Multiple ransomware groups appear to have exploited a recently patched Windows vulnerability as a zero-day, Symantec reported.
The vulnerability in question is tracked as CVE-2025-29824 and it was patched by Microsoft with its April 2025 Patch Tuesday updates. The flaw impacts the Windows Common Log File System (CLFS) and it can be exploited by an attacker to escalate privileges.
On the day it released the patches, Microsoft revealed that CVE-2025-29824 had been exploited by cybercriminals in attacks aimed at a “small number of targets”, including in the IT and real estate sectors in the US, the financial industry in Venezuela, the retail sector in Saudi Arabia, and a Spanish software firm.
Microsoft attributed the attack to a threat actor it tracks as Storm-2460, which exploited the vulnerability to deploy a piece of malware named PipeMagic, typically used to deploy ransomware. The tech giant found evidence suggesting that the zero-day had been exploited in RansomEXX ransomware attacks.
Symantec revealed on Wednesday that at least one other threat group exploited CVE-2025-29824 before it was patched by Microsoft. The Broadcom threat intelligence unit observed exploitation of the vulnerability against an organization in the United States.
Its analysis showed that the attackers used the flaw to deploy an infostealer named Grixba, which is associated with a threat actor tracked by Symantec as Balloonfly, known for conducting Play ransomware attacks. However, no actual ransomware payload was deployed in the attack.
In the incident seen by Symantec, the hackers may have exploited a Cisco ASA vulnerability for initial access and they then moved laterally on the network before deploying an exploit for CVE-2025-29824.
“The exploit (or similar exploits) may have been in the hands of multiple actors prior to the patching of CVE-2025-29824,” Symantec said.
“The nature of the exploitation by Storm-2460 appears different from the Balloonfly-linked activity discovered by Symantec. Microsoft said that the exploit had been launched in memory from a dllhost.exe process. The exploitation discovered by Symantec was not fileless,” it added.
Related: Newly Patched Windows Zero-Day Exploited for Two Years
Related: Ransomware Group Claims Attacks on UK Retailers
Related: US Charges Yemeni Man for Black Kingdom Ransomware Attacks