CVE-2025-29824

HIGH KEV RANSOMWARE

Windows Common Log File System Driver - Use-After-Free

Title source: llm

Exploitation Summary

CVE-2025-29824 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 8, 2025, with confirmed use in ransomware campaigns. EIP tracks 4 public exploit entries (three proof-of-concept repositories and one technical writeup) from encrypter15, AfanPan, uname1able and zmkeh.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2025-29824, a use-after-free vulnerability in the Windows Common Log File System (CLFS) kernel driver. The exploit escalates privileges from a standard user to SYSTEM by leveraging a race condition in W32PROCESS handling.

Description

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Exploits (4)

nomisec WORKING POC 24 stars
by encrypter15 · local
https://github.com/encrypter15/CVE-2025-29824

This repository contains a proof-of-concept exploit for CVE-2025-29824, a use-after-free vulnerability in the Windows Common Log File System (CLFS) kernel driver. The exploit escalates privileges from a standard user to SYSTEM by leveraging a race condition in W32PROCESS handling.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows 10 21H2 (build < 19044.4291, pre-patch)
Auth: local low-privileged user required (CVSS PR:L)
Prerequisites: Windows 10 21H2 (pre-patch) · Visual Studio 2022 with Windows Driver Kit · WinDbg for kernel debugging · Ghidra for reverse-engineering · Air-gapped VM environment
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 19 stars
by AfanPan · poc
https://github.com/AfanPan/CVE-2025-29824-Exploit

This repository contains a proof-of-concept exploit for CVE-2025-29824, a privilege escalation vulnerability in Windows CLFS (Common Log File System). The exploit leverages a use-after-free (UAF) condition to achieve SYSTEM privileges via token manipulation.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows CLFS (affecting Windows 7 to Server 2025)
Auth: local low-privileged user required (CVSS PR:L)
Prerequisites: Unpatched Windows system (pre-April 2025) · Local access to the target system
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by uname1able · dos
https://github.com/uname1able/CVE-2025-29824

This repository contains functional exploit code for CVE-2025-29824, targeting Windows 10 and 11 systems. It includes PoC code for both crash (BSOD) and local privilege escalation (LPE) scenarios, along with a driver to monitor CLFS.SYS IRP requests.

Classification
Working Poc 95%
Attack Type
Lpe | Dos
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 10 (21H2) and Windows 11 (23H2)
Auth: local low-privileged user required (CVSS PR:L)
Prerequisites: Windows SDK 10.0 · Visual Studio 2022 (v143) · C++14 standard
devstral-2 · analyzed Mar 17, 2026
patchapalooza WRITEUP
by zmkeh · local
https://github.com/zmkeh/CVE-2025-29824-CLFS-Local-privilege-escalation

This is a detailed technical analysis of CVE-2025-29824, a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. The writeup includes root cause analysis, reverse-engineered code snippets, and an explanation of the pool feng shui race condition leading to a use-after-free (UAF) vulnerability.

Classification
Writeup 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Windows CLFS driver
Auth: local low-privileged user required (CVSS PR:L)
Prerequisites: Local access to the system · Ability to create and manipulate CLFS log files
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.0083 (0.83% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 75.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-04-08
VulnCheck KEV 2025-04-08
ENISA EUVD EUVD-2025-10122
Ransomware Use Confirmed
CWE
CWE-416
Status published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.20978 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.7969 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7136 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5737 (3 CPE variants)
microsoft/windows_10_22h2 < 10.0.19045.5737 (3 CPE variants)
microsoft/windows_11_22h2 < 10.0.22621.5189 (2 CPE variants)
microsoft/windows_11_23h2 < 10.0.22631.5189 (2 CPE variants)
microsoft/windows_11_24h2 < 10.0.26100.3775 (2 CPE variants)
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
... and 7 more
Published Apr 08, 2025
KEV Added Apr 08, 2025
Tracked Since Feb 18, 2026
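Added example, not from this page or from any of the repositories listed above: a PowerShell patch check that reads the host's OS build and update build revision (UBR) from the registry and compares them with the fixed builds in the Products list. The hashtable contents come from that list; the function name Test-Cve202529824, the output object shape and the clfs.sys version read-out are assumptions made for this example. Windows versions the list truncates ("... and 7 more") are reported as Unknown rather than guessed.

```powershell
# Added example: local patch check for CVE-2025-29824 against the fixed builds
# listed in this page's Products section. Not part of any listed exploit repo.

# OS build number -> first patched UBR, per the Products list above.
# Builds not in this table (the page's "... and 7 more") are reported as Unknown.
$Fixed29824 = @{
    10240 = 20978   # Windows 10 1507  (< 10.0.10240.20978)
    14393 = 7969    # Windows 10 1607  (< 10.0.14393.7969)
    17763 = 7136    # Windows 10 1809  (< 10.0.17763.7136)
    19044 = 5737    # Windows 10 21H2  (< 10.0.19044.5737)
    19045 = 5737    # Windows 10 22H2  (< 10.0.19045.5737)
    22621 = 5189    # Windows 11 22H2  (< 10.0.22621.5189)
    22631 = 5189    # Windows 11 23H2  (< 10.0.22631.5189)
    26100 = 3775    # Windows 11 24H2  (< 10.0.26100.3775)
}

function Test-Cve202529824 {
    # Hypothetical helper name. Returns Patched / Vulnerable / Unknown for a build + UBR pair.
    param(
        [Parameter(Mandatory)] [int] $Build,
        [Parameter(Mandatory)] [int] $Ubr
    )
    if (-not $Fixed29824.ContainsKey($Build)) {
        return [pscustomobject]@{
            Build      = "10.0.$Build.$Ubr"
            Status     = 'Unknown'      # version not covered by the page's list
            FixedBuild = $null
        }
    }
    $fixedUbr = $Fixed29824[$Build]
    $status = if ($Ubr -ge $fixedUbr) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{
        Build      = "10.0.$Build.$Ubr"
        Status     = $status
        FixedBuild = "10.0.$Build.$fixedUbr"
    }
}

# Read the running build and UBR from the registry (UBR is absent on very old
# systems, in which case it reads as 0 and the build is likely Unknown anyway).
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$result = Test-Cve202529824 -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR)
$result | Format-List

# Second data point: the file version of the CLFS driver itself. The fixing
# cumulative update replaces this file, so an unexpectedly old version with a
# "Patched" UBR is worth a closer look (pending reboot, rolled-back update).
(Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion
```

The UBR comparison assumes the standard monthly cumulative update track; on hosts using hotpatch or out-of-band updates, confirm the installed KB with Get-HotFix instead of trusting the revision number alone. Running the check from a low-privileged session is intentional: the CVE needs nothing more than that to exploit, so the same session is enough to assess exposure.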