Find notable cyber news and cases, enriched with sources, timelines, and signals.

Windows CLFS privilege-escalation flaw actively exploited (CVE-2025-29824)

Vulnerability
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

CVE-2025-29824 in Windows Common Log File System (CLFS) is being actively exploited for privilege escalation and ransomware intrusion, despite Microsoft addressing it in April 2025. The flaw is tied to Storm-2460 and the deployment of PipeMagic in RansomExx attacks. Reported activity in 2025 shows continued abuse of a patched Windows weakness across multiple regions.

Related Happenings

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
H score59 First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score20 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

CyberVolk VolkLocker RaaS debut targeting Linux/VMware ESXi and Windows

Malware Activity
H score15 First: 13.12.2025 17:11 Last: 13.12.2025 17:11 Sources 1

About this happening: **CyberVolk** expanded its **VolkLocker** ransomware operation in **August 2025**, putting **Linux/VMware ESXi** and **Windows** environments at risk. The malware’s **Golang timer...

Storm-0249 shifts from initial access brokering to stealth ransomware-enablement tactics

Threat Actor Meta
H score23 First: 09.12.2025 15:37 Last: 09.12.2025 15:37 Sources 1

About this happening: **Storm-0249** is moving from **initial access brokering** to **domain spoofing**, **DLL side-loading**, and **fileless PowerShell** to support **ransomware attacks**. The shift m...

Timeline

  1. 18.08.2025 19:03 1 articles · 10mo ago

    Storm-2460 exploitation of CVE-2025-29824 disclosed

    Initial Disclosure

    Storm-2460 is exploiting CVE-2025-29824 in Microsoft Windows Common Log File System (CLFS) to deploy PipeMagic during RansomExx ransomware attacks, with 2025 activity linked to organizations in Saudi Arabia and Brazil and Microsoft having addressed the flaw in April 2025.

    Show sources