In April 2025, Microsoft patched a high-severity zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS) driver that was being exploited by the RansomEXX gang. The use-after-free flaw allowed a low-privileged local attacker to gain SYSTEM privileges on a victim's machine without any user interaction.
At the heart of CVE-2025-29824 is a use-after-free vulnerability. The issue arises from incorrect memory handling between two I/O requests—IRP_MJ_CLEANUP and IRP_MJ_CLOSE—processed when closing log file descriptors. Microsoft mitigated the flaw by relocating the call to CClfsLogCcb::Release, which decrements a reference counter, from the Cleanup function to the Close function.
Andrey Chizhov of BI.ZONE, who analyzed the in-the-wild exploit, explains the vulnerability mechanics:
“Since the memory allocated for CClfsLogCcb has already been freed during the IRP_MJ_CLEANUP I/O request, it becomes possible to invoke an IOCTL call that uses the previously freed CClfsLogCcb. This can lead to memory corruption within the kernel.”
The exploit technique relies on LookasideList behavior: freed allocations of this size are retained in the kernel's per-pool lookaside cache (up to 24 entries) instead of being returned to the pool allocator, so they remain available for reuse by subsequent allocations:
“To exploit the vulnerability, an adversary must first create at least 25 descriptors for the same log file, then close 24 of them to fill LookasideList, and finally trigger the exploit using the remaining descriptors.”
If the sequence is done correctly, the attacker-controlled object is treated as a valid CClfsLogCcb instance, and the attacker can then manipulate it through further IOCTL calls to the clfs.sys driver.
The attack chain, as described by Andrey Chizhov of BI.ZONE, begins in the dllhost.exe address space, using standard post-exploitation methods to gather kernel-space addresses via NtQuerySystemInformation. Attackers then invoke RtlSetAllBits within the kernel to enable all process privileges by traversing EPROCESS structures.
The exploitation hinges on a vulnerability in clfs.sys, the Common Log File System driver. The attackers first create a custom .blf log file at C:\ProgramData\SkyPdf\PDUDrv.blf, then escalate privileges and inject malicious payloads into processes such as winlogon.exe and procdump.exe, and finally into dllhost.exe, which is used to dump LSASS memory and steal credentials.
This access ultimately enables the deployment of RansomEXX, which is launched again through dllhost.exe.
This vulnerability’s exploitation underscores a rising trend: kernel-mode driver abuse for privilege escalation. According to Chizhov:
“clfs.sys—along with afd.sys and win32k.sys—has become a popular target for adversaries. Vulnerabilities in these drivers are frequently exploited in the wild during various attack campaigns.”
Mitigating such threats requires more than just patching. While Microsoft’s April 2025 update addresses this specific issue, defenders should:
- Deploy Endpoint Detection and Response (EDR) tools to detect abnormal behavior post-exploitation.
- Regularly apply security updates to close zero-day exposure windows.
- Conduct penetration testing to identify privilege escalation paths.
- Monitor critical driver interactions for anomalous access patterns.
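The post-exploitation chain described above leaves host-level artefacts that an EDR or SIEM rule can look for: the custom .blf file at the path named in the article, dllhost.exe reaching into winlogon.exe and LSASS, and dllhost.exe spawning procdump.exe. The following triage script is an added example written for this page; it is not code from the article or from BI.ZONE. It assumes a Sysmon-like event layout (event 1 = process create, 10 = process access, 11 = file create), an assumed allowlist of images that legitimately open LSASS, and a hypothetical lower-confidence rule for any .blf written under C:\ProgramData that would need baselining before use. All event records are constructed for the example.

```python
"""
Added example (not from the original article or BI.ZONE): host-telemetry
triage for the post-exploitation artefacts described in the CVE-2025-29824
write-up. Event layout mirrors Sysmon (1 = process create, 10 = process
access, 11 = file create); the sample records are constructed.
"""
from pathlib import PureWindowsPath

# Indicator quoted in the article: the custom CLFS log file the attackers create.
KNOWN_BLF_IOC = r"C:\ProgramData\SkyPdf\PDUDrv.blf"

# Assumed allowlist of images that legitimately open LSASS; tune per estate.
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return PureWindowsPath(path).name.lower()


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()


def scan_events(events):
    """Return a list of (rule_name, detail) alerts for the given event records."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 11:  # file create
            target = _norm(ev.get("target_filename", ""))
            if target == _norm(KNOWN_BLF_IOC):
                alerts.append(("clfs_blf_ioc", ev["target_filename"]))
            elif target.endswith(".blf") and target.startswith("c:\\programdata\\"):
                # Hypothetical generic rule: a CLFS log written under ProgramData.
                # Lower confidence; baseline legitimate writers before alerting.
                alerts.append(("clfs_blf_programdata", ev["target_filename"]))
        elif eid == 10:  # process access (handle opened on another process)
            src = _base(ev.get("source_image", ""))
            dst = _base(ev.get("target_image", ""))
            if dst == "lsass.exe" and src not in LSASS_ACCESS_ALLOWLIST:
                alerts.append(("lsass_access", f"{src} -> {dst}"))
            if src == "dllhost.exe" and dst == "winlogon.exe":
                # Article: payloads are injected from dllhost.exe into winlogon.exe.
                alerts.append(("dllhost_to_winlogon", f"{src} -> {dst}"))
        elif eid == 1:  # process create
            parent = _base(ev.get("parent_image", ""))
            child = _base(ev.get("image", ""))
            if parent == "dllhost.exe" and child == "procdump.exe":
                alerts.append(("dllhost_spawns_procdump", f"{parent} -> {child}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule so multiple distinct rules on one host can be escalated."""
    counts = {}
    for rule, _detail in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry: one benign file write, the chain from the
# article, and one allowlisted LSASS access from an AV engine.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target_filename": r"C:\Windows\Logs\CBS\CbsPersist.cab"},
    {"event_id": 11, "image": r"C:\Windows\System32\dllhost.exe",
     "target_filename": KNOWN_BLF_IOC},
    {"event_id": 10, "source_image": r"C:\Windows\System32\dllhost.exe",
     "target_image": r"C:\Windows\System32\winlogon.exe"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\dllhost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\dllhost.exe",
     "image": r"C:\Users\Public\procdump.exe"},
    {"event_id": 10, "source_image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print("distinct rules fired:", len(summarize(found)))
```

Each rule on its own is noisy in places (LSASS access in particular), so the `summarize` step exists to escalate only when several distinct rules fire on the same host within a short window, which is the pattern the article's chain produces.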