation, Microsoft blamed a ransomware group for the attacks and said targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.
“In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware,” the company said.
Over the last few years, there have been at least 26 documented vulnerabilities in the Windows CLFS subsystem used for data and event logging and Microsoft has responded with a major new security mitigation to block these attacks.
The company’s plans include the addition of Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files and cover one of the most attractive attack surfaces for APTs and ransomware attacks.