CVE-2025-29824
clfs.sys — Common Log File System elevation of privilege via log file metadata corruption
Exploited in the Wild
Actively exploited by Storm-2460 threat actor to deploy RansomEXX ransomware in April 2025. Targets included IT and real estate organizations in the United States, financial sector in Venezuela, a Spanish software company, and Saudi retail.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Use-After-Free / Logic Bug |
| Vulnerable Build | 10.0.26100.3476 and earlier |
| Fixed Build | 10.0.26100.3775 (KB5055523, April 2025) |
| Exploited ITW | Yes |
Affected Functions
- CClfsBaseFilePersisted::LoadContainerQ
- ClfsDecodeBlock
- CClfsBaseFilePersisted::WriteMetadataBlock
Root Cause
The Common Log File System (clfs.sys) is responsible for managing Base Log Files (BLF) and their associated metadata. The vulnerability exists in how CLFS processes container context structures within a BLF file. When loading container descriptors from disk, the LoadContainerQ function does not adequately validate offsets stored in the base record header.
An attacker can craft a malicious BLF file where container context offsets point beyond the bounds of the base record allocation. When CLFS processes this file, it reads and writes using these corrupted offsets, leading to out-of-bounds memory access in the kernel pool. The corrupted offset allows the attacker to manipulate adjacent pool memory, effectively creating a use-after-free condition when the log is subsequently closed or flushed.
AutoPiff categorizes this as out-of-bounds write via corrupted metadata offset with detection rules:
added_offset_bounds_check— identifies new validation on BLF structure offsets in the patchadded_container_count_validation— detects container array bounds checkingmodified_blf_parser_logic— flags changes to core BLF parsing routines
Exploitation
Storm-2460 leveraged this vulnerability as part of a multi-stage attack chain. Initial access was achieved through various means, after which the PipeMagic backdoor was deployed. The exploit targets the CLFS vulnerability to escalate privileges from a standard user to SYSTEM.
The exploitation follows the established CLFS corruption pattern: a crafted BLF file is written to disk with manipulated container context offsets. When the log file is opened and processed by the kernel, the corrupted offsets cause out-of-bounds writes in the NonPagedPoolNx. The attacker uses pool spray with named pipe objects to control adjacent allocations, and the OOB write corrupts a pipe attribute entry.
The corrupted pipe attribute provides an arbitrary read primitive via FSCTL_PIPE_GET_ATTRIBUTE, which is used to leak kernel addresses (defeating KASLR) and locate the current process _EPROCESS structure. A second stage uses the I/O Ring technique to achieve a stable arbitrary write, which performs a token swap — overwriting the current process token pointer with the SYSTEM token to achieve full privilege escalation.
After gaining SYSTEM privileges, the exploit injects a payload into winlogon.exe and deploys the RansomEXX ransomware. The exploit was observed only on Windows 11 24H2 systems; Windows 11 version 24H2 systems updated after April 2025 are protected.
Patch Analysis
The April 2025 security update adds bounds validation to the BLF metadata parsing routines. Specifically, LoadContainerQ now validates that container context offsets fall within the allocated base record size before dereferencing them. Additional checks were added to ClfsDecodeBlock to verify the integrity of sector offset arrays in log block headers.
The patch also introduces stricter validation in WriteMetadataBlock to prevent writing corrupted metadata back to disk, reducing the attack surface for persistent BLF manipulation.
AutoPiff detects this change via the added_offset_bounds_check rule, which identifies new comparison instructions that validate structure offsets against allocation boundaries before pointer arithmetic operations.
Detection
YARA Rule
rule CVE_2025_29824_CLFS {
meta:
description = "Detects vulnerable version of clfs.sys (pre-patch)"
cve = "CVE-2025-29824"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "clfs.sys" wide ascii nocase
$internal_name = "InternalName" wide
$vuln_version = "10.0.26100.3476" wide ascii
$blf_marker = { 42 4C 46 30 }
$func_load = "CClfsBaseFilePersisted::LoadContainerQ" ascii
condition:
$mz at 0 and $driver_name and $internal_name and $vuln_version
}
rule CVE_2025_29824_BLF_Artifact {
meta:
description = "Detects crafted BLF file with suspicious container context offsets"
cve = "CVE-2025-29824"
author = "KernelSight"
severity = "high"
strings:
$blf_magic = { 42 4C 46 30 }
$container_ctx = { 00 00 00 00 ?? ?? ?? ?? FF FF FF FF }
condition:
$blf_magic at 0 and $container_ctx
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-CLFS |
BLF file open/create operations | Detects creation or manipulation of CLFS log files, the attack entry point |
Microsoft-Windows-Kernel-Audit |
Token modification events | Captures the SYSTEM token swap performed after exploitation |
Microsoft-Windows-Security-Auditing |
Event 4688 — Process creation | Detects winlogon.exe spawning unexpected child processes post-injection |
Microsoft-Windows-Kernel-Process |
Process token change | Identifies the privilege escalation from standard user to SYSTEM |
Behavioral Indicators
- An unprivileged user process calling
CreateLogFile/AddLogContainerto create or open BLF log files in user-writable directories, followed immediately by kernel-mode CLFS processing errors - Heavy
NtFsControlFileactivity with FSCTL_PIPE_GET_ATTRIBUTE indicating named pipe attribute reads used to build the arbitrary-read primitive after pool corruption - Anomalous NonPagedPoolNx allocation patterns consistent with named pipe object pool spraying preceding the BLF file open
- Sudden token replacement on a low-privilege process (observable via
_EPROCESS.Tokenpointer change) escalating to SYSTEM without going through standard UAC or service elevation - Post-exploitation injection into
winlogon.exefrom a non-SYSTEM process, followed by ransomware file I/O (bulk file renames/encryptions)