CVE-2025-29824: The Windows CLFS Zero Day Used in Ransomware Campaigns


CVE-2025-29824 is a now-patched zero-day privilege escalation vulnerability in the Common Log File System (CLFS) driver (clfs.sys) in Windows. It was exploited in the wild by the Balloonfly threat group, associated with Play ransomware, prior to its public disclosure and patch by Microsoft on April 8, 2025. The vulnerability allows attackers to perform arbitrary kernel memory modification, enabling privilege escalation and the deployment of malware, including the Grixba infostealer.

Severity Level: High

THREAT OVERVIEW:

  1. Vulnerability Details:
    • CVE-2025-29824, with a CVSS score of 7.8, is a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver that allows attackers to exploit freed memory to escalate privileges and execute code with SYSTEM-level access.
    • Affected products: Windows Workstation and Server Products.
  2. Attack Chain Context:
    • Initial Access: via exploitation of a public-facing Cisco ASA firewall.
    • Privilege Escalation: via exploitation of CVE-2025-29824 to gain SYSTEM privileges.
    • Payload Execution: Final-stage payload often includes Play ransomware and lateral movement utilities.
  3. Root Cause:
    • The flaw lies in improper synchronization between cleanup and control operations within the CLFS driver. Specifically, race conditions exist between the following:
    • CloseHandle() – triggers IRP_MJ_CLEANUP that deallocates internal structures.
    • DeviceIoControl() – triggers IRP_MJ_DEVICE_CONTROL that uses pointers to deallocated memory (CClfsLogCcb) via FsContext2.
    • This results in a use-after-free vulnerability that allows the attacker to control kernel memory operations, leading to privilege escalation.
  4. Exploitation Details & Tools:
    • Deployment of an exploit (go.exe) that triggers the CLFS race condition on file handle operations.
    • Dual-threaded execution triggers the use-after-free on kernel memory: one thread closes a file handle while another invokes a control operation on the same handle.
    • The exploit creates artifacts in C:\ProgramData\SkyPDF\, including a base log file (PDUDrv.blf) and a malicious DLL (ClsSrv.inf) that is injected into winlogon.exe.
    • Batch files (servtask.bat, cmdpostfix.bat) are deployed to dump registry hives, create admin-level users, and schedule persistence via schtasks.
  5. Target Regions: U.S., Venezuela, Spain, and Saudi Arabia.

Recommendations:

  1. Apply the patch for CVE-2025-29824 on all affected Windows systems.
  2. Restrict external access to network devices like Cisco ASA using VPNs or access control lists.
  3. Train users and administrators to avoid executing unknown binaries or scripts—even if they masquerade as known tools (e.g., paloaltoconfig.exe).
  4. Enforce file permission policies to prevent script/binary writes to ProgramData and other shared directories.
  5. Use Application Control/Allowlisting (e.g., AppLocker) to prevent unverified software execution.
  6. Use EDR to detect misuse of CLFS and monitor suspicious PowerShell execution patterns.
  7. Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/977ba5415745671f4849d841bc148e65fe140d770ea47ed7acd60253580bfd45/iocs
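Recommendations 4 and 6 above call for watching writes to ProgramData and for EDR detection of the exploit chain. The following Python is an added example, not part of this advisory and not code from Ampcus Cyber, Symantec or Microsoft: it runs detection logic over constructed Sysmon-style events that mimic the artifacts named above (the C:\ProgramData\SkyPDF\ staging directory, go.exe, PDUDrv.blf, ClsSrv.inf, servtask.bat, cmdpostfix.bat). The staging directory and file names come from the advisory; the exact command-line patterns for hive dumps, admin user creation and schtasks persistence, the sample events, and the winlogon.exe-spawns-a-shell heuristic are assumptions made for the example.

```python
"""Hunt constructed endpoint telemetry for artifacts of the CVE-2025-29824 chain
described in the advisory: writes to the SkyPDF staging directory, the named
exploit and batch files, registry hive dumps, admin user creation and schtasks
persistence. Event samples are constructed, not taken from a real incident."""
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the advisory (matched case-insensitively).
STAGING_DIR = "c:\\programdata\\skypdf\\"
ARTIFACT_FILES = {"go.exe", "pdudrv.blf", "clssrv.inf", "servtask.bat", "cmdpostfix.bat"}

# ASSUMPTION: the advisory names the behaviour (hive dumps, admin-level user creation,
# schtasks persistence) but not the exact command text; these patterns are illustrative.
CMDLINE_RULES = {
    "hive_dump": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "admin_user_add": re.compile(
        r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)\b",
        re.I),
    "schtasks_persistence": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    kind: str            # "file_create" or "process_create" (Sysmon ID 11 / ID 1 style)
    host: str
    image: str = ""      # process image (process_create)
    parent: str = ""     # parent process image (process_create)
    cmdline: str = ""    # full command line (process_create)
    target: str = ""     # created file path (file_create)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Event]) -> List[Finding]:
    """Return one Finding per (event, rule) match."""
    findings: List[Finding] = []
    for e in events:
        if e.kind == "file_create":
            if e.target.lower().startswith(STAGING_DIR):
                findings.append(Finding(e.host, "skypdf_staging_write", e.target))
            elif _basename(e.target) in ARTIFACT_FILES:
                findings.append(Finding(e.host, "known_artifact_file", e.target))
        elif e.kind == "process_create":
            # Any named artifact referenced on a command line (e.g. cmd /c servtask.bat).
            if any(_basename(tok) in ARTIFACT_FILES for tok in e.cmdline.split()):
                findings.append(Finding(e.host, "known_artifact_in_cmdline", e.cmdline))
            for rule, rx in CMDLINE_RULES.items():
                if rx.search(e.cmdline):
                    findings.append(Finding(e.host, rule, e.cmdline))
            # ASSUMPTION/heuristic: the advisory says ClsSrv.inf is injected into
            # winlogon.exe; winlogon.exe spawning a command shell is not expected.
            if _basename(e.parent) == "winlogon.exe" and _basename(e.image) in SHELLS:
                findings.append(Finding(e.host, "winlogon_child_shell", e.cmdline))
    return findings


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed telemetry for two hosts: ws01 (compromised), ws02 (benign)
    Event("file_create", "ws01", image="C:\\Users\\u\\go.exe",
          target="C:\\ProgramData\\SkyPDF\\PDUDrv.blf"),
    Event("file_create", "ws01", image="C:\\Users\\u\\go.exe",
          target="C:\\ProgramData\\SkyPDF\\ClsSrv.inf"),
    Event("process_create", "ws01", image=SYS32 + "cmd.exe", parent=SYS32 + "winlogon.exe",
          cmdline="cmd.exe /c C:\\ProgramData\\SkyPDF\\servtask.bat"),
    Event("process_create", "ws01", image=SYS32 + "reg.exe", parent=SYS32 + "cmd.exe",
          cmdline="reg save hklm\\sam C:\\ProgramData\\SkyPDF\\sam.hiv"),
    Event("process_create", "ws01", image=SYS32 + "net.exe", parent=SYS32 + "cmd.exe",
          cmdline="net user backupsvc P@ssw0rd! /add"),
    Event("process_create", "ws01", image=SYS32 + "net.exe", parent=SYS32 + "cmd.exe",
          cmdline="net localgroup administrators backupsvc /add"),
    Event("process_create", "ws01", image=SYS32 + "schtasks.exe", parent=SYS32 + "cmd.exe",
          cmdline="schtasks /create /sc onlogon /tn Updater /tr C:\\ProgramData\\SkyPDF\\cmdpostfix.bat"),
    # Benign activity that must not fire.
    Event("file_create", "ws02", image="C:\\Program Files\\Office\\winword.exe",
          target="C:\\ProgramData\\Microsoft\\Office\\x.tmp"),
    Event("process_create", "ws02", image=SYS32 + "schtasks.exe", parent=SYS32 + "cmd.exe",
          cmdline="schtasks /query /fo list"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:<26} {f.detail}")
```

In production the same rules would be expressed as EDR/SIEM queries (Sysmon event IDs 1 and 11, or Security 4688/4663); the point of the example is the set of behaviours to key on, not the Python itself. A write under C:\ProgramData\SkyPDF\ alone is a strong signal given that the directory is specific to this campaign, while the command-line rules are generic post-exploitation behaviour and should be correlated by host and time window.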

Sources:

  • https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/
  • https://www.security.com/threat-intelligence/play-ransomware-zero-day
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824

Ampcus Cyber