Windows vulnerability CVE-2025-29824 attacked; install April 2025 updates

There is a use-after-free vulnerability CVE-2025-29824 in Windows, which has probably already been exploited by ransomware groups. Microsoft has released security updates for April 2025 that also close this vulnerability. Users and administrators should therefore install the April 2025 updates for Windows promptly to secure their systems.



The vulnerability CVE-2025-29824

The vulnerability CVE-2025-29824 is a "use after free" flaw in the Windows Common Log File System Driver. I had already pointed out the Windows Common Log File System Driver Elevation of Privilege vulnerability on April 8, 2025 in the blog post Microsoft Security Update Summary (April 8, 2025). It is classified as "important" with a CVSSv3 score of 7.8, as it allows an authorized local attacker to elevate privileges locally (to SYSTEM).

The problem: This 0-day vulnerability was already exploited in the wild before the April 2025 patchday. Microsoft discovered this vulnerability in ransomware distributed by the PipeMagic malware via the Storm-2460 group.

In the blog post Exploitation of CLFS zero-day leads to ransomware activity Microsoft already pointed this out on April 8, 2025 and disclosed details. It states that the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) discovered the 0-day vulnerability in the Windows Common Log File System (CLFS) after a small number of targets were compromised via CVE-2025-29824. The targets include information technology (IT) and real estate companies in the United States, the financial sector in Venezuela, a Spanish software company and the retail sector in Saudi Arabia.

Microsoft has patched CVE-2025-29824

Microsoft published the security advisory CVE-2025-29824 on April 8, 2025 and released fixes in the April 2025 security updates for all Windows versions still in support.

The security updates are available for 32- and 64-bit versions of Windows 7 SP1 to Windows 11 24H2 and Windows Server 2008 R2 to Windows Server 2025 via the relevant update channels (either Windows Update or Microsoft Update Catalog). For systems such as Windows 7 SP1, Windows Server 2008 R2 and 2012/R2, however, an ESU license is required to install the patches.



There were no security updates for Windows 10 1507 on the patchday on April 8, 2025. However, since April 9, 2025, the fixes in the subsequently released security update for Windows 10 1507 (RTM) have also been available (see Windows 10/11: All updates for Windows from the April 2025 patchday available). But I got reports from German blog readers that they could not download all patches from Microsoft Update Catalog.

The updates are listed in the blog posts Patchday: Windows 10/11 Updates (April 8, 2025) and Patchday: Windows Server-Updates (April 8, 2025). Because the vulnerability CVE-2025-29824 has already been exploited by ransomware, Windows systems should receive the April 2025 security updates as soon as possible.

A problem arises on systems where these updates cannot be installed. There, the cause of the installation failure should be determined and rectified.

Similar articles:
Microsoft Security Update Summary (April 8, 2025)
Patchday: Windows 10/11 Updates (April 8, 2025)
Patchday: Windows Server-Updates (April 8, 2025)
Patchday: Microsoft Office Updates (April 8, 2025)

Word/Excel 2016 crashing after April 2025 update KB5002700
Outlook 2016: Calendar access blocked after April 2025 update KB5002700
Windows 10/11: All updates for Windows from the April 2025 patchday available



One Response to Windows vulnerability CVE-2025-29824 attacked; install April 2025 updates

  1. EP says:

    "The security updates are available for 32- and 64-bit versions of Windows 7 SP1 to Windows 11 24H2 and Windows Server 2008 R2 to Windows Server 2025 via the relevant update channels (either Windows Update or Microsoft Update Catalog)."

    not true for Win7

    no such updates exist for Windows 7 SP1 as that specific version is NOT listed in MS security advisory CVE-2025-29824
