Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Zero-Day Vulnerability in Microsoft Windows Common Log File System (CLFS) Driver
Alerts

Zero-Day Vulnerability in Microsoft Windows Common Log File System (CLFS) Driver

9 April 2025

Microsoft has released security updates to address a zero-day vulnerability affecting Windows CLFS Driver. Users and administrators using Windows systems are advised to update to the latest versions immediately.

Microsoft has released security updates addressing a vulnerability (CVE-2025-29824) affecting their Windows Common Log File System Driver. The vulnerability is reportedly being exploited in ransomware attacks.

Successful exploitation of the use-after-free vulnerability could allow attackers with standard user account access to gain system privileges on the Windows machines.   

The vulnerability affects the following product versions:    

  • All versions of Windows Server up to 2025

  • Windows 10 

  • Windows 11

Users and administrators of affected products are advised to update to the latest versions immediately. Security teams are also advised to monitor the CLFS driver closely using Extended Detection and Response/ Endpoint Detection and Response tools. 

Users and administrators are also advised to review their devices for any indicators of compromise as follows:

Indicators of Compromise

Indicator

Type

Description

C:\ProgramData\SkyPDF\PDUDrv.blf

Path

Dropped during CLFS exploit

C:\Windows\system32\dllhost.exe –do

Command line

Injected dllhost

bcdedit /set {default} recoveryenabled no

Command line

Ransomware command

wbadmin delete catalog -quiet

Command line

Ransomware command

wevtutil cl Application

Command line

Ransomware command

aaaaabbbbbbb.eastus.cloudapp.azure[.]com

Domain

Used by PipeMagic

More information is available here:

https://nvd.nist.gov/vuln/detail/CVE-2025-29824

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824

https://www.helpnetsecurity.com/2025/04/08/patch-tuesday-microsoft-zero-day-cve-2025-29824/

https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/

https://therecord.media/microsoft-zero-day-used-ransomware-attack-real-estate


Back to top