Overview
CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) kernel driver (clfs.sys). Microsoft confirmed active exploitation by the RansomEXX ransomware group (tracked as Storm-2460) prior to the April 2025 Patch Tuesday fix.
Affected Versions
- Windows 10 (all supported versions)
- Windows 11 22H2 and 23H2 (note: 24H2 was NOT affected)
- Windows Server 2016, 2019, 2022
Exploitation in the Wild
Attackers used this vulnerability as a post-exploitation privilege escalation step following initial access via phishing. The exploit allowed unprivileged users to corrupt kernel memory and inject code into SYSTEM-level processes before deploying the ransomware payload.
Patch
Fixed in KB5055523 / KB5055521 (April 8, 2025 Patch Tuesday). Apply immediately. If immediate patching is not possible, restrict clfs.sys access via ASR rules and enable Microsoft Defender for Endpoint behavioral blocking.
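The following PowerShell script is an added example for auditing a host against the remediation above; it is not part of the original advisory and not Microsoft tooling. It checks whether either of the two KBs named above is installed, independently reads the version of the clfs.sys binary on disk (so a later cumulative update that superseded those KBs is still recognised), and reports whether the ASR rules the organisation requires are in Block mode. The KB numbers come from the advisory; the minimum clfs.sys version and the ASR rule GUIDs are placeholders the administrator fills in from their own Microsoft documentation, since the advisory does not list them.

```powershell
# Added example (not from the original advisory): audit a Windows host for the
# CVE-2025-29824 fix and the mitigation state recommended in the Patch section.
# Placeholders: $MinimumClfsVersion and $RequiredAsrRuleIds must be supplied by
# the administrator; the KB numbers are the ones the advisory names.
param(
    [string[]]$FixKbs = @('KB5055523', 'KB5055521'),
    [version]$MinimumClfsVersion = [version]'0.0.0.0',  # placeholder: patched clfs.sys version for this build
    [string[]]$RequiredAsrRuleIds = @()                 # placeholder: GUIDs of the ASR rules your org requires
)

$report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. Is one of the April 2025 update packages recorded as installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $FixKbs -contains $_.HotFixID }
$report.PatchKbInstalled = [bool]$installed
$report.InstalledKbs     = ($installed | ForEach-Object HotFixID) -join ','

# 2. Check the driver binary itself. Build a [version] from the numeric parts
#    rather than parsing the FileVersion string, which often carries a build tag.
$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$vi = (Get-Item -LiteralPath $clfsPath).VersionInfo
$clfsVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
$report.ClfsVersion      = $clfsVersion.ToString()
$report.ClfsMeetsMinimum = ($clfsVersion -ge $MinimumClfsVersion)

# 3. Are the required ASR rules present and set to Block (action value 1)?
#    Get-MpPreference exposes parallel arrays of rule ids and their actions.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$missingOrAudit = @()
foreach ($ruleId in $RequiredAsrRuleIds) {
    $idx = [array]::IndexOf(@($mp.AttackSurfaceReductionRules_Ids), $ruleId)
    if ($idx -lt 0 -or @($mp.AttackSurfaceReductionRules_Actions)[$idx] -ne 1) {
        $missingOrAudit += $ruleId
    }
}
$report.AsrRulesNotBlocking = $missingOrAudit -join ','

# 4. Overall verdict: patched by either signal, otherwise flag for follow-up.
#    Mitigations are reported separately; they reduce risk but do not replace the fix.
$report.Status = if ($report.PatchKbInstalled -or $report.ClfsMeetsMinimum) {
    'Patched'
} elseif ($RequiredAsrRuleIds.Count -gt 0 -and $missingOrAudit.Count -eq 0) {
    'Unpatched-MitigationsInPlace'
} else {
    'Unpatched'
}

[pscustomobject]$report
```

Run it elevated on each host (or wrap it in Invoke-Command for a fleet) and pipe the output to Export-Csv to get a per-machine record. Keep the two patch signals separate: Get-HotFix only sees the KBs recorded for this host, while the clfs.sys version check will also pass once a later cumulative update has replaced the listed KBs.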