
CVE-2025-29824

Windows Common Log File System (CLFS) Zero-Day

Overview

CVE-2025-29824 is a zero-day elevation of privilege vulnerability (a use-after-free) in the Windows Common Log File System (CLFS) kernel driver, clfs.sys. A local attacker running as a low-privileged user can trigger it to execute code as SYSTEM. It was exploited in the wild before a fix was available, and the exploitation led to ransomware deployment. Microsoft patched the vulnerability on April 8, 2025.

Windows 11, version 24H2 is not affected by the observed exploit even though the vulnerable code is present: the exploit chain depends on leaking kernel addresses through NtQuerySystemInformation, and 24H2 restricts the relevant system information classes to callers holding SeDebugPrivilege, which a low-privileged user does not have.

Technical Details

Exploitation

The vulnerability was used for post-compromise privilege escalation, after initial access had already been obtained, typically through the PipeMagic backdoor. Once on the host, the attackers used the exploit to move from a standard user context to SYSTEM and then deployed ransomware.

The exploit was first observed in a small number of targeted intrusions, but its use in ransomware campaigns raised its visibility and the urgency of patching.
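A hunting heuristic for CLFS-driver exploitation attempts, added here as an example that is not part of the original page and is not derived from the artifacts of the observed campaign: user-mode code reaches clfs.sys through CLFS log files (.blf), so creation of .blf files in user-writable directories by processes that are not known CLFS users is worth triage. The Sysmon-style events below are constructed sample input, and the baseline of known writers and the list of user-writable roots are assumptions to tune per environment.

```powershell
# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate).
# These are not real telemetry from the incident described on this page.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-04-01 10:02:11'; Image = 'C:\Windows\System32\svchost.exe';
                       TargetFilename = 'C:\Windows\System32\config\TxR\{0000}.TxR.blf'; User = 'NT AUTHORITY\SYSTEM' },
    [pscustomobject]@{ UtcTime = '2025-04-01 10:05:40'; Image = 'C:\Users\alice\AppData\Local\Temp\stage2.exe';
                       TargetFilename = 'C:\Users\alice\AppData\Local\Temp\log1.blf'; User = 'CORP\alice' },
    [pscustomobject]@{ UtcTime = '2025-04-01 10:06:02'; Image = 'C:\Users\alice\Downloads\update.exe';
                       TargetFilename = 'C:\ProgramData\cache\a.blf'; User = 'CORP\alice' },
    [pscustomobject]@{ UtcTime = '2025-04-01 10:07:15'; Image = 'C:\Windows\System32\msiexec.exe';
                       TargetFilename = 'C:\Windows\Temp\x.blf'; User = 'NT AUTHORITY\SYSTEM' }
)

function Find-SuspiciousClfsLogCreation {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        # Assumed baseline of processes that legitimately create CLFS logs. Tune per environment.
        [string[]]$KnownWriters = @(
            'C:\Windows\System32\svchost.exe',
            'C:\Windows\System32\lsass.exe',
            'C:\Windows\System32\msiexec.exe'
        ),
        # Assumed user-writable roots where a new CLFS log from an unknown process is unusual.
        [string[]]$UserWritableRoots = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\')
    )

    foreach ($e in $Events) {
        # Only CLFS base log files are of interest.
        if ($e.TargetFilename -notmatch '\.blf$') { continue }

        $inUserPath  = $UserWritableRoots | Where-Object { $e.TargetFilename.StartsWith($_, 'OrdinalIgnoreCase') }
        $knownWriter = $KnownWriters -contains $e.Image   # string -contains is case-insensitive

        if ($inUserPath -and -not $knownWriter) {
            [pscustomobject]@{
                UtcTime        = $e.UtcTime
                Image          = $e.Image
                TargetFilename = $e.TargetFilename
                User           = $e.User
                Reason         = 'CLFS log (.blf) created in user-writable path by non-baseline process'
            }
        }
    }
}

# Against the constructed sample, the two events from alice's processes are flagged;
# the svchost.exe and msiexec.exe events are not.
Find-SuspiciousClfsLogCreation -Events $SampleEvents | Format-Table -AutoSize
```

This is a triage filter, not a signature: legitimate software does create CLFS logs, so the value is in the combination of an unusual writer with an unusual location, and the baseline must be built from your own telemetry before the output is trusted.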

Affected Systems

The vulnerable code is present across supported Windows client and server releases, and all of them received the April 8, 2025 fix. Windows 11, version 24H2 is a special case: it contains the vulnerable driver but is not affected by the observed exploitation, because the kernel-address leak the exploit relies on is blocked there (the relevant NtQuerySystemInformation information classes require SeDebugPrivilege on 24H2).

Patch Information

Microsoft released security updates on April 8, 2025 as part of Patch Tuesday. Users and administrators are strongly advised to apply the update immediately.

The NtQuerySystemInformation restriction that protects Windows 11, version 24H2 is a change inside the kernel, not a setting that can be applied to earlier releases, so there is no configuration workaround: systems that cannot be patched remain exploitable by a local low-privileged attacker. Such hosts should be isolated or prioritized, and monitored for the post-compromise pattern described above (an unprivileged process obtaining SYSTEM, followed by ransomware deployment).
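A quick status check for the two questions an administrator has to answer per host, the build-level mitigation and the April 2025 update, added here as an example that is not from the original page or from Microsoft. It assumes that Windows 11, version 24H2 is OS build 26100, and it uses the presence of a "Security Update" hotfix installed on or after April 8, 2025 as a proxy for the fix being present; the specific KB numbers for each release should be confirmed against the MSRC advisory for CVE-2025-29824 before a host is recorded as patched.

```powershell
function Get-ClfsPatchStatus {
    [CmdletBinding()]
    param(
        # Patch Tuesday on which the CVE-2025-29824 fix shipped.
        [datetime]$PatchTuesday = [datetime]'2025-04-08',
        # Assumption: Windows 11, version 24H2 is build 26100 and later builds keep the mitigation.
        [int]$MitigatedBuild = 26100
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Cumulative updates appear in Get-HotFix with Description 'Security Update' and an InstalledOn date.
    $recentSecurity = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending

    # Metadata of the CLFS driver itself, to compare with the fixed version listed in the advisory.
    $clfs = Get-Item -Path (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OsVersion           = $os.Version
        Build               = $build
        Has24H2Mitigation   = ($build -ge $MitigatedBuild)
        PostPatchTuesdayKBs = (@($recentSecurity).HotFixID -join ',')
        LikelyPatched       = (@($recentSecurity).Count -gt 0)
        ClfsFileVersion     = $clfs.VersionInfo.FileVersion
        ClfsLastWriteUtc    = $clfs.LastWriteTimeUtc
    }
}

Get-ClfsPatchStatus | Format-List
```

A host with Has24H2Mitigation set to True is protected against the observed chain but still carries the vulnerable driver, so LikelyPatched is the value that matters for fleet reporting; a host with both False is the priority case.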
