Microsoft April 2025 Patch Tuesday: Actively Exploited CLFS Zero-Day (CVE-2025-29824) and 11 Critical RCE Flaws Across 121 CVEs

Microsoft’s April 2025 Patch Tuesday release addressed 121 CVEs, including one actively exploited zero-day and 11 critical vulnerabilities—all assessed as remote code execution (RCE) issues by multiple exposure-management and security research teams. According to Tenable’s April 2025 Patch Tuesday analysis and Rapid7’s April 2025 Patch Tuesday write-up, the zero-day is CVE-2025-29824, a Windows Common Log File System (CLFS) elevation-of-privilege (EoP) flaw exploited in the wild.

Microsoft’s own threat intelligence reporting states that exploitation of CVE-2025-29824 was observed post-compromise and used to enable ransomware activity by a cluster Microsoft tracks as Storm-2460, including credential theft and destructive impact steps. See Microsoft Threat Intelligence’s analysis of the CLFS zero-day and related ransomware activity.

Note on counting: Some third-party reporting cites a higher total (e.g., 134) depending on whether browser and platform-specific issues (such as Edge/Chromium or other “outside the core Windows/MSRC roll-up” items) are included. For example, BleepingComputer’s April 2025 Patch Tuesday coverage uses a different counting methodology than sources focusing strictly on the 121 CVEs in the primary release.


1. Executive Summary

April 2025 Patch Tuesday is notable for in-the-wild exploitation of CVE-2025-29824, a CLFS kernel-driver EoP that Microsoft says enabled ransomware operations following initial compromise. Microsoft Threat Intelligence attributes the observed activity to Storm-2460 and links it to PipeMagic malware deployment and subsequent ransomware behaviours. In parallel, Microsoft released fixes for 11 critical RCE vulnerabilities among 121 total CVEs, increasing the urgency for enterprises with exposed services such as LDAP and Remote Desktop Gateway. Rapid7 and Tenable both recommend prioritising patch deployment for internet-adjacent assets and high-value identity infrastructure.


2. Contextual Background

2.1 Nature of the threat

Representative critical RCE vulnerabilities highlighted by researchers (non-exhaustive):

2.2 Threat-actor attribution

Storm-2460 (Confirmed) — Microsoft attributes the observed exploitation and follow-on ransomware activity to an actor it tracks as Storm-2460, including deployment of PipeMagic and post-exploitation credential access and destructive actions. (Microsoft Threat Intelligence)

Microsoft further notes that the ransom note and infrastructure observed overlap with reporting tied to the RansomEXX ecosystem; however, defenders should treat this as campaign-level linkage rather than definitive code-family confirmation, as Microsoft states it could not obtain a ransomware sample for analysis. (Microsoft Threat Intelligence)

2.3 Sector and geographic targeting

Microsoft reports a small number of targets across multiple sectors and geographies, including organisations in IT and real estate (United States), financial services (Venezuela), a software company (Spain), and retail (Saudi Arabia). (Microsoft Threat Intelligence)


3. Technical Analysis

3.1 Vulnerability and TTP overview

CVE-2025-29824 is described as a CLFS kernel-driver use-after-free leading to local privilege escalation, enabling attackers with an existing foothold to obtain SYSTEM-equivalent capabilities and proceed with credential theft and ransomware deployment. (NVD) (Microsoft Threat Intelligence)

Based on behaviours Microsoft describes in the observed intrusions, the following ATT&CK techniques are relevant:

3.2 Exploitation status

Confirmed exploitation in the wild: Microsoft states it observed exploitation of CVE-2025-29824 against a small number of customers. (Microsoft Threat Intelligence)

CISA KEV: Rapid7 notes the exploited status is reflected in CISA’s Known Exploited Vulnerabilities programme. (Rapid7) CISA also issued an alert on 8 April 2025 regarding additions to the KEV catalogue. (CISA alert)

Platform note: Microsoft indicates Windows 11 version 24H2 was not affected by the observed exploitation due to changes around access to certain system information classes. (Microsoft Threat Intelligence)


4. Impact Assessment

4.1 Severity and scope

CVE-2025-29824 carries a CVSS v3.1 base score of 7.8 (High) on NVD and enables local privilege escalation, which is especially dangerous when chained after an initial compromise. (NVD)

The broader Patch Tuesday release includes 11 critical RCE flaws, which often represent a higher “blast radius” risk when they affect ubiquitous services (e.g., LDAP) or perimeter-adjacent roles (e.g., Remote Desktop Gateway). (Rapid7) (Tenable)

4.2 Victim profile

Microsoft’s observed victims spanned multiple sectors and regions (US, Venezuela, Spain, Saudi Arabia), with activity consistent with targeted ransomware operations rather than opportunistic mass exploitation at time of reporting. (Microsoft Threat Intelligence)


5. Indicators of Compromise (IOCs)

5.1 IOC table

| Type | Value | Context/Notes | Source |
|---|---|---|---|
| File path | C:\ProgramData\SkyPDF\PDUDrv.blf | CLFS BLF file created by the exploit (observed during exploitation) | Microsoft Threat Intelligence research |
| Domain | aaaaabbbbbbb.eastus.cloudapp.azure[.]com | Domain Microsoft associates with a PipeMagic sample; reportedly disabled | Microsoft Threat Intelligence research |
| Command line | dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random] | LSASS dumping via injected Sysinternals procdump behaviour | Microsoft Threat Intelligence research |
| Command line | C:\Windows\system32\dllhost.exe --do [path] | Ransomware launched from dllhost.exe with --do argument | Microsoft Threat Intelligence research |
| Command line | bcdedit /set {default} recoveryenabled no | Recovery inhibition observed as part of ransomware activity | Microsoft Threat Intelligence research |
| Command line | wbadmin delete catalog -quiet | Backup catalogue deletion (recovery inhibition) | Microsoft Threat Intelligence research |
| Command line | wevtutil cl Application | Event log clearing observed in ransomware activity | Microsoft Threat Intelligence research |
| Ransom note | !_READ_ME_REXX2_!.txt | Ransom note name reported by Microsoft (ransomware sample not obtained) | Microsoft Threat Intelligence research |

5.2 Detection guidance

Microsoft published hunting queries and detection guidance aligned to the activity, including:

  • Hunting for BLF creation under C:\ProgramData\SkyPDF\ via endpoint telemetry
  • Process creation with LSASS dump command lines resembling dllhost.exe -accepteula -r -ma lsass.exe
  • Command lines consistent with recovery inhibition and log clearing (e.g., wbadmin delete, wevtutil cl)

See the “Hunting queries” and “Indicators of compromise” sections in Microsoft’s CLFS zero-day ransomware analysis for Microsoft Sentinel / Defender-focused query patterns.
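As an added example (not one of Microsoft's published hunting queries, and not code from any source cited on this page), the following Python scans process-creation and file-creation records for the command-line and file-path indicators listed in section 5.1 and tags each hit with the corresponding ATT&CK technique from section 7.2, then groups hits per host so that a machine showing several distinct tactics stands out from one-off administrative commands. The sample events, host names and record layout are constructed for the demonstration; the regexes deliberately generalise the exact IOC strings (tolerating path prefixes, casing and whitespace), which is an assumption about how the same tooling could vary rather than anything the page states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # human-readable detection name
    pattern: re.Pattern  # regex applied to the process command line
    technique_id: str    # ATT&CK technique ID taken from section 7.2
    technique: str       # ATT&CK technique name taken from section 7.2


# Command-line rules derived from the section 5.1 IOCs. Each regex is looser
# than the literal IOC (assumption: attackers vary paths, case and spacing).
PROCESS_RULES = [
    Rule("LSASS dump via dllhost.exe with procdump-style arguments",
         re.compile(r"dllhost\.exe\b.*\s-ma\s+lsass\.exe", re.IGNORECASE),
         "T1003.001", "OS Credential Dumping: LSASS Memory"),
    Rule("Ransomware launch from dllhost.exe with --do",
         re.compile(r"dllhost\.exe\s+--do\b", re.IGNORECASE),
         "T1486", "Data Encrypted for Impact"),
    Rule("Recovery disabled via bcdedit",
         re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.IGNORECASE),
         "T1490", "Inhibit System Recovery"),
    Rule("Backup catalogue deletion via wbadmin",
         re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b", re.IGNORECASE),
         "T1490", "Inhibit System Recovery"),
    Rule("Event log clearing via wevtutil",
         re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.IGNORECASE),
         "T1070.001", "Clear Windows Event Logs"),
]

# Directory under which the exploit wrote its CLFS base log file (section 5.1).
BLF_DIR = "c:\\programdata\\skypdf\\"

# Constructed sample telemetry (not from any real incident): four malicious
# records across two hosts plus two benign records on a third host, so the
# benign dllhost.exe COM-surrogate launch shows that the rules are argument-based.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\abc123"},
    {"host": "ws01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv02", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "srv02", "cmdline": "wevtutil cl Application"},
    {"host": "ws03", "cmdline": r"C:\Windows\system32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"host": "ws03", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"host": "ws03", "path": r"C:\Users\alice\report.pdf"},
]


def scan_process_events(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for rule in PROCESS_RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": rule.name,
                             "technique_id": rule.technique_id,
                             "technique": rule.technique,
                             "evidence": ev["cmdline"]})
    return hits


def scan_file_events(events):
    """Flag .blf files created under the SkyPDF directory named in section 5.1."""
    hits = []
    for ev in events:
        path = ev["path"].lower()
        if path.startswith(BLF_DIR) and path.endswith(".blf"):
            hits.append({"host": ev["host"],
                         "rule": "CLFS BLF created under C:\\ProgramData\\SkyPDF\\",
                         "technique_id": "T1068",
                         "technique": "Exploitation for Privilege Escalation",
                         "evidence": ev["path"]})
    return hits


def summarise_by_host(hits):
    """Map each host to the sorted set of distinct ATT&CK technique IDs seen on it.

    Several distinct techniques on one host is the escalate-then-dump-then-inhibit
    sequence described in section 3.1, so it is a stronger triage signal than any
    single rule firing on its own.
    """
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["host"]].add(hit["technique_id"])
    return {host: sorted(ids) for host, ids in by_host.items()}


if __name__ == "__main__":
    all_hits = scan_process_events(SAMPLE_EVENTS) + scan_file_events(SAMPLE_FILE_EVENTS)
    for hit in all_hits:
        print(f'{hit["host"]:6} {hit["technique_id"]:10} {hit["rule"]}: {hit["evidence"]}')
    print(summarise_by_host(all_hits))
```

On the constructed input the scan yields four command-line hits (ws01 and srv02) plus one BLF hit on ws01, and no hits on ws03; the per-host summary then shows ws01 with T1003.001, T1068 and T1490 together, which is the combination worth isolating under section 6.1 rather than treating as isolated events.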


6. Incident Response Guidance

6.1 Containment, eradication, and recovery

  • Patch immediately across affected Windows versions, prioritising assets that are high value (domain controllers, identity services, management servers) and any systems with signs of post-compromise tooling. Microsoft confirms a fix for CVE-2025-29824 shipped on 8 April 2025. (Microsoft Threat Intelligence)
  • Isolate suspected hosts exhibiting BLF creation at the noted path, suspicious dllhost.exe injection patterns, or LSASS access/dumping behaviour.
  • Credential hygiene: Assume credential exposure if LSASS dumping is suspected; prioritise resets for privileged accounts, rotate secrets, and consider tiered remediation (break-glass accounts, service accounts, Kerberos keys as appropriate to your environment).
  • Recover safely: Validate backups are intact and offline/immutable; Microsoft observed commands intended to inhibit recovery. (Microsoft Threat Intelligence)

6.2 Forensic artefacts to collect and preserve

  • Endpoint triage packages (process trees, loaded modules, autoruns, scheduled tasks)
  • Security event logs (process creation), EDR telemetry, and crash dumps if available
  • Filesystem artefacts: C:\ProgramData\SkyPDF\ directory contents; ransom note(s)
  • Memory captures for systems where injection/credential dumping is suspected

6.3 Lessons learned

  • Ransomware operators continue to value post-compromise privilege escalation—patching EoP bugs reduces the chance that initial access turns into domain-wide impact. (Microsoft Threat Intelligence)
  • Identity and perimeter services (LDAP, RDS roles) remain frequent “priority patch” categories when critical RCEs land. (Rapid7)

7. Threat Intelligence Contextualisation

7.1 Similar past incidents

Rapid7 highlights CLFS as a recurring location for high-impact Windows EoP vulnerabilities and notes the repeating pattern of attacker value: local escalation to SYSTEM enabling credential theft, defence evasion, and ransomware deployment. (Rapid7 Patch Tuesday analysis)

7.2 Full MITRE ATT&CK mapping

| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Command and Control | T1105 | Ingress Tool Transfer | Use of certutil to download malware from a compromised third-party site. |
| Defense Evasion / Execution | T1127.001 | MSBuild | Malicious MSBuild file used to execute/decrypt payload and run it via callback. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | CLFS zero-day exploited to escalate privileges post-compromise (CVE-2025-29824). |
| Defense Evasion / Privilege Escalation | T1055 | Process Injection | Payload injected into winlogon.exe; additional injection behaviours observed. |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | LSASS dump via procdump-style execution from dllhost.exe. |
| Impact | T1486 | Data Encrypted for Impact | Ransomware encryption and ransom note deployment reported by Microsoft. |
| Impact | T1490 | Inhibit System Recovery | Backup deletion and recovery setting modifications (e.g., wbadmin, bcdedit). |
| Defense Evasion | T1070.001 | Clear Windows Event Logs | Log clearing observed using wevtutil. |

ATT&CK mapping is derived from behaviours explicitly described by Microsoft in its incident analysis. (Microsoft Threat Intelligence)


8. Mitigation Recommendations

8.1 Actionable hardening steps

  • Enable and tune endpoint protections that can block post-compromise behaviours (process injection, LSASS access, ransomware-like encryption bursts). Microsoft specifically recommends enabling cloud-delivered protection and EDR capabilities where available. (Microsoft Threat Intelligence guidance)
  • Reduce credential theft blast radius: enforce least privilege, limit local admin membership, and implement credential guard / LSASS protection where compatible with your environment.
  • Harden management and identity planes: monitor LDAP and RDS role exposure, restrict access paths, and ensure only necessary endpoints can reach administrative services.

8.2 Patch management advice


9. Historical Context & Related Vulnerabilities

9.1 Previously exploited vulnerabilities in the same product family

Security researchers have repeatedly highlighted CLFS as a recurring source of Windows EoP issues used in real-world attack chains, and Rapid7 explicitly situates April 2025’s CLFS zero-day in that broader pattern. (Rapid7)

9.2 Related coverage


10. Future Outlook

10.1 Emerging trends

Microsoft’s reporting reinforces a continuing trend: ransomware operators increasingly rely on post-compromise privilege escalation to turn initial access into domain-wide control, followed quickly by credential theft and recovery inhibition. (Microsoft Threat Intelligence)

10.2 Likely evolution

Given the presence of multiple critical RCE patches in commonly deployed services, defenders should anticipate: (1) accelerated scanning for exposed LDAP/RDS/SharePoint surfaces following patch release, and (2) increased exploit “chaining” where EoP bugs like CVE-2025-29824 are used to deepen access after initial compromise. This is a risk-based assessment informed by the prioritisation commentary in Rapid7’s Patch Tuesday analysis and the post-compromise ransomware sequencing described by Microsoft Threat Intelligence.


11. Further Reading

Vendor and Government Advisories

Threat Intelligence and Patch Analysis